The Debian repositories on are signed, and most of the other download files are checksummed and signed. The following describes how to download and set up the public keys, and how they are used.

The first section 'Quick' if you are in a hurry or not interested by the details. See 'More details' further on for other explanations.

Quick: installing the keys into the 'apt' keyring

The first step is to download my public key from this server or from the sks key servers.

Either download from

Download the public key from this server, then import it into your keyring:

gpg --import ~/Downloads/

Or use the sks key servers

You may need to install the 'dirmngr' package which is the utility which lets gpg access the key servers:

sudo apt install dirmngr

Get the lesbonscomptes repository public key from the keyservers:

gpg --keyserver --recv-key F8E3347256922A8AE767605B7808CE96D38B9201

In both cases, add the public key to the 'apt' keyring

gpg --export '7808CE96D38B9201' | sudo apt-key add -

File checksums

Most distribution files (tar, zip, setup…​) have associated sha256 checksum files. This allows checking that the files are not corrupted by copying or transmission.

E.g, after downloading recoll-1.21.5.tar.gz, and recoll-1.21.5.tar.gz.sha256, you can run the following to verify the file integrity:

sha256sum recoll-1.21.5.tar.gz > mynewchecksum
diff mynewchecksum recoll-1.21.5.tar.gz.sha256

Using gpg, you can verify the file integrity and origin - it was signed by me - in one step:

gpg upmpdcli-1.1.3.tar.gz.asc
gpg: assuming signed data in `upmpdcli-1.1.3.tar.gz'
gpg: Signature made lun. 13 mars 2017 16:27:20 CET
gpg:                using RSA key 0x7808CE96D38B9201
gpg: Good signature from "Jean-Francois Dockes <>" [ultimate]
gpg:                 aka "Jean-Francois Dockes <>" [ultimate]
Primary key fingerprint: F8E3 3472 5692 2A8A E767  605B 7808 CE96 D38B 9201

More details about the signatures

The download files have detached gpg signatures (same file name, with '.asc' added). These provide a slight amount of security against tampering on the WEB server, (very slight because the keys are currently self-signed).

The public keys are also stored on an independant web site (different hosting provider, passwords, etc), you can cut/paste them from:

This is also unsecure because you don’t know that I (J.F. Dockes) set up the site. Still, it’s an additional element which an attacker would need to control.

I have been using two keys to sign the files, an older, not used any more, and a current, more secure, one.

The older key (1024 bits) is supposed to be a bit short which is why it is not used any more:

pub   1024D/0x32D9C2A835ED066C 2009-10-18 [expires: 2017-02-21]
      Key fingerprint = 4C6E 80B6 374D CD5F 53AB  706A 32D9 C2A8 35ED 066C
uid                 [ultimate] Jean-Francois Dockes <>
sub   2048g/0xF93B49FFEB13BE77 2009-10-18

The newer key is signed with the old one:

pub   4096R/0x7808CE96D38B9201 2016-02-21 [expires: 2017-02-20]
      Key fingerprint = F8E3 3472 5692 2A8A E767  605B 7808 CE96 D38B 9201
uid                 [ultimate] Jean-Francois Dockes <>
uid                 [ultimate] Jean-Francois Dockes <>
sub   4096R/0x45C4053F9AA984A2 2016-02-21 [expires: 2017-02-20]

You can receive the key from the keyservers using:

gpg --recv-key '4C6E 80B6 374D CD5F 53AB 706A 32D9 C2A8 35ED 066C'
gpg --recv-key 'F8E3 3472 5692 2A8A E767 605B 7808 CE96 D38B 9201'

You can then check the signature on any file by downloading the parallel .asc file and using, e.g.:

gpg --verify some-tar-file.tar.gz.asc

Apt repositories

The apt repositories are also signed. Only the newer key should be needed.

Once the key has been received in your gpg keyring, you can add them to the apt key ring as follows:

gpg --export '7808CE96D38B9201' | sudo apt-key add -