This page (https://www.openwall.com/signatures/) is the place to get the current GnuPG keys that you can use to verify signatures on software you can obtain from www.openwall.com, its mirrors, and the Owl download mirrors.

Note that a valid signature does not guarantee that this website itself hasn't been compromised. Keep in mind that if this website ever gets compromised, an intruder would be able to replace the public keys posted here, not just a software package they might want to backdoor. For greater assurance, verify signatures on the key itself and/or use a copy of the key that you have had for long enough that a possible website compromise would likely have been detected. Even so, check this web page once in a while for information on a possible key compromise and/or replacement.

Please note that we use only the then-current "offline" key (and never the "online" key) to sign anything downloadable directly from this website (rather than through a link to a mirror). We also use the "offline" key on some other occasions (e.g., to sign major Owl releases).

We use the "online" key for signing some *.mtree files for Owl snapshots, which are typically generated and signed on our development server. Thus, these signatures provide less assurance than those made with the "offline" key do. We estimate that the "online" key is more likely than the "offline" key to get compromised, through the corresponding private key leaking to an intruder from a server.

The primary use for signatures made with the "online" key is for you to be able to verify that your Owl downloads (which are typically made from mirrors and via "insecure" protocols) haven't been tampered with as compared to the files stored on our mirrors feed. (For those familiar with Linux kernel downloads from kernel.org, our "online" key is similar to "Linux Kernel Archives Verification Key" in the way we're using it and in the level of assurance it provides.)
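
An added example (not Openwall's own tooling) of enforcing the key policy described above: it reads GnuPG's machine-readable status output, takes the primary-key fingerprint of a valid signature, and rejects an "online"-key signature on a file downloaded directly from the website. The two fingerprints are constructed placeholders to be replaced with values from a key copy you already trust; the function names, file names and keyring path are assumptions.

```shell
#!/bin/sh
# Constructed placeholder fingerprints, NOT Openwall's real keys. Replace them
# with the fingerprints of a key copy you have held long enough to trust.
OFFLINE_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
ONLINE_FPR="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"

# sig_signer: read `gpg --status-fd 1 --verify` output on stdin and print the
# primary-key fingerprint of the first valid signature; exit 1 if none.
# VALIDSIG carries the signing (sub)key in field 3 and, in current GnuPG,
# the primary key in field 12.
sig_signer() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print toupper((NF >= 12) ? $12 : $3); found = 1; exit
         }
         END { exit !found }'
}

# check_policy KIND: KIND is "direct" (file fetched from the website itself)
# or "mirror". Prints "offline" or "online" for an acceptable signature.
check_policy() {
    source_kind=$1
    signer=$(sig_signer) || { echo "no valid signature" >&2; return 2; }
    case "$source_kind:$signer" in
        *:"$OFFLINE_FPR")      echo offline ;;
        mirror:"$ONLINE_FPR")  echo online ;;
        direct:"$ONLINE_FPR")
            echo "online key used on a direct download: reject" >&2
            return 1 ;;
        *)  echo "signature by unexpected key $signer" >&2
            return 1 ;;
    esac
}

# Usage (hypothetical file names; keyring holds only your pinned key copies):
#   gpg --no-default-keyring --keyring ./pinned-openwall.gpg \
#       --status-fd 1 --verify SIGFILE FILE 2>/dev/null | check_policy direct
```

Using a dedicated keyring keeps keys imported later, for example a freshly downloaded replacement, from silently satisfying the check.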