# Verifying Stirling-PDF Release Artifacts

docs/security/VERIFYING_RELEASES.md

Every Linux release artifact (.AppImage, .rpm, .deb) is signed with the Stirling-PDF release signing key. Users are encouraged to verify downloads before running them, especially when obtaining Stirling-PDF from a mirror, redistributor, or any source other than the official GitHub Releases page.

## Signing key

| Field | Value |
|---|---|
| User ID | Stirling PDF Inc. <[email protected]> |
| Fingerprint | EBB9 258B FEA4 7D92 342F 00DF B8C0 96A5 9BEF 2A8B |
| Algorithm | RSA-4096 |
| Valid until | 2031-04-16 |

The public key is committed to this repository at docs/security/signing-key.pub and is also published on:

Cross-checking the fingerprint from two independent sources (the repository and a keyserver) is the recommended way to be sure you've obtained the genuine key.

## One-time setup — import the public key

```bash
# Option 1 — from the repo over HTTPS
curl -fsSL https://raw.githubusercontent.com/Stirling-Tools/Stirling-PDF/main/docs/security/signing-key.pub \
  | gpg --import

# Option 2 — from a keyserver
gpg --keyserver hkps://keys.openpgp.org \
    --recv-keys EBB9258BFEA47D92342F00DFB8C096A59BEF2A8B
```

Confirm the fingerprint matches after import:

```bash
gpg --fingerprint [email protected]
# Expected: EBB9 258B FEA4 7D92 342F  00DF B8C0 96A5 9BEF 2A8B
```

## Verifying an .AppImage

Tauri's AppImage bundler embeds the signature inside the AppImage itself via appimagetool --sign. Extract and verify:

```bash
# --appimage-signature prints the embedded signature
./Stirling-PDF_*.AppImage --appimage-signature > sig.asc
./Stirling-PDF_*.AppImage --appimage-offset                  # shows the offset
# Verify the payload signature against the key
gpg --verify sig.asc Stirling-PDF_*.AppImage
```

A successful result looks like:

```text
gpg: Good signature from "Stirling PDF Inc. <[email protected]>" [ultimate]
```

## Verifying an .rpm

RPM signatures are verified via rpm --checksig:

```bash
# Import the key into rpm's keyring
sudo rpm --import docs/security/signing-key.pub   # if working from a clone
# OR
sudo rpm --import https://raw.githubusercontent.com/Stirling-Tools/Stirling-PDF/main/docs/security/signing-key.pub

# Verify the package
rpm --checksig Stirling-PDF-*.rpm
# Expected output ends with: "digests signatures OK"
```

## Verifying a .deb

Debian packages are signed with a detached .asc file distributed alongside the .deb on the release page:

```bash
gpg --verify Stirling-PDF-*.deb.asc Stirling-PDF-*.deb
```
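The `gpg --verify` calls above succeed for a good signature from any key in your keyring, not only the Stirling-PDF release key. The following script is an added example, not part of the Stirling-PDF docs or tooling: it verifies a detached signature (the `.deb` plus its `.asc`, or an AppImage plus the `sig.asc` extracted above) and additionally pins the fingerprint from this document by parsing gpg's `--status-fd` output. It assumes `gpg` is on PATH and the key was imported as described in the setup section.

```bash
#!/usr/bin/env bash
# Added example (not from the Stirling-PDF docs). Pins the release-key fingerprint:
# "gpg --verify" exits 0 for a good signature from ANY key in your keyring, so the
# VALIDSIG line from --status-fd is compared against the fingerprint in this document.
set -u

EXPECTED_FPR="EBB9258BFEA47D92342F00DFB8C096A59BEF2A8B"

# check_validsig: reads gpg --status-fd output on stdin and returns 0 only if a
# VALIDSIG line names the expected fingerprint (signing key or its primary key).
check_validsig() {
  expected="$1"
  status=1
  while read -r prefix keyword fpr rest; do
    [ "$prefix" = "[GNUPG:]" ] && [ "$keyword" = "VALIDSIG" ] || continue
    # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <res> <pkalgo> <hash> <class> <primary-fpr>
    primary="${rest##* }"
    if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
      status=0
    fi
  done
  return "$status"
}

# verify_artifact <file> [<detached-sig>]: verify a .deb against its .asc (or an
# AppImage against the sig.asc extracted above) and pin the fingerprint.
verify_artifact() {
  file="$1"
  sig="${2:-$1.asc}"
  if gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null | check_validsig "$EXPECTED_FPR"; then
    echo "OK: $file is signed by $EXPECTED_FPR"
  else
    echo "FAIL: $file is not signed by the pinned key; do not install it" >&2
    return 1
  fi
}

# Usage:  verify_artifact Stirling-PDF-*.deb
#         verify_artifact Stirling-PDF_*.AppImage sig.asc
```

When the key is rotated as described below, update `EXPECTED_FPR` from the latest version of this document; an unchanged pin will correctly reject releases signed only with the new key.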

## What if verification fails?

If the signature check fails, do not install the file. Possible causes:

- The download was corrupted — try again from the official releases.
- You obtained the file from a malicious mirror — get it from the official source.
- The signing key has rotated — check this document on the latest main for the current fingerprint.

If none of those explain it, please open a security report at https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/new.

## Key rotation policy

The signing key expires on 2031-04-16. We will publish a new key at least six months before expiry. The transition process:

  1. A new key is announced in release notes and this document is updated.
  2. The last few releases will be co-signed with both the old and new keys.
  3. The old key is published with a revocation notice once the transition is complete.

If the signing key is ever compromised, a revocation certificate will be published immediately to both keyservers and to this document.