MKVToolNix – Matroska tools for Linux/Unix and Windows

Authenticity

Introduction

There are several ways in which I prove the authenticity of the source code and the binaries I provide.

Source code

The source code archives for MKVToolNix are signed with my GPG key (to be more precise: with sub-key ID 0x74AF00AD F2E32C85, fingerprint 3301 A29D 88D0 1A0C F999 954F 74AF 00AD F2E3 2C85, of key ID 0x0F92290A 445B9007, fingerprint D919 9745 B054 5F2E 8197 062B 0F92 290A 445B 9007). The signature’s file name is the tarball’s file name with .sig appended (e.g. mkvtoolnix-19.0.0.tar.xz.sig for the archive mkvtoolnix-19.0.0.tar.xz). Both files are stored in the same directory.

The same key is used for signing Debian/Ubuntu APT repositories and for e-mail communication.
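One way to check a downloaded tarball against the fingerprints listed above, as an added example that is not part of the original page or the MKVToolNix project. It assumes the public key has already been imported into the local GPG keyring; the function names and the sample status line are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the fingerprints published on this page and accept a
# tarball only if gpg reports a valid signature made by exactly that sub-key.

# Fingerprints as listed on the page, with the spaces removed.
SUBKEY_FPR=3301A29D88D01A0CF999954F74AF00ADF2E32C85
PRIMARY_FPR=D9199745B0545F2E8197062B0F92290A445B9007

# Constructed sample of what "gpg --status-fd 1 --verify" prints for a good
# signature (dates and algorithm numbers are made up for illustration).
SAMPLE_STATUS="[GNUPG:] VALIDSIG $SUBKEY_FPR 2017-12-17 1513500000 0 4 0 1 8 00 $PRIMARY_FPR"

# Reads gpg status lines on stdin. Succeeds only if a VALIDSIG line names the
# pinned signing sub-key (field 3) and the pinned primary key (last field),
# and no status line reports a bad, unverifiable, expired or revoked signature.
status_is_pinned_sig() {
    awk -v sub_fpr="$SUBKEY_FPR" -v pri_fpr="$PRIMARY_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            seen = 1
            if ($3 != sub_fpr || $NF != pri_fpr) bad = 1
        }
        END { exit !(seen && !bad) }'
}

# verify_tarball FILE: checks FILE against FILE.sig (the naming rule above).
# Returns 0 on a pinned valid signature, 2 if the .sig file is missing,
# and non-zero for anything else.
verify_tarball() {
    tarball=$1
    [ -f "$tarball.sig" ] || { echo "missing $tarball.sig" >&2; return 2; }
    gpg --batch --status-fd 1 --verify "$tarball.sig" "$tarball" 2>/dev/null |
        status_is_pinned_sig
}

# Example call: verify_tarball mkvtoolnix-19.0.0.tar.xz && echo "signature OK"
```

Comparing the full fingerprints from the status output, rather than trusting a "Good signature" message, prevents a signature from any other key in the keyring from being accepted.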

Debian/Ubuntu APT repositories

For Debian & Ubuntu the DEB packages themselves are normally not signed, but the APT repositories they're located in are. I'm following the same approach.

All of my Debian & Ubuntu APT repositories are signed with my GPG key (to be more precise: with sub-key ID 0x74AF00AD F2E32C85, fingerprint 3301 A29D 88D0 1A0C F999 954F 74AF 00AD F2E3 2C85, of key ID 0x0F92290A 445B9007, fingerprint D919 9745 B054 5F2E 8197 062B 0F92 290A 445B 9007).

The same key is used for signing the source code archives and for e-mail communication.

RPM packages for Fedora/CentOS/openSUSE

All of my RPM packages for Fedora, CentOS and openSUSE are signed with my RPM signing GPG key (to be more precise: key ID 0x16D2F5DC 10C052A6, fingerprint EB24 BCA1 4BA6 A24F 1427 6FEE 16D2 F5DC 10C0 52A6).

This is a different key from the one used for signing the Debian/Ubuntu APT repositories and for e-mail communication, because the RPM binary itself doesn't support the use of sub-keys.

Windows binaries

All of my Windows binaries (both the programs themselves and the installer) are signed with a code-signing certificate. Which one was used depends on the release:

  • Starting with version 20.0.0 all releases will be signed by the following certificate signed by the COMODO CA:
    • Subject: C = DE, postalCode = 38118, ST = Niedersachsen, L = Braunschweig, street = Cyriaksring 10a, postOfficeBox = 38118, O = LINET Services GmbH, CN = LINET Services GmbH
    • SHA-1 fingerprint: 0F:D7:AF:05:85:AB:0F:7D:10:2A:24:A6:95:5A:58:83:76:A1:4E:33
    • Download certificate
  • Starting with version 8.9.0 up to and including version 19.0.0 all releases were signed by the following certificate signed by the StartSSL CA:
    • Subject: C = DE, ST = Niedersachsen, L = Braunschweig, O = Moritz Bunkus, CN = Moritz Bunkus
    • SHA-1 fingerprint: 48:13:1B:5D:41:63:12:07:D2:86:20:6C:28:F3:78:C8:06:6F:34:AA
    • Download certificate
  • Releases before version 8.9.0 were not signed.

macOS binaries and disk image

My macOS binaries (both the applications themselves and the disk image) are signed with the following certificate signed by Apple's CA:

  • Subject: UID = YZ9DVS8D8C, CN = Developer ID Application: Moritz Bunkus (YZ9DVS8D8C), OU = YZ9DVS8D8C, O = Moritz Bunkus, C = US
  • SHA-1 fingerprint: 58:B4:A5:55:42:D0:9A:CB:C4:C2:08:A2:55:C4:06:E7:78:1D:C8:33
  • Download certificate

E-mail communication

I'm using GPG/PGP for encrypted e-mail communication. Here's my GPG key (to be more precise: sub-key ID 0x74AF00AD F2E32C85, fingerprint 3301 A29D 88D0 1A0C F999 954F 74AF 00AD F2E3 2C85, of key ID 0x0F92290A 445B9007, fingerprint D919 9745 B054 5F2E 8197 062B 0F92 290A 445B 9007).

The same key is used for signing Debian/Ubuntu APT repositories and Fedora/CentOS/openSUSE packages.

© 2002 – 2018 Moritz Bunkus