How to confirm that the downloaded installer is genuine and unmodified.
A GPG signature lets you confirm that the installer came directly from vibepn.app and was not modified in transit (MITM attack, tampered mirror). The signature does not guarantee the absence of bugs — it only guarantees file integrity.
Fingerprint: DFB9 854D DEFB 70D5 0FBF 5D28 0B60 9680 778A 7AF5
Download the public key: vibepn.app/pubkey.asc
Import it into your GPG keyring:
curl -sL https://vibepn.app/pubkey.asc | gpg --import
Verify the fingerprint after import:
gpg --fingerprint vibepn
# or
gpg --list-keys 778A7AF5
The output should contain: DFB9 854D DEFB 70D5 0FBF 5D28 0B60 9680 778A 7AF5
Download the .deb or .rpm and the corresponding .asc file from the downloads page, then:
# Example for .deb
gpg --verify VibePN_0.1.1_amd64.deb.asc VibePN_0.1.1_amd64.deb
# Example for .rpm
gpg --verify VibePN-0.1.1-1.x86_64.rpm.asc VibePN-0.1.1-1.x86_64.rpm
Expected output:
gpg: Signature made ...
gpg: using EDDSA key DFB9854DDEFB70D50FBF5D280B609680778A7AF5
gpg: Good signature from "VibePN Releases ..."
Good signature, with the "using EDDSA key" line showing the fingerprint above, means the file is authentic. A "key is not certified with a trusted signature" warning is normal — it just means you haven't marked the key as trusted in your keyring.
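The check above can be made mechanical. The script below is an added example, not part of VibePN's own instructions: it reads gpg's machine-readable `--status-fd` output and accepts the file only when the `VALIDSIG` line carries the fingerprint published on this page, because "Good signature" alone is printed for any key present in your keyring. The function names and sample status lines are constructed for illustration, and rejecting expired or revoked keys is a policy choice of this example.

```shell
#!/bin/sh
# Added example: accept a signature only if it comes from the pinned key.
# Fingerprint as published on this page, spaces removed.
EXPECTED_FPR="DFB9854DDEFB70D50FBF5D280B609680778A7AF5"

# check_status: reads `gpg --status-fd` lines on stdin. Succeeds only when a
# VALIDSIG line names EXPECTED_FPR and no line reports a bad signature or an
# expired/revoked key (rejecting those is this example's policy choice).
check_status() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing-key fingerprint, the last field
        # the primary-key fingerprint (the same value when the primary signs).
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_installer SIGNATURE FILE: status lines go to stdout (fd 1); the
# human-readable "gpg: ..." text stays on stderr and is discarded here.
verify_installer() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Constructed status output (dates and field values are illustrative).
SAMPLE_PINNED_KEY='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG DFB9854DDEFB70D50FBF5D280B609680778A7AF5 2025-01-01 1735689600 0 4 0 22 10 00 DFB9854DDEFB70D50FBF5D280B609680778A7AF5'
# Constructed: a cryptographically good signature, but from some other key
# that happens to be in the keyring (placeholder fingerprint).
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2025-01-01 1735689600 0 4 0 22 10 00 0000000000000000000000000000000000000001'

if [ "$#" -eq 2 ]; then
    if verify_installer "$1" "$2"; then
        echo "OK: signed by $EXPECTED_FPR"
    else
        echo "FAIL: no valid signature from $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```

Saved under a name of your choice (for example `verify.sh`, a hypothetical name), it is run as `sh verify.sh VibePN_0.1.1_amd64.deb.asc VibePN_0.1.1_amd64.deb` after the key has been imported.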
Option 1 — Gpg4win (GUI):
DFB9 854D DEFB 70D5 0FBF 5D28 0B60 9680 778A 7AF5
Option 2 — command line (after installing Gpg4win):
# In PowerShell or cmd
gpg --verify VibePN_0.1.1_x64-setup.exe.asc VibePN_0.1.1_x64-setup.exe
.asc files are linked directly from the downloads page — there's a link next to each installer.
If you only want to verify file integrity without GPG:
# Linux / macOS
sha256sum VibePN_0.1.1_amd64.deb
# Windows (PowerShell)
Get-FileHash VibePN_0.1.1_x64-setup.exe -Algorithm SHA256
Compare the result with the hashes shown on the downloads page.