Verifying Releases

fabio releases can be verified by comparing the SHA256 checksum and by verifying the checksums with a GPG key.

You can verify the SHA256 checksums with the GPG key below. You can also download it from most key servers using the ID D8B19A29317E92E470D7CD67021E03CADDA53977

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQENBFHXufMBCADO35ztkc+e22Oyfxa7npmqljgZs4O3qFB3YBY0AiFqZ+YDwc1P
2sb9r76M6J9sMiijFHZ4NZkHm1NOPgiEK13fLc/cDlrDMbbv7yqrBlYZuaQxPvCw
Bv+zAyVyNqy79sbQpXId7bokAMthrAf69x9F1/HaBmqspi6/8JWcQmNcGVqaABRk
eQSB/Oq8DYBawroMRUGNtyTMKJ5FAbsYeDH7kiOlBtJxaxdhzlMX/4W6PUVXCOF+
44CKVWl7eIwXkdbkAVOy2AgqG6b+X9svbjNvV0GFErozHwCjIxSKT2m/jTkey4oq
st9eBuNClEKtduxjCzkbhLX+Xvqg9vPNCY1NABEBAAG0K0ZyYW5rIFNjaHJvZWRl
ciA8ZnJhbmsuc2Nocm9lZGVyQGdtYWlsLmNvbT6JAT4EEwECACgCGy8GCwkIBwMC
BhUIAgkKCwQWAgMBAh4BAheABQJX1Z3mBQkJwErzAAoJEAIeA8rdpTl3MucIAIqx
0qPeNCiT0EnJfMNaI0ttx/+Y+hF/35XqXbuhAXDPUSwqyNAt+6qdKwnc7J4ZVZx6
rdH0jUoNbXoN/y/QUsmtktiQqmnyFaAT3CUphg5ZcB6g+/RUPJ0uyXY+UgB7LhLd
tyYyxJamfhpf0O+IEVQ+MqTvI6glCoN0s7LGGJR+/E5xbrJv8VdGrHFSPe6i4nU9
axz38MzEkHPDYUcd+6QaYN82tiuL+ipkHudOOs4aO02x18g6cg7BBZFKrAPLP7SX
TTG94mRhf9OEeKc/gTrHqQ+ZBrwyDZKS13LHoHYLkRVIyWDl3t3SU/U+TGsroR4a
dGQoe4tJPzZ3X5hAlK20JkZyYW5rIFNjaHJvZWRlciA8ZnJzY2hyb2VkZXJAZWJh
eS5jb20+iQE+BBMBAgAoAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCV9Wd
5gUJCcBK8wAKCRACHgPK3aU5d5hFCACe+JXpMRfqsfvc8rc4euxg0GSQGI8XfBx+
qziCO37cPTtAxyQGg5Z/ZXe6xv1kDP73mUkpZ9DLBlbCdYtC/l1LG+cYV8f/sa9K
FTn924j86R5ABqwgyo2ACE5iDFOA52ud2ZqVrjjOfqzShQZGanM+X+9A+5NHO7ZD
RG2LqR+b9VG8bKIhbCddu6q0/CB722PSqCVo4tAZ4W6oiA2D6QB/GfMUswSntN7e
nhyjEWM6701Kk5hcTrsAIEMPRLwz+NwEb63cJ5XNsIl6vIsBkGtuxTSz/2/ecwlp
hh4XWLTG+I+AkEo4mUUCMdieRf+IGjXXnogmJyfGtE2BTraO+v48tC1GcmFuayBT
Y2hyb2VkZXIgPGZyYW5rLnNjaHJvZWRlckBnby1sZWZ0LmNvbT6JAT4EEwECACgC
Gy8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJX1Z3mBQkJwErzAAoJEAIeA8rd
pTl3qqkH/2Jmm44cZNDAmleoOq/gOBdDUE1Ot8wiNOnaa08Eem9DyRJ312TDXUTu
gyCyNFfimln4G+XYRqw6r1Vxxtv7VMZmAaVd2q6aAC+SEbAYo32mNU5cVF1FTu04
VTUlkV5jkG1mHBOVs3yxkxd+YPZQsXD3GaaFhd6/NCpqrAxzkGcEZvoHWz8vGTlf
RxX5qnQeLg8VxttjSuXpfHbYptAwYmX+nDC6lL9IriJhRFtH3dVed2iHIiYtxlF6
7enUv6PndL1GHHXNzl5CFtJaG2Tr8NgdCTycymLAonXvm8j4zE1jRihnZ4TS+6Zk
UYS6G01WlBeHLEvCCxt8vpzKQFgg0kS5AQ0EUde58wEIAMgdQBVvrzrIJmN6i5B0
6Ey7bUBUijqiAQ5ful+aKANEePdshgapphfJstRAz+ppjZsBwN2XKFtVbY5znzDZ
dukvqB8A9KXOt0a4TT/q9JPE2ivlhp2ldhAr8LUcBNSLNTKKR5HwOSrMVxTaP6Pq
ZwbeW6NuDsPCLk0YpkcT13YrDK29IObZMr6g7UkZ3UD0w99OveQdimMvslIwd/sp
wP9oRefqZ1vhyllOA0SFmSlzTk7iSLrBzoGAXALhGpUdxN1LsCIvDZGydm7YtOGX
GOu+VTA6odHOB5urEEGn+dMPlF1qEcqirvYFmnamcnjrhn2nbxLn8jz2MRlNTGPt
88sAEQEAAYkCRAQYAQoADwIbLgUCV9WeGQUJCcBLJgEpwF0gBBkBCgAGBQJR17nz
AAoJEE1lxursh97NIVsH/i1edqJvxH2naj49hMp3m8OSUj0cOkTA1rebeF33YFLn
XqHUdL1DelFQIZ8zXcS5E5iB7OceqxNjoJaGU0k4yXg4IU52xtHcwM2FqxtRNMds
4yb+Hpopm2oLl9lsnA/Rm9pqNGoVN6Hc/mbueYpVxB1jKFqH1mX3+G/h5Z6YzPXg
jf6F8SLgM1kfJA7zb77Gghe5+xtYNGqoqRFne3YqHApXYfTbOFxr+5+32v2m7ib/
OI4p5Zq/y/F5+QLn+phGsWeYrmGCalyTzxCZvDgtgDsucqF55G8EIxiPQ/IQrs+y
/VuL+nvIZjKJO8X8r0AXNk7HA/KTxTUkRYArAwLj+skJEAIeA8rdpTl3nnYH/1z6
tNBVVDRl/jU9m0yj4PpNMZUjd+t0jH3WzMrqKbN7/Io8kFCLJdmg4+97tXjVtRbR
CWw7K43cOpQchXh3t+cwtcfdJd6TOqJCO21laQL0CBIZlNS9lQ7c4J9eew3MKe4Y
D22kOes/SXAIONU/KNP+aLXy8iMvXcxKe3vsZj4g4Huk4+mXkoFIrVit/tm7PIqm
VZd8lFRK841qZdL+vc/JQR8b8o3CtTbBJ4KO/sylw0M0EHsIQv2TL//NABiCuob/
gjpASGi/ZqGVKl/twu9ZaL3Z07uOGOlAlvU5VVlA/1gf39BoUA1ZL5loPNlERPIF
oqPZ3VIfhRjqQbvOnDU=
=OeUJ
-----END PGP PUBLIC KEY BLOCK-----

Checksum Verification

If you would like to verify the checksum of a fabio download, please note that only the sha256 file is signed by the GPG key below. The binaries themselves are not signed, but rather hashed. To verify the integrity of a particular binary:

Download the binary, sha256, and sha256.sig files Verify the sha256 file is properly signed Verify the sha256 in the file matches the binary

For example:

# This is the public key from above - one-time step.
gpg --import magiconair.asc

# Download the binary and signature files.
curl -OsL https://github.com/eBay/fabio/releases/download/v1.3.2/fabio-1.3.2-go1.7.1_linux-amd64
curl -OsL https://github.com/eBay/fabio/releases/download/v1.3.2/fabio-1.3.2.sha256
curl -OsL https://github.com/eBay/fabio/releases/download/v1.3.2/fabio-1.3.2.sha256.sig

# Verify the signature file is untampered.
gpg --verify fabio-1.3.2.sha256.sig fabio-1.3.2.sha256

# Verify the SHASUM matches the binary.
shasum -a 256 -c fabio-1.3.2.sha256

Note

Parts of this text have been taken from the HashiCorp Security Page which describes the procedure which is also used for fabio.