Digital Signatures

To ensure the integrity of official libjpeg-turbo releases, the files in each release are signed using the methods described below.

Source Tarball (libjpeg-turbo 2.0.6 and later)

The official source tarball is signed using the following GPG key:

https://raw.githubusercontent.com/libjpeg-turbo/repo/main/LJT-GPG-KEY
or
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x0338c8d8d9fda62cf9c421bd7ec2dbb6f4dbf434

To verify the source tarball signature:

curl -sSL '{key URL}' | gpg --import -
gpg --verify {.sig file}

Source Tarball (libjpeg-turbo 2.0.5 and earlier)

The official source tarball is signed using the following GPG key:

https://raw.githubusercontent.com/libjpeg-turbo/repo/main/LJT-GPG-KEY-1024
or
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x7d6293cc6378786e1b5c496885c7044e033fde16

To verify the source tarball signature:

curl -sSL '{key URL}' | gpg --import -
gpg --verify {.sig file}
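
The following script is an added example, not part of the libjpeg-turbo project's own instructions, and it serves both source tarball procedures above. `gpg --verify` reports success for a signature made by any key in the keyring, so the script imports the downloaded key into a temporary keyring and accepts the tarball only if the signing fingerprint matches the one in the keyserver URL for that release series. The function names are hypothetical, and the version argument is assumed to be purely numeric and dotted.

```shell
#!/bin/sh
# Added example, not libjpeg-turbo project code. Function names are
# hypothetical; fingerprints are taken from the keyserver URLs on this page.
LJT_FPR_NEW=0338C8D8D9FDA62CF9C421BD7EC2DBB6F4DBF434  # 2.0.6 and later
LJT_FPR_OLD=7D6293CC6378786E1B5C496885C7044E033FDE16  # 2.0.5 and earlier

# Print the fingerprint expected for a release. Assumes a purely numeric
# dotted version such as 2.0.5 or 3.0.1 (no "beta" suffix).
ljt_expected_fpr() {
  ljt_ifs=$IFS; IFS=.; set -- $1; IFS=$ljt_ifs
  if [ "${1:-0}" -gt 2 ] || { [ "${1:-0}" -eq 2 ] &&
       { [ "${2:-0}" -gt 0 ] || [ "${3:-0}" -ge 6 ]; }; }; then
    echo "$LJT_FPR_NEW"
  else
    echo "$LJT_FPR_OLD"
  fi
}

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line
# names fingerprint $1 (as signing key or primary key) and no status line
# reports a bad, unverifiable, expired or revoked signature.
ljt_status_ok() {
  awk -v want="$1" '
    BEGIN { w = toupper(want) }
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" { if (toupper($3) == w || toupper($NF) == w) good = 1 }
    END { exit !(good && !bad) }'
}

# usage: ljt_verify VERSION KEYFILE SIGFILE TARBALL
# KEYFILE is the key already downloaded from one of the key URLs above.
# A throwaway keyring holds only that key, so other keys cannot vouch.
ljt_verify() {
  ljt_home=$(mktemp -d) || return 1
  gpg --homedir "$ljt_home" --batch --quiet --import "$2" 2>/dev/null &&
    gpg --homedir "$ljt_home" --batch --status-fd 1 --verify "$3" "$4" \
      2>/dev/null | ljt_status_ok "$(ljt_expected_fpr "$1")"
  ljt_rc=$?
  rm -rf "$ljt_home"
  return "$ljt_rc"
}
```

`ljt_verify` returns 0 only when the signature is valid and was made by the expected key; any other outcome, including a version string it cannot parse, results in a non-zero status.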

Linux (libjpeg-turbo 2.0.6 and later)

The RPM and DEB packages are signed using the following GPG key:

https://raw.githubusercontent.com/libjpeg-turbo/repo/main/LJT-GPG-KEY
or
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x0338c8d8d9fda62cf9c421bd7ec2dbb6f4dbf434

To verify the RPM package signatures:

sudo rpm --import '{key URL}'
rpm --checksig {RPM file}

NOTE: The RPM packages in libjpeg-turbo 2.1 beta1 and earlier (except for libjpeg-turbo 2.0.x ESR) do not contain SHA-256 signatures, so it may not be possible to verify the signatures of those packages on systems that restrict the use of the SHA-1 algorithm.

NOTE: The RPM packages in libjpeg-turbo 2.1.5.1 and earlier do not contain SHA-256 header or payload digests, so it may not be possible to verify the signatures of those packages on FIPS-compliant systems.

To verify the DEB package signatures:

sudo apt-get install debsig-verify
sudo debsig-import 7EC2DBB6F4DBF434 '{key URL}'
debsig-verify {DEB file}

debsig-import is available here.

Linux (libjpeg-turbo 2.0.5 and earlier)

The RPM and DEB packages are signed using the following GPG key:

https://raw.githubusercontent.com/libjpeg-turbo/repo/main/LJT-GPG-KEY-1024
or
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x7d6293cc6378786e1b5c496885c7044e033fde16

To verify the RPM package signatures:

sudo rpm --import '{key URL}'
rpm --checksig {RPM file}

To verify the DEB package signatures:

sudo apt-get install debsig-verify
sudo debsig-import 85C7044E033FDE16 '{key URL}'
debsig-verify {DEB file}

debsig-import is available here.

NOTE: The DEB packages in libjpeg-turbo 1.3 beta1 and earlier were not signed.

Mac (libjpeg-turbo 2.0.3 and later)

The Mac installer package (.pkg) and DMG are signed using, respectively, a Developer ID Installer certificate and a Developer ID Application certificate obtained through the Apple Developer Program.

To verify the Mac installer package/DMG signatures:

codesign -vv {DMG file}
hdid {DMG file}
cd /Volumes/libjpeg-turbo-*
pkgutil --check-signature *.pkg

Windows (libjpeg-turbo 1.3.0 and later)

The Windows installers are signed using a code signing certificate.

Free code signing provided by SignPath.io. Certificate by SignPath Foundation.

To verify the Windows installer package signatures:

Right-click on the .exe file and look at the "Digital Signatures" tab. If you have the Windows SDK installed, you can also run:

signtool verify -pa {.exe file}

All content on this web site is licensed under the Creative Commons Attribution 2.5 License. Any works containing material derived from this web site must cite The libjpeg-turbo Project as the source of the material and list the current URL for the libjpeg-turbo web site.

Page last modified on December 02, 2023, at 11:02 AM