Binary verification

Verifying the integrity and authenticity of downloaded software is a critical security step. This page explains how to confirm that the files you're downloading are created and signed by the official Anyone team and have not been modified in transit.

Every ANON release is cryptographically signed using a trusted GPG key. These signatures allow you to independently verify that the files you're about to use match what the developers intended to publish, free from tampering, corruption, or third-party interference.

Table of Contents:

The steps to verify the anon binaries are advanced but easy to follow:

• Installing the required tools (such as GPG)

• Importing the official Anyone signing key

• Verifying release signatures

• Verifying package files

• Verifying binaries

Installing GnuPG

Windows

Gpg4win https://gpg4win.org/download.html

Mac

GPGTools https://gpgtools.org.

Linux (Debian/Ubuntu)

Verify and Import the Signing Key

To get the official signing key, download it from the Anyone Repository, check if it's the correct key ID published on Anyone Protocol GitHub page and import it to GnuPG.

Download the Signing Key

On Windows or Mac, download the signing key from the Anyone repository.

https://deb.en.anyone.tech/anon.asc

On Linux download it with Wget:

Verify the Signing Key

Check the key ID of the signing key using a terminal window:

Import the Signing Key

Verify Release Signatures

In this example we will use the the Release and Release.gpg files from the ../dists/anon-live-bookworm directory to verify the repository.

Download the necessary files from the repo

Verify the Release Signature

Verify with InRelease

To combine the two steps above verify using the InRelease file.

This checks the inline GPG signature against the contents of the file. It does the same thing as verifying Release.gpg with Release, just in one file.

Verifying Package Files

After confirming that the metadata is signed and valid, you can now proceed to verify the packages.

Inspect Release Checksums

To view and inspect package checksums open the Release file in a text editor on Windows or with the terminal if you are using Linux or Mac:

You'll see some details about the release:

And checksum entries like:

These checksums are used to verify the actual contents of the Packages files and package binaries.

Download the Packages file

For Windows use the direct link: https://deb.en.anyone.tech/dists/anon-live-bookworm/main/binary-amd64/Packages

For Linux and Mac

Download the file compressed

Or download the file uncompressed

Search for the Binary in the Packages file

You'll get the following or similar output, it's different for each binary:

Binary Verification

Binary Verification on Linux or Mac

Download the Anon Binary https://deb.en.anyone.tech/pool/main/a/anon/anon_0.4.9.11-live-1~d12.bookworm+1_amd64.deb

Use sha256sum to check the SHA256 of the file

You'll get the following or similar output, it's different for each binary:

Binary Verification on Windows

For this example we will verify the same .deb file as before. To find Windows executable, see GitHub Releases.

Download the Anon bookworm Binary https://deb.en.anyone.tech/pool/main/a/anon/anon_0.4.9.11-live-1~d12.bookworm+1_amd64.deb

From a Command Prompt or PowerShell, check the SHA256 hash of the downloaded binary.

You'll get the following or similar output, it's different for each binary: