The Debian repositories on www.lesbonscomptes.com are signed, and most of the other download files are checksummed and signed. The following describes how to download and set up the public keys, and how they are used.

Read the first section, 'Quick', if you are in a hurry or not interested in the details. See 'More details' further on for the explanations.

Installing the repository keys for apt

  • Download the repository keyring

  • Copy the resulting lesbonscomptes.gpg to /usr/share/keyrings/. apt does not read that directory on its own: the repository entry in your apt sources must name the keyring with a signed-by= option for it to be used.
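The two steps above as one script, added here as an example and not part of the site's own instructions. It adds the check a cautious admin would do before trusting a keyring downloaded from the same server it protects: list the primary-key fingerprint the file actually contains and compare it with a fingerprint obtained elsewhere. The download URL, the apt repository line (REPO_URL, SUITE) and the expected fingerprint are assumptions and placeholders; the sample --with-colons output is constructed for the dry run, with the primary fingerprint taken from the gpg output quoted further down this page and a made-up subkey.

```sh
#!/bin/sh
# Added example, not part of the site's instructions: install the apt keyring
# only after checking which key it actually contains.
#
# Assumptions (not given on this page): KEYRING_URL is the link behind
# "Download the repository keyring"; REPO_URL/SUITE form your apt entry;
# EXPECTED_FPR is the fingerprint you obtained from a source other than the
# download itself. The values below are placeholders and sample data.
KEYRING_URL="https://example.invalid/lesbonscomptes.gpg"           # placeholder
KEYRING_PATH="/usr/share/keyrings/lesbonscomptes.gpg"              # from the page
REPO_URL="https://example.invalid/debian"                          # placeholder
SUITE="stable"                                                     # placeholder
EXPECTED_FPR="F8E3 3472 5692 2A8A E767  605B 7808 CE96 D38B 9201"  # sample value

# Read `gpg --with-colons` output on stdin and print the fingerprint of each
# PRIMARY key: the fpr record that follows a pub record. fpr records that
# follow a sub record belong to subkeys and are skipped.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# List the primary-key fingerprints in a keyring file without importing it.
# --show-keys reads a key file directly (GnuPG 2.2 and later).
keyring_primary_fingerprints() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null | primary_fingerprints
}

# Succeed only if the fingerprint list ($1, one per line) holds exactly one
# entry and it equals $2. Spaces and case in $2 are ignored so the grouped
# "F8E3 3472 ..." display form can be pasted verbatim.
fingerprint_matches() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    count=$(printf '%s\n' "$1" | grep -c . || true)
    [ "$count" -eq 1 ] && [ "$1" = "$want" ]
}

# Full procedure: download, check, install, and point apt at the keyring.
# No command runs when this file is sourced; call install_keyring as root.
install_keyring() {
    tmp=$(mktemp) || return 1
    curl -fsSL "$KEYRING_URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
    found=$(keyring_primary_fingerprints "$tmp")
    if ! fingerprint_matches "$found" "$EXPECTED_FPR"; then
        echo "keyring does not contain the expected key; refusing to install" >&2
        printf 'found: %s\n' "$found" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0644 "$tmp" "$KEYRING_PATH" && rm -f "$tmp"
    # apt only consults a keyring under /usr/share/keyrings for entries that
    # name it with signed-by=, hence the option in the sources line.
    echo "deb [signed-by=$KEYRING_PATH] $REPO_URL $SUITE main" \
        > /etc/apt/sources.list.d/lesbonscomptes.list
}

# Constructed sample of --with-colons output: one primary key plus one signing
# subkey. The subkey id is made up; the primary fingerprint is the one quoted
# on this page. Used by check_sample_keyring for a dry run without gpg.
SAMPLE_COLONS='pub:-:4096:1:7808CE96D38B9201:1419980400:::-:::scESC::::::23::0:
fpr:::::::::F8E3347256922A8AE767605B7808CE96D38B9201:
uid:-::::1419980400::::Jean-Francois Dockes <jf@dockes.org>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1419980400::::::s::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

check_sample_keyring() {
    found=$(printf '%s\n' "$SAMPLE_COLONS" | primary_fingerprints)
    fingerprint_matches "$found" "$EXPECTED_FPR"
}
```

The comparison deliberately demands exactly one primary key: a keyring that contains the expected key plus an extra one would let apt accept packages signed by the extra key, so it is refused rather than partially trusted.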

File checksums and signatures

Most distribution files (tar, zip, setup…​) have an associated sha256 checksum file. This lets you check that a file was not corrupted while being copied or downloaded. Because the checksum file sits next to the file on the same server, it does not protect against deliberate tampering; that is what the signatures described below are for.

E.g., after downloading recoll-1.21.5.tar.gz and recoll-1.21.5.tar.gz.sha256, you can run the following to verify the file integrity (the local file name must be the same as the one recorded in the .sha256 file, otherwise diff reports a difference even when the hashes match):

sha256sum recoll-1.21.5.tar.gz > mynewchecksum
diff mynewchecksum recoll-1.21.5.tar.gz.sha256
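The same check as a small script, added here as an example (not the site's own tooling). It compares only the hash field, so it still works when the local file was renamed or the checksum file carries a path prefix, and it refuses malformed or empty checksum files instead of silently matching nothing. It assumes the .sha256 file is in sha256sum format ("HASH  NAME"), as the page's diff example implies; the self-check uses the published SHA-256 test vector for the string "abc" and a constructed checksum file that names a different file than the one on disk.

```sh
#!/bin/sh
# Added example, not from the page: verify a download against its .sha256
# file without relying on `diff`, which fails spuriously whenever the local
# file name differs from the one recorded in the checksum file.
# Assumption: the .sha256 file is in sha256sum format ("HASH  NAME");
# only the hash field is used.

# Print the SHA-256 of a file as lowercase hex, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha256 -r "$1" | awk '{ print $1 }'
    fi
}

# Print the hash recorded in a .sha256 file: first field of the first
# non-empty line, lowercased. A trailing "  name" or " *name" is ignored.
recorded_sha256() {
    awk 'NF { print tolower($1); exit }' "$1"
}

# verify_sha256 FILE CHECKSUMFILE: succeed only if FILE's hash equals the
# recorded one. The recorded value must be exactly 64 hex digits, so a
# truncated, empty or HTML error-page "checksum file" can never match.
verify_sha256() {
    expected=$(recorded_sha256 "$2")
    case "$expected" in
        ""|*[!0-9a-f]*) echo "malformed checksum file: $2" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum file: $2" >&2; return 1; }
    actual=$(sha256_of "$1")
    [ "$expected" = "$actual" ]
}

# Self-check on constructed data. SHA-256("abc") is a published test vector;
# the checksum file names recoll-1.21.5.tar.gz while the file on disk is
# called download.tar.gz, the situation `diff` cannot handle. Returns 0 when
# the intact file verifies and a one-byte modification is rejected.
demo_verify_sha256() {
    dir=$(mktemp -d) || return 1
    printf 'abc' > "$dir/download.tar.gz"
    printf '%s  recoll-1.21.5.tar.gz\n' \
        ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
        > "$dir/download.tar.gz.sha256"
    rc=1
    if verify_sha256 "$dir/download.tar.gz" "$dir/download.tar.gz.sha256"; then
        printf 'abd' > "$dir/download.tar.gz"      # one byte changed
        if ! verify_sha256 "$dir/download.tar.gz" "$dir/download.tar.gz.sha256" 2>/dev/null; then
            rc=0
        fi
    fi
    rm -rf "$dir"
    return $rc
}
```

When the names do match, `sha256sum -c recoll-1.21.5.tar.gz.sha256` does the same job in one command; the script above is for the cases where they do not.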

Using gpg, you can verify the file integrity and origin (that it was signed by me) in one step, by checking the detached signature, e.g.:

gpg --verify upmpdcli-1.9.8.tar.gz.asc

which prints something like:

gpg: assuming signed data in 'upmpdcli-1.9.8.tar.gz'
gpg: Signature made Sat 20 Dec 2025 01:58:41 PM CET
gpg:                using RSA key F8E3347256922A8AE767605B7808CE96D38B9201
gpg: Good signature from "Jean-Francois Dockes <jf@dockes.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F8E3 3472 5692 2A8A E767  605B 7808 CE96 D38B 9201

More details about the signatures

The download files have detached gpg signatures (same file name, with '.asc' added). These protect against tampering on the web server or in transit while downloading, provided the public key you check them against is genuine: gpg reports "Good signature" as soon as the signature matches a key in your keyring, and the WARNING shown above only says that nothing in your keyring vouches for that key being mine.

To help you trust that the public key is indeed mine (in case the web server was compromised), it is also stored on an independent web site (different hosting provider, passwords, etc.):

This is not a proof either, because you have no way to know that I (J.F. Dockes) set up that site. Still, it is an additional element which an attacker would need to control, and the key fingerprint shown on the two sites must agree.

See the GnuPG web site for how to import a public key.

You can then check the signature on any file by downloading the matching .asc file into the same directory (gpg finds the signed file by stripping the .asc extension) and running, e.g.:

gpg --verify some-tar-file.tar.gz.asc
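A pinned version of this check, covering both the verification shown in the 'File checksums and signatures' section and the trust question discussed just above. It is an added example, not the site's own tooling. `gpg --verify` exits 0 and prints "Good signature" for any key in your keyring that produced the signature, so a script that only looks at the exit status would accept a file signed by some unrelated key you once imported; the script below additionally parses gpg's machine-readable status output and requires the signing key's fingerprint to equal one you confirmed out of band. The expected fingerprint below is the one printed in the gpg output quoted on this page and is assumed to be the value you verified; the sample status output is constructed for the dry run (its timestamp is the quoted signature date converted to epoch seconds).

```sh
#!/bin/sh
# Added example, not from the page: verify a detached .asc signature and pin
# the signing key to a known fingerprint.
#
# Assumption: EXPECTED_FPR is a fingerprint you confirmed out of band; the
# value below is the one shown in the gpg output quoted on this page.
EXPECTED_FPR="F8E3 3472 5692 2A8A E767  605B 7808 CE96 D38B 9201"

# From `gpg --status-fd` output on stdin, print the fingerprints carried by
# VALIDSIG lines: field 3 is the key that made the signature (possibly a
# signing subkey) and the last field, when present, is its primary key.
# Both are printed so the pinned value may be either one.
validsig_fingerprints() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; if (NF >= 12) print $NF }'
}

# status_pinned_ok STATUS FPR: succeed only if STATUS holds a GOODSIG line
# (gpg emits EXPKEYSIG / REVKEYSIG instead of GOODSIG when the key is expired
# or revoked, and BADSIG when the data was altered) AND a VALIDSIG whose
# fingerprint equals FPR. Spaces and case in FPR are ignored.
status_pinned_ok() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$1" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$1" | validsig_fingerprints | grep -qxF "$want"
}

# verify_pinned SIG FILE: run gpg and apply the pin. Status lines go to
# stdout (--status-fd 1) and are captured; gpg's usual human-readable
# messages still reach the terminal on stderr.
verify_pinned() {
    sig="$1"; file="$2"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file") || return 1
    status_pinned_ok "$status" "$EXPECTED_FPR"
}

# Constructed status output modelled on the verification quoted on this page
# (sample data for a dry run without gpg; hash algorithm 8 is SHA-256).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED F8E3347256922A8AE767605B7808CE96D38B9201 0
[GNUPG:] GOODSIG 7808CE96D38B9201 Jean-Francois Dockes <jf@dockes.org>
[GNUPG:] VALIDSIG F8E3347256922A8AE767605B7808CE96D38B9201 2025-12-20 1766235521 0 4 0 1 8 00 F8E3347256922A8AE767605B7808CE96D38B9201
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Dry run: the constructed status must pass with the expected fingerprint
# and fail with any other one.
demo_pinned_verify() {
    status_pinned_ok "$SAMPLE_STATUS" "$EXPECTED_FPR" || return 1
    if status_pinned_ok "$SAMPLE_STATUS" "0000000000000000000000000000000000000000"; then
        return 1
    fi
    return 0
}
```

Usage, after importing the public key with `gpg --import`: `verify_pinned upmpdcli-1.9.8.tar.gz.asc upmpdcli-1.9.8.tar.gz`. The "This key is not certified with a trusted signature" warning still appears on stderr, because the pin replaces the web-of-trust check rather than satisfying it; if you prefer to silence it, locally sign the key with `gpg --lsign-key` once you have confirmed the fingerprint.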

Reference information