Signing Code / Releases

Be Sure You’re Getting the Real Thing

If you’re planning to build your own version of NeoMutt, it’s important to check that the source hasn’t been tampered with.

All release commits in Git are signed and all GitHub downloads come with a SHA256 CHECKSUM file.


The NeoMutt signing key is:

  • 86C2397270DD7A561263CA4E5FAF0A6EE7371805
  • Richard Russon (NeoMutt)

This key is available on keyservers:

gpg --search-keys neomutt
gpg: data source:
(1)     Richard Russon (NeoMutt) <>
          4096 bit RSA key 5FAF0A6EE7371805, created: 2016-04-08, expires: 2021-04-09
Keys 1-1 of 1 for "neomutt".  Enter number(s), N)ext, or Q)uit >

Git example

Note: On the GitHub releases page, all releases should display a “Verified” tag. This confirms that the release matches the NeoMutt signing key.

git clone
cd neomutt
git tag -v 20191111
object b39b9b4bf3181a653b1186af98fd724be31d7cb9
type commit
tag 20191111
tagger Richard Russon <> 1573435069 +0000

NeoMutt release 2019-11-11
gpg: Signature made Mon 11 Nov 2019 01:17:49 GMT
gpg:                using RSA key 86C2397270DD7A561263CA4E5FAF0A6EE7371805
gpg:                issuer ""
gpg: Good signature from "Richard Russon (NeoMutt) <>" [ultimate]
git checkout -b 20191111
# build

Source example

Download a source package and the CHECKSUM file from the release page


gpg --verify 20191111-CHECKSUM
gpg: Signature made Sun 30 Apr 2017 23:39:42 BST using RSA key ID 5FAF0A6EE7371805
gpg: Good signature from "Richard Russon (NeoMutt) <>" [full]
sha256sum -c 20191111-CHECKSUM
20191111.tar.gz: OK
# extract source
# build

Search by Algolia