New releases of NeoMutt will be signed with my GPG key:

    Richard Russon (NeoMutt) <rich@flatcap.org>

    Fingerprint: 86C2 3972 70DD 7A56 1263 CA4E 5FAF 0A6E E737 1805

This guarantees that any bugs you find are my fault :-)

Getting My Key

You can retrieve my key from a public keyserver, using the command:

gpg2 --recv-keys E7371805

Unless you meet me, in person, and verify my identity, you should not trust this key. If you’re planning a keysigning party anywhere near Oxford, England, let me know.

Checking Downloads

If you download the source, or patches, you can now verify them. First, check the signature on the CHECKSUM file:

gpg2 --verify neomutt-20160404-CHECKSUM.txt

You will see something like:

gpg: Signature made Fri 08 Apr 2016 16:51:31 BST using RSA key ID E7371805
gpg: Good signature from "Richard Russon (NeoMutt) <rich@flatcap.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 86C2 3972 70DD 7A56 1263  CA4E 5FAF 0A6E E737 1805

Next, check the downloads’ checksums.

sha256sum -c neomutt-20160404-CHECKSUM.txt

Hopefully, you will see something like:

neomutt-20160404.tar.gz: OK
neomutt-20160404.zip: OK
neomutt-patches-20160404.tar.gz: OK

Checking Git Tags

You can use git to download and verify the source. Below, we clone the source, checking-out the “neomutt-20160404” branch. Then we verify that the tag is signed.

git clone -b neomutt-20160404 https://github.com/neomutt/neomutt.git
cd neomutt
git verify-tag neomutt-20160404

Again, you will see something like:

gpg: Signature made Fri 08 Apr 2016 15:07:39 BST using RSA key ID E7371805
gpg: Good signature from "Richard Russon (NeoMutt) <rich@flatcap.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 86C2 3972 70DD 7A56 1263  CA4E 5FAF 0A6E E737 1805