Verifying Releases

Each package is published with information that help confirm it was downloaded correctly and was published by the MyBB Team. Learn how to verify the integrity and authenticity of MyBB packages.

Latest Version Information

Guarantee of latest updates

Make sure to obtain the software packages from official sources. The Download page always shows the most recent available version and the MyBB Blog contains official announcements related to the Project.

You can get notified of updates by:

Links to latest Release Blog Posts are also pinned in the #18-support channel on our Discord server.

Additionally, we recommend subscribing to used plugins and themes on the Extend section to get notified of extension updates.

Checksums

Integrity of downloaded packages

Checksums are short chunks of text which can verify that files were downloaded correctly. MyBB publishes checksums generated by SHA-512, SHA-256, SHA-1 and MD5 hash algorithms (strongest to weakest — checking SHA-512 is recommended).

After downloading the package, its checksum should be compared to the one that was published.

  • Linux — Terminal

    sha512sum filename.zip
    
  • Mac OS X — Terminal

    shasum --algorithm 512 filename.zip
    
  • Windows — Command Prompt

    CertUtil -hashfile filename.zip SHA512
    
  • Windows — PowerShell

    Get-FileHash filename.zip -Algorithm SHA512 | Format-List
    

Signatures

Integrity & Authenticity of downloaded packages

Digital signatures, when checked against public keys, show whether certain data was signed using private keys owned by developers, thus allowing to verify the authenticity of published packages. Make sure your system has GnuPG installed (version 2.1 or higher is recommended) to be able to use the commands below.

  1. Fetch the list of public keys used to sign official releases from https://mybb.com/download/keys/raw and import them:

    gpg --import KEYS
    
  2. Verify the signature of the downloaded file:

    • gpg --verify filename.zip.asc

      where filename.zip.asc is a file containing signatures for filename.zip.

    • Alternatively, you can use

      gpg --verify - filename.zip
      

      to have GnuPG check the signature of filename.zip that will be pasted into the Terminal/Command Prompt (stdin).

      Once pasted, press Ctrl + D (^D) and Enter on Linux, or Ctrl + Z (^Z) and Enter on Windows.

Key verification

All code signing keys are maintained in accordance with the Project’s Package Signing Protocol:

  • signatures from keys listed on mybb.com/download/keys/:
    • with CODE SIGNING KEY as the key’s comment,
    • active and belonging to Team members at the time of release,
  • each key must have a corresponding ADDING... announcement with its fingerprint and owner’s username on twitter.com/mybbsecurity,
  • each key must not have a corresponding REMOVING... announcement with its fingerprint on twitter.com/mybbsecurity,
  • each key must have been added at least 14 days before it was used for signing,
  • each key must be signed by its owner with a key listed on mybb.com/about/team/,
  • each key must be signed by a current member of the Management Team or a current team Leader, other than the key’s owner, listed on mybb.com/about/team/.

Note that the keys file is updated with revoked signatures whenever keys are removed.