About libjpeg-turbo
Reports
Position Statements Developer Info |
Digital SignaturesTo ensure the integrity of official libjpeg-turbo releases, the files in each release are signed using the methods described below. Source Tarball (libjpeg-turbo 2.0.6 and later)The official source tarball is signed using the following GPG key: https://raw.githubusercontent.com/libjpeg-turbo/repo/main/LJT-GPG-KEY To verify the source tarball signature: curl -sSL '{key URL}' | gpg --import - gpg --verify {.sig file} Source Tarball (libjpeg-turbo 2.0.5 and earlier)The official source tarball is signed using the following GPG key: https://raw.githubusercontent.com/libjpeg-turbo/repo/main/LJT-GPG-KEY-1024 To verify the source tarball signature: curl -sSL '{key URL}' | gpg --import - gpg --verify {.sig file} Linux (libjpeg-turbo 2.0.6 and later)The RPM and DEB packages are signed using the following GPG key: https://raw.githubusercontent.com/libjpeg-turbo/repo/main/LJT-GPG-KEY To verify the RPM package signatures: sudo rpm --import '{key URL}' rpm --checksig {RPM file} NOTE: The RPM packages in libjpeg-turbo 2.1 beta1 and earlier (except for libjpeg-turbo 2.0.x ESR) do not contain SHA-256 signatures, so it may not be possible to verify the signatures of those packages on systems that restrict the use of the SHA-1 algorithm. NOTE: The RPM packages in libjpeg-turbo 2.1.5.1 and earlier do not contain SHA-256 header or payload digests, so it may not be possible to verify the signatures of those packages on FIPS-compliant systems. To verify the DEB package signatures: sudo apt-get install debsig-verify sudo debsig-import 7EC2DBB6F4DBF434 '{key URL}' debsig-verify {DEB file}
Linux (libjpeg-turbo 2.0.5 and earlier)The RPM and DEB packages are signed using the following GPG key: https://raw.githubusercontent.com/libjpeg-turbo/repo/main/LJT-GPG-KEY-1024 To verify the RPM package signatures: sudo rpm --import '{key URL}' rpm --checksig {RPM file} To verify the DEB package signatures: sudo apt-get install debsig-verify sudo debsig-import 85C7044E033FDE16 '{key URL}' debsig-verify {DEB file}
NOTE: The DEB packages in libjpeg-turbo 1.3 beta1 and earlier were not signed. Mac (libjpeg-turbo 2.0.3 and later)The Mac installer package (.pkg) and DMG are signed using, respectively, a Developer ID Installer certificate and a Developer ID Application certificate obtained through the Apple Developer Program. To verify the Mac installer package/DMG signatures: codesign -vv {DMG file} hdid {DMG file} cd /Volumes/libjpeg-turbo-* pkgutil --check-signature *.pkg Windows (libjpeg-turbo 1.3.0 and later)The Windows installers are signed using a code signing certificate. Free code signing provided by SignPath.io. Certificate by SignPath Foundation. To verify the Windows installer package signatures: Right-click on the .exe file and look at the "Digital Signatures" tab. If you have the Windows SDK installed, you can also run: signtool verify -pa {.exe file} |
All content on this web site is licensed under the Creative Commons Attribution 2.5 License. Any works containing material derived from this web site must cite The libjpeg-turbo Project as the source of the material and list the current URL for the libjpeg-turbo web site. |