RabbitMQ


This page describes the signing process we use when building RabbitMQ release packages, and how to verify the signatures on packages you download.

Our signing process

When we build package archive files, both binary and source, we digitally sign them using GnuPG and our public signing key.

Checking signatures

To check the signatures, use our public signing key with any OpenPGP-compatible implementation. For instance, using GnuPG, the appropriate command for checking a detached signature is

gpg --verify filename.asc filename

Here's an example session, after having retrieved a RabbitMQ source archive and its associated detached signature from the download area:

$ gpg --verify rabbitmq-0.0.tar.gz.asc rabbitmq-0.0.tar.gz
gpg: Signature made Mon 29 Jan 2007 05:33:27 PM GMT using DSA key ID E96F1FA7
gpg: Good signature from "RabbitMQ Signing Key <packaging@rabbitmq.com>"

If the signature is valid, you will see a "Good signature" message; if it is invalid, you will see a "BAD signature" message.
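A "Good signature" line only tells you that some key in your keyring produced the signature; it does not by itself tell you that it was the RabbitMQ signing key. The script below is an added example (it is not RabbitMQ's own tooling) that wraps the same gpg --verify call, reads GnuPG's machine-readable status lines (--status-fd), and accepts the file only when the signature is good and the signing key's fingerprint matches one you have pinned in advance. It assumes gpg is installed; EXPECTED_FINGERPRINT is a placeholder to be replaced with the real fingerprint obtained from a trusted channel, and the sample status output used for the self-check is constructed here, not captured from a real run.

```python
"""Verify a detached OpenPGP signature with GnuPG and pin the signing key.

Added example, not RabbitMQ's own tooling. Assumes `gpg` is on PATH and that
you already know the signing key's fingerprint from a trusted source.
"""
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Placeholder: fill in the fingerprint of the key you actually trust.
EXPECTED_FINGERPRINT = "REPLACE-WITH-TRUSTED-SIGNING-KEY-FINGERPRINT"

STATUS_PREFIX = "[GNUPG:] "
# Status keywords that mean the signature must not be accepted.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class SignatureStatus:
    good: bool = False                       # a GOODSIG line was seen
    fingerprint: Optional[str] = None        # signing (sub)key fingerprint from VALIDSIG
    primary_fingerprint: Optional[str] = None  # primary key fingerprint from VALIDSIG
    signer: Optional[str] = None             # user id reported on the GOODSIG line
    failures: List[str] = field(default_factory=list)


def parse_status(status_text: str) -> SignatureStatus:
    """Parse the `[GNUPG:] ...` lines gpg writes when run with --status-fd."""
    st = SignatureStatus()
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue  # ignore anything that is not a status line
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            st.good = True
            st.signer = " ".join(args[1:])  # args[0] is the key id, the rest is the user id
        elif keyword == "VALIDSIG":
            st.fingerprint = args[0].upper()
            if len(args) >= 10:             # tenth field is the primary key fingerprint
                st.primary_fingerprint = args[9].upper()
        elif keyword in FAILURE_KEYWORDS:
            st.failures.append(raw[len(STATUS_PREFIX):])
    return st


def decide(status_text: str, expected_fingerprint: str) -> Tuple[bool, str]:
    """Accept only a good signature made by the pinned key."""
    st = parse_status(status_text)
    want = expected_fingerprint.replace(" ", "").upper()
    if st.failures:
        return False, "gpg reported a failure: " + "; ".join(st.failures)
    if not st.good or st.fingerprint is None:
        return False, "no GOODSIG/VALIDSIG pair in gpg status output"
    if want not in (st.fingerprint, st.primary_fingerprint):
        return False, f"good signature, but from an unexpected key {st.fingerprint}"
    return True, f"good signature from {st.signer} ({st.fingerprint})"


def verify_detached(signature_path: str, file_path: str,
                    expected_fingerprint: str = EXPECTED_FINGERPRINT) -> Tuple[bool, str]:
    """Run `gpg --verify sig file` and apply the fingerprint check to its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, file_path],
        capture_output=True, text=True, check=False)
    return decide(proc.stdout, expected_fingerprint)


# Constructed sample status output (not captured from a real gpg run) for a self-check.
CONSTRUCTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 RabbitMQ Signing Key <packaging@rabbitmq.com>\n"
    f"[GNUPG:] VALIDSIG {CONSTRUCTED_FPR} 2007-01-29 1170092007 0 4 0 17 2 00 {CONSTRUCTED_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 RabbitMQ Signing Key <packaging@rabbitmq.com>\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        ok, why = verify_detached(sys.argv[1], sys.argv[2])
        print(("OK: " if ok else "REJECTED: ") + why)
        sys.exit(0 if ok else 1)
    print("usage: verify.py filename.asc filename")
```

The decisive check is the fingerprint comparison: a signature from any other key in your keyring still produces a "Good signature", and gpg's exit status alone does not distinguish that case from the real signing key.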