Binary verification
How to verify that your Anyone command-line software is safe to use (security best-practice)
Verifying the integrity and authenticity of downloaded software is a critical security step. This page explains how to confirm that the files you're downloading are created and signed by the official Anyone team and have not been modified in transit.
Every ANON release is cryptographically signed using a trusted GPG key. These signatures allow you to independently verify that the files you're about to use match what the developers intended to publish, free from tampering, corruption, or third-party interference.
This guide works for Windows, Mac or Linux.
The steps to verify the anon binaries are advanced but easy to follow:
Installing GnuPG
Windows
Gpg4win https://gpg4win.org/download.html
Mac
GPGTools https://gpgtools.org.
Linux (Debian/Ubuntu)
Verify and Import the Signing Key
To get the official signing key, download it from the Anyone repository, check that its key ID matches the one published on the Anyone Protocol GitHub page, and then import it into GnuPG.
Download the Signing Key
On Windows or Mac, download the signing key from the Anyone repository.
https://deb.en.anyone.tech/anon.asc
On Linux, download it with Wget:
Verify the Signing Key
Check the key ID of the signing key using a terminal window:
If the ID matches, you can continue and import the key into your keyring.
If the ID does not match, delete the "anon.asc" file and download the correct signing key.
Import the Signing Key
Verify Release Signatures
In this example we will use the Release and Release.gpg files from the ../dists/anon-live-bookworm directory to verify the repository.
Download the necessary files from the repo
Verify the Release Signature
If the signature is valid and matches the imported key, you'll see: gpg: Good signature from "Anon Packages [email protected]"
Verify with InRelease
To combine the two steps above, verify using the InRelease file.
This checks the inline GPG signature against the contents of the file. It does the same thing as verifying Release.gpg with Release, just in one file.
Verifying Package Files
After confirming that the metadata is signed and valid, you can now proceed to verify the packages.
Inspect Release Checksums
To view and inspect package checksums, open the Release file in a text editor on Windows, or in the terminal if you are using Linux or Mac:
You'll see some details about the release:
And checksum entries like:
These checksums are used to verify the contents of the Packages files, which in turn list the checksums of the package binaries.
Download the Packages file
For Windows use the direct link:
https://deb.en.anyone.tech/dists/anon-live-bookworm/main/binary-amd64/Packages
For Linux and Mac
Download the file compressed
Or download the file uncompressed
Search for the Binary in the Packages file
You'll get output similar to the following; it differs for each binary:
Binary Verification
Binary Verification on Linux or Mac
Download the Anon Binary https://deb.en.anyone.tech/pool/main/a/anon/anon_0.4.9.11-live-1~d12.bookworm+1_amd64.deb
Use sha256sum to check the SHA256 of the file
You'll get output similar to the following; it differs for each binary:
Confirm that the SHA256 hash matches what’s listed for the deb file in Packages.
If a hash does not match, delete the binary and return to Download the Anon Binary.
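The chain described above (Release lists the hash of Packages, and Packages lists the hash of the .deb) can be checked in one pass. The script below is an added example, not part of the original guide or the Anyone project's code; it assumes Release has already been verified with gpg, and its function names and demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: follows the hash chain Release -> Packages -> .deb.
# Assumes Release was already checked with gpg as described in this guide.

file_sha256() {  # SHA256 of file $1, using sha256sum (Linux) or shasum (Mac)
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

release_sha256() {  # $1 = Release file, $2 = path as listed in Release
    awk -v p="$2" '
        /^SHA256:/ { in_sec = 1; next }   # start of the SHA256 block
        /^[^ ]/    { in_sec = 0 }         # any other unindented field ends it
        in_sec && $3 == p { print $1; exit }' "$1"
}

packages_sha256() {  # $1 = Packages file, $2 = Filename value of the package
    awk -v f="$2" '
        /^Filename: / { fn = $2 }
        /^SHA256: /   { sum = $2 }
        /^$/          { if (fn == f) { done = 1; print sum; exit } fn = sum = "" }
        END           { if (!done && fn == f) print sum }' "$1"
}

# $1 Release, $2 Packages file, $3 its path in Release, $4 .deb, $5 its Filename
verify_chain() {
    want=$(release_sha256 "$1" "$3")
    [ -n "$want" ] && [ "$want" = "$(file_sha256 "$2")" ] ||
        { echo "Packages does not match Release" >&2; return 1; }
    want=$(packages_sha256 "$2" "$5")
    [ -n "$want" ] && [ "$want" = "$(file_sha256 "$4")" ] ||
        { echo ".deb does not match Packages" >&2; return 1; }
    echo "OK: $5"
}

# Demo on constructed files (not real Anon release data).
demo=$(mktemp -d)
mkdir -p "$demo/main/binary-amd64"
printf 'constructed package payload\n' > "$demo/anon_demo_amd64.deb"
printf 'Package: anon\nFilename: pool/main/a/anon/anon_demo_amd64.deb\nSHA256: %s\n' \
    "$(file_sha256 "$demo/anon_demo_amd64.deb")" > "$demo/main/binary-amd64/Packages"
printf 'Suite: demo\nSHA256:\n %s %s main/binary-amd64/Packages\n' \
    "$(file_sha256 "$demo/main/binary-amd64/Packages")" \
    "$(wc -c < "$demo/main/binary-amd64/Packages")" > "$demo/Release"
verify_chain "$demo/Release" "$demo/main/binary-amd64/Packages" main/binary-amd64/Packages \
    "$demo/anon_demo_amd64.deb" pool/main/a/anon/anon_demo_amd64.deb
```

An empty lookup result is treated as a failure, so a package that is missing from Packages is never reported as verified.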
Binary Verification on Windows
For this example we will verify the same .deb file as before. To find the Windows executable, see GitHub Releases.
Download the Anon bookworm Binary https://deb.en.anyone.tech/pool/main/a/anon/anon_0.4.9.11-live-1~d12.bookworm+1_amd64.deb
From a Command Prompt or PowerShell, check the SHA256 hash of the downloaded binary.
You'll get output similar to the following; it differs for each binary:
Confirm that the SHA256 hash matches what’s listed for the deb file in Packages.
If a hash does not match, delete the binary and return to Download the Anon Binary.