Blue Static

Code Signing

Blue Static products are signed with a digital signature, so that you can verify the contents of a download. This provides an additional level of security, in addition to accessing the site over HTTPS.

Ed25519

Starting in 2019, some software is signed with an Ed25519 key. Unfortunately, most tools like OpenSSL do not yet support signature operations with such keys. With the upcoming OpenSSL 3.0, it is possible:

openssl pkeyutl -verify -pubin -inkey ed25519_pub.pem -sigfile file.zip.ed25519.sig -rawin -in file.zip

The Ed25519 key is used because Sparkle requires it.

DSA

Software may also be signed with the original DSA key. Both signatures may be provided on downloads, because the tooling for Ed25519 is not mature enough yet.

To verify a download package’s DSA signature with OpenSSL:

openssl dgst -sha512 -verify dsa_pub.pem -signature file.zip.sha512dsa.sig file.zip

Cross-Sign

To verify the transition from DSA to Ed25519, this is a SHA-256 digest of the Ed25519 public key file (above), signed with the DSA private key:

MCwCFG8Boq4deUxPG4jGRxithgm2WNXiAhQQqJCehcoTdcsz34KKkgMzsjSeGg==