# Binary verification Verifying the integrity and authenticity of downloaded software is a critical security step.\\ \ This page explains how to confirm that the files you're downloading are created and signed by the official Anyone team and have not been modified in transit. Every ANON release is cryptographically signed using a trusted GPG key. \ These signatures allow you to independently verify that the files you're about to use match what the developers intended to publish, free from tampering, corruption, or third-party interference. {% hint style="success" %} This guide works for Windows, Mac or Linux. {% endhint %} ## Table of Contents: The steps to verify the anon binaries are advanced but easy to follow: * [Installing the required tools (such as GPG)](#installing-gnupg) * [Importing the official Anyone signing key](#verify-and-import-the-signing-key) * [Verifying release signatures](#verify-release-signatures) * [Verifying package files](#verifying-package-files) * [Verifying binaries](#binary-verification) *** ## Installing GnuPG ### Windows Gpg4win\ ### Mac GPGTools\ [https://gpgtools.org](https://gpgtools.org/). ### Linux (Debian/Ubuntu) ```bash sudo apt-get install gnupg ``` {% hint style="info" %} GnuPG is normally installed by default on most Linux operating systems {% endhint %} ## Verify and Import the Signing Key To get the official signing key, download it from the Anyone Repository, check if it's the [correct key ID](https://github.com/anyone-protocol/ator-protocol?tab=readme-ov-file#keys-that-can-sign-a-release) published on Anyone Protocol GitHub page and import it to [GnuPG](https://www.gnupg.org/). ### Download the Signing Key On Windows or Mac, download the signing key from the Anyone repository. {% hint style="info" %} With some browsers you can view and save the contents of the key file manually using:\ `view-source:https://deb.en.anyone.tech/anon.asc` {% endhint %} On Linux download it with Wget: ```bash wget https://deb.en.anyone.tech/anon.asc ``` ### Verify the Signing Key Check the key ID of the signing key using a terminal window: ```bash gpg anon.asc ``` {% hint style="info" %} The ID is published on the official [GitHub repository for the Anyone Protocol](https://github.com/anyone-protocol/ator-protocol?tab=readme-ov-file#keys-that-can-sign-a-release): {% endhint %} {% hint style="success" %} If the ID is a match, then you can continue importing the key to your keychain. {% endhint %} {% hint style="danger" %} If the ID **does not** match, delete the "anon.asc" file and [download the correct signing key](#download-the-signing-key). {% endhint %} ### Import the Signing Key ```bash gpg --import anon.asc ``` ## Verify Release Signatures In this example we will use the the `Release` and `Release.gpg` files from the `../dists/anon-live-bookworm` directory to verify the repository. ### Download the necessary files from the repo ```bash wget https://deb.en.anyone.tech/dists/anon-live-bookworm/Release ``` ```bash wget https://deb.en.anyone.tech/dists/anon-live-bookworm/Release.gpg ``` ### Verify the Release Signature ```bash gpg --verify Release.gpg Release ``` {% hint style="success" %} If the signature is valid and matches the imported key, you'll see:\ gpg: Good signature from "Anon Packages " {% endhint %} ### Verify with InRelease To combine the two steps above verify using the `InRelease` file. ```bash wget https://deb.en.anyone.tech/dists/anon-live-bookworm/InRelease gpg --verify InRelease ``` This checks the inline GPG signature against the contents of the file. It does the same thing as verifying `Release.gpg` with `Release`, just in one file. ## Verifying Package Files After confirming that the metadata is signed and valid, you can now proceed to verify the packages. ### Inspect Release Checksums To view and inspect package checksums open the `Release` file in a text editor on Windows or with the terminal if you are using Linux or Mac: ```bash less Release ``` You'll see some details about the release: ``` Origin: Anon Label: Anon Codename: anon-live-bookworm Date: Wed, 23 Apr 2025 09:25:31 UTC Architectures: amd64 arm64 Components: main Description: Anon Debian Boookworm Live ``` And checksum entries like: ``` MD5Sum: 517f33fcdd0c3457d07ade7377c69481 4317 main/binary-amd64/Packages faad00dfd4ba531d4943ad24ac05f92d 2142 main/binary-amd64/Packages.gz ... SHA1: 4b57931202694b5bffb83eac2e26ac2d05553a6b 4317 main/binary-amd64/Packages 9346467ecd5191d547f981c9a0a84f62abef1fdb 2142 main/binary-amd64/Packages.gz ... SHA256: 54a0a77a37a43a958d928ac18ffe4801206dcb267f14bfcaa0fe74018a159990 4317 main/binary-amd64/Packages f4642972c01ab1cab6e9940b8e4cdd37620eb754e5810e558fb0dff57dd9a8c3 2142 main/binary-amd64/Packages.gz ... SHA512: 2228e674d09dba931500acf52b93db896cfcc33453e98c82624c22e4f0e4eaeaf708c3c047e418827d55b8a597b7ed53fba2f00b71843f738207d66acee573e9 4317 main/binary-amd64/Packages ce6049932b4190d840c9d4aa5cb12ff0c9a4527b26b5363178c59dd4dd470347871faa03d0cbf847f3daf7a3c499a134074181d79c7eeb0f0212e209cf2b937c 2142 main/binary-amd64/Packages.gz ``` These checksums are used to verify the actual contents of the `Packages` files and package binaries. ### Download the Packages file #### For Windows use the direct link: #### For Linux and Mac Download the file compressed ```bash wget https://deb.en.anyone.tech/dists/anon-live-bookworm/main/binary-amd64/Packages.gz ``` ``` gunzip Packages.gz ``` Or download the file uncompressed ```bash wget https://deb.en.anyone.tech/dists/anon-live-bookworm/main/binary-amd64/Packages ``` Search for the Binary in the `Packages` file ```bash grep -A 5 'pool/main/a/anon/anon_' Packages ``` You'll get the following or similar output, it's different for each binary: ``` Filename: pool/main/a/anon/anon_0.4.9.11-live-1~d12.bookworm+1_amd64.deb Size: 2137752 SHA512: 700513e638268e9fc84e9c7ad5e4e4fb4764fd27d9e4c81465bd19b1d96ef48bd21cf195fc26e945d7dc28d8ea26d2c3a678028a2b751134d719207b4901d092 SHA256: d2ce6070d1cf083458bb5dfb7903f5db327c6b932652da24f280e6ed205dcc5d SHA1: a9834617b19fffc47c5449dab99126d5429cd1c4 MD5sum: 8880097147b595680511a0ddd29d7405 ``` ## Binary Verification ### Binary Verification on Linux or Mac Download the Anon Binary\ ```bash wget https://deb.en.anyone.tech/pool/main/a/anon/anon_0.4.9.11-live-1~d12.bookworm+1_amd64.deb ``` Use `sha256sum` to check the SHA256 of the file ``` sha256sum anon_0.4.9.11-live-1~d12.bookworm+1_amd64.deb ``` You'll get the following or similar output, it's different for each binary: ``` d2ce6070d1cf083458bb5dfb7903f5db327c6b932652da24f280e6ed205dcc5d anon_0.4.9.11-live-1~d12.bookworm+1_amd64.deb ``` {% hint style="success" %} Confirm that the SHA256 hash matches what’s listed for the deb file in `Packages` {% endhint %} {% hint style="danger" %} If a hash does not match, delete the binary and return to [Download the Anon Binary](#download-the-anon-binary). {% endhint %} ### Binary Verification on Windows For this example we will verify the same .deb file as before. To find Windows executable, see [GitHub Releases](https://github.com/anyone-protocol/ator-protocol/releases). Download the Anon bookworm Binary\ From a Command Prompt or PowerShell, check the SHA256 hash of the downloaded binary. ```powershell certutil -hashfile sha256sum anon_0.4.9.11-live-1~d12.bookworm+1_amd64.deb SHA256 ``` You'll get the following or similar output, it's different for each binary: ``` SHA256 hash of .\anon_0.4.9.11-live-1~d12.bookworm+1_amd64.deb: d2ce6070d1cf083458bb5dfb7903f5db327c6b932652da24f280e6ed205dcc5d CertUtil: -hashfile command completed successfully. ``` {% hint style="success" %} Confirm that the SHA256 hash matches what’s listed for the deb file in `Packages` {% endhint %} {% hint style="danger" %} If a hash does not match, delete the binary and return to [Download the Anon Binary](#download-the-anon-binary). {% endhint %}