General

The WebJob Project uses GNU Privacy Guard (GnuPG) to sign distribution checksum files. GnuPG is an OpenPGP compliant application.

By signing distribution checksums, The WebJob Project asserts that each MD5 digest contained in a given checksum file is accurate and uncorrupt. Therefore, if you are able to verify the GnuPG signature and all MD5 checksums, then you have probably downloaded the distribution we intended for you to receive.

This, of course, assumes that the distribution files, including the .sig file, have not been compromised. While it is unlikely that the .sig file could be altered by an attacker, it could be replaced either in-transit to SourceForge's ftp server or once it's there. Unless you personally know who the signer is and have verified his or her key, you can't really conclude much.

It's important to understand that our signature on a checksum file does not assert anything about the content contained within the corresponding distribution file. Signing distribution files can be misleading because it implies that their content is somehow devoid of anything that might be harmful. However, even with best intentions and practices, distribution files can fall victim to maleficence.

Key Information

The key used to sign WebJob distributions is available here. This key belongs to Klayton Monroe and should have the following ID and fingerprint:

ID = 4D86DBFC, Fingerprint = 6D3B 1DBC F426 36E4 7C9A  FA93 9A5D D62D 4D86 DBFC

Warning: Don't implicitly trust the information provided here to validate the signer's key.