Verifying TeX Live files signed with GPG

This page discusses how to verify the TeX Live GPG (GnuPG) signature for a downloaded file, such as install-tl-unx.tar.gz or install-tl-windows.exe.

Let's call the file you want to check tlfile. Typically, tlfile will be one of install-tl-unx.tar.gz or install-tl-windows.exe or install-tl.zip (installation from the net) or texlive.iso (installation from ISO) or variations thereof.

Besides tlfile itself, you'll need to download companion files with extensions .sha512 and .sha512.asc (the former is a checksum, the latter is the signature for the checksum). Any download method to save the files will do; here we use wget:

wget https://mirror.ctan.org/systems/texlive/tlnet/tlfile
wget https://mirror.ctan.org/systems/texlive/tlnet/tlfile.sha512
wget https://mirror.ctan.org/systems/texlive/tlnet/tlfile.sha512.asc

  1. Check the sha512 checksum for tlfile:
    sha512sum --check tlfile.sha512
    This should return:
    tlfile: OK

  2. Create a temporary directory, for example (adjust shell syntax as needed):
    MYTEMP=`mktemp -d`
    This is to avoid changing your existing gpg setup in any way; you can skip this (and omit the --homedir "$MYTEMP" from the following invocations) if you'd rather use your existing setup.

  3. Import the TeX Live signing key. The best practice would be to import this from a public key server, not download from tug.org (just in case tug.org is compromised):
    TLKEYID=0D5E5D9106BAB6BC
    gpg --homedir "$MYTEMP" --keyserver hkps://keyserver/ --recv-key $TLKEYID
    where keyserver is one of “keys.openpgp.org” or “keyserver.ubuntu.com” (choose one at random). At this writing, we are not aware of any other working key servers. N.B.: You must give an hkps: URL, not http(s).

    For completeness, you can also download the key from tug.org and import it manually:
    wget https://tug.org/texlive/files/texlive.asc
    gpg --homedir "$MYTEMP" --import texlive.asc

  4. Verify the signature:
    gpg --homedir "$MYTEMP" --verify tlfile.sha512.asc tlfile.sha512
    This should return output similar to the following:
    gpg: Signature made Sun Jan 12 09:51:09 2025 JST
    gpg:                using RSA key D8F2F86057A857E42A88106A4CE1877E19438C70
    gpg: Good signature from "TeX Live Distribution <tex-live@tug.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: C78B 82D8 C795 12F7 9CC0  D7C8 0D5E 5D91 06BA B6BC
         Subkey fingerprint: D8F2 F860 57A8 57E4 2A88  106A 4CE1 877E 1943 8C70

    If so, that is the verification (“good signature”); check that the primary key fingerprint printed ends in the key ID you imported (0D5E5D9106BAB6BC). The warning about “not certified” is expected: the TeX Live key is in turn signed by Norbert and Karl, so unless you've added their keys to your public keyring and trusted them, the TeX Live key won't be in your web of trust.

  5. You may want to remove the temporary directory for cleanliness:
    rm -rf $MYTEMP
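The five steps above, written as one POSIX shell script so the whole check can be repeated for any tlfile. This is an added example, not a script from tug.org: the function names, the use of gpg's --status-fd output to read the signing key's primary fingerprint, and the explicit fingerprint comparison are this example's own choices; the mirror URL, key ID and expected fingerprint are the values shown on this page. The point the script adds over running the commands by hand is that “Good signature” alone only says the file was signed by some key in $MYTEMP, so the fingerprint gpg reports is compared against the TeX Live key's fingerprint before the file is accepted.

```shell
#!/bin/sh
# Added example (not tug.org's script): verify a TeX Live download end to end.
# Assumes: coreutils sha512sum (or shasum -a 512 on macOS), wget and gpg.
# Constants below are the ones printed on the verification page.
TLKEYID=0D5E5D9106BAB6BC
TLFPR="C78B 82D8 C795 12F7 9CC0  D7C8 0D5E 5D91 06BA B6BC"   # primary key fingerprint
MIRROR=https://mirror.ctan.org/systems/texlive/tlnet
# Step 2: a throwaway GnuPG home so the user's own keyring is never touched.
MYTEMP=${MYTEMP:-$(mktemp -d)}

# Strip the spaces gpg prints in fingerprints and upper-case hex digits.
tl_fpr_normalize() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# True when two fingerprints denote the same key, whatever their spacing.
tl_fpr_matches() {
  [ "$(tl_fpr_normalize "$1")" = "$(tl_fpr_normalize "$2")" ]
}

# The long key ID is the last 16 hex digits of the primary fingerprint; this ties
# the fingerprint gpg prints back to the $TLKEYID that was requested.
tl_keyid_of() {
  tl_fpr_normalize "$1" | tail -c 16
}

# Fetch tlfile, its .sha512 checksum and the .sha512.asc signature.
tl_fetch() {
  for ext in "" .sha512 .sha512.asc; do
    wget -q "$MIRROR/$1$ext" || return 1
  done
}

# Step 1: checksum. Exit status 0 only when sha512sum reports "<file>: OK".
tl_check_sha512() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum --check --status "$1.sha512"
  else
    shasum -a 512 --check --status "$1.sha512"   # macOS fallback
  fi
}

# Step 3: import the signing key by key ID over hkps (http(s) is not accepted).
tl_import_key() {
  gpg --homedir "$MYTEMP" --keyserver hkps://keys.openpgp.org/ --recv-key "$TLKEYID"
}

# Step 4: verify the detached signature over the checksum file, then confirm the
# key that made it. gpg's VALIDSIG status line ends with the primary fingerprint
# of the signing key, which must equal the TeX Live fingerprint pinned above.
tl_verify_sig() {
  status=$(gpg --homedir "$MYTEMP" --status-fd 1 --verify "$1.sha512.asc" "$1.sha512" 2>/dev/null) || return 1
  got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF }')
  tl_fpr_matches "$got" "$TLFPR"
}

# All steps in order; any failure stops the chain before the file is trusted.
tl_verify_all() {
  f=$1
  tl_fetch "$f"        || { echo "$f: download failed" >&2; return 1; }
  tl_check_sha512 "$f" || { echo "$f: sha512 mismatch" >&2; return 1; }
  tl_import_key        || { echo "$f: key import failed" >&2; return 1; }
  tl_verify_sig "$f"   || { echo "$f: bad signature or not the TeX Live key" >&2; return 1; }
  echo "$f: checksum OK, signed by TeX Live key $TLKEYID"
}
```

Run it with, for example, `tl_verify_all install-tl-unx.tar.gz` from the directory where the files should land, and `rm -rf "$MYTEMP"` afterwards as in step 5. The sanity check `tl_keyid_of "$TLFPR"` returns 0D5E5D9106BAB6BC, which is how you can confirm that the key ID used for --recv-key and the fingerprint used for pinning describe the same key.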

Nelson Beebe has provided a page with more detailed verification procedures and information.

Feel free to write the tex-live@tug.org mailing list if you have questions or problems about this.

$Date: 2025/01/18 22:37:07 $