GPG signature for server package?

Hi there,

When Seafile was hosted on Bintray, it was easy to obtain a GPG signature (.asc file) to verify the package. Now that Seafile is hosted internally, where can we get the GPG signatures?




For what? What is the host system for the server? I don't know Bintray, so I don't know how you want to verify the package. I have 4 running Seafile servers and never needed to do that. So please explain better.

@holantomas This is a security question. A package can have a GPG signature file generated which proves that the file was not tampered with, and also that the file was generated by Seafile themselves (and not a malicious entity posing as Seafile).

Yes, but what is the server OS?

@holantomas Linux.

I don’t think you understand what I mean. I am requesting that Seafile provide a signature file for the package. You cannot verify a package without a signature file being provided.

Oh sorry, now I get your question (I will stop reading questions by morning) :smiley:

If you look here, there is an XML feed with all files. You can look at the file you download and there is an ETag element. This is the MD5 sum of the file, so you can check it.

1 Like

Thanks for the link @holantomas. An MD5 sum is good for verifying integrity, but it does not tell us if the package was altered or crafted by a malicious entity (as they would need Seafile’s private key to do this).

It was not signed with Seafile's key before, but a generic one from Bintray. If anyone else had uploaded something, it would also have had a valid signature automatically.


From my point of view a sha256 checksum would be useful to reliably check the file's integrity.

To have a significant improvement using GPG (which most users cannot use anyway, as it's too complicated) it would require Seafile Ltd. to create a private key and keep it private, which is harder than one might think at first. So I don't think it's worth the time, keeping in mind that most users won't verify a GPG signature anyway.
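The two checks discussed in this thread, side by side, as a small POSIX shell script added here for illustration (it is not code from the Seafile project): comparing a download against a published MD5 (as carried in the ETag) or SHA-256 digest, and verifying a detached GPG signature against a keyring that holds the vendor's key. The package file name, the keyring path and the demo digests are constructed for this example; the demo feeds the standard test vectors for the string "abc". It also encodes the point made above: a digest fetched from the same server as the package only detects corruption, whereas a signature can be checked against a key obtained through a separate channel.

```shell
#!/bin/sh
# Added example (not from the Seafile project): verify a downloaded release
# archive against a published digest and, when one is available, a detached
# GPG signature. File names, digest values and the keyring path below are
# constructed for the demo; substitute the values the vendor publishes.
set -u

# digest_of ALGO FILE: print the hex digest of FILE for md5 or sha256,
# falling back to openssl where the coreutils *sum tools are absent.
digest_of() {
    algo="$1"; file="$2"
    case "$algo" in
        md5)    tool=md5sum;    alt="openssl dgst -md5 -r" ;;
        sha256) tool=sha256sum; alt="openssl dgst -sha256 -r" ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    if command -v "$tool" >/dev/null 2>&1; then
        "$tool" "$file" | cut -d ' ' -f 1
    else
        $alt "$file" | cut -d ' ' -f 1
    fi
}

# verify_digest ALGO FILE EXPECTED_HEX: 0 on match, 1 on mismatch, 2 on error.
# A digest published on the same host as the package proves only that the
# download was not corrupted: whoever can replace the package can replace the
# digest too. It rules out tampering only if EXPECTED_HEX came from a channel
# the attacker does not control (e.g. a release mail you already trust).
verify_digest() {
    algo="$1"; file="$2"; expected="$3"
    actual=$(digest_of "$algo" "$file") || return 2
    # normalise case so a pasted upper-case digest still compares equal
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $algo($file) matches"
        return 0
    fi
    printf 'FAIL: %s mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$algo" "$file" "$expected" "$actual" >&2
    return 1
}

# verify_signature FILE SIGFILE KEYRING: 0 if the detached signature in
# SIGFILE validates against a key in KEYRING. KEYRING should hold only the
# vendor's signing key, imported out of band; a key fetched from the same
# server as the package gives no more assurance than the unsigned package.
verify_signature() {
    file="$1"; sig="$2"; keyring="$3"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$file"
}

# Demo on a constructed file whose digests are the known test vectors for "abc".
demo() {
    tmp=$(mktemp -d) || return 2
    pkg="$tmp/seafile-server_EXAMPLE.tar.gz"   # constructed name, not a real release
    printf 'abc' > "$pkg"
    verify_digest md5    "$pkg" 900150983cd24fb0d6963f7d28e17f72 && \
    verify_digest sha256 "$pkg" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh verify_release.sh --demo` to see both digest checks pass on the constructed file; for a real download, call `verify_digest sha256 <archive> <published digest>` followed by `verify_signature <archive> <archive>.asc <keyring>` and treat any non-zero status as a reason not to install.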

Nah… come on. People learned how to set up a Seafile server and in the same way they will learn how to verify signatures. :wink:

No, he said that if they invest their time to get GPG working (every update), then only a small % of users will use it…

Right, maybe I misunderstood his point. Anyway, in the same way I could say "people have no interest in using a private cloud because there is Dropbox/Google Drive/OneDrive".

Offering signatures is part of a serious software distribution process in my opinion. So even if only 1% of all Seafile server users would use it, it would be worth offering.


+1 totally agree!