Verifying Releases
Each package is published with information that helps confirm it was downloaded correctly and was published by the MyBB Team. Learn how to verify the integrity and authenticity of MyBB packages.
Latest Version Information
Guarantee of latest updates
Make sure to obtain the software packages from official sources. The Download page always shows the most recent available version, and the MyBB Blog contains official announcements related to the Project.
You can get notified of updates by:
- subscribing to the MyBB Blog (Releases RSS feed, Security RSS feed),
- following @[email protected] on Mastodon (all releases),
- following @mybbsecurity on Twitter (security-related releases),
- following @mybb on Twitter (all releases),
- checking for updates in your Admin Control Panel’s Home.
Links to the latest Release Blog Posts are also pinned in the #18-support channel on our Discord server.
Additionally, we recommend subscribing to the plugins and themes you use in the Extend section to get notified of extension updates.
Checksums
Integrity of downloaded packages
Checksums are short chunks of text which can verify that files were downloaded correctly. MyBB publishes checksums generated by SHA-512, SHA-256, SHA-1 and MD5 hash algorithms (strongest to weakest — checking SHA-512 is recommended).
After downloading the package, its checksum should be compared to the one that was published.
- Linux — Terminal
  sha512sum filename.zip
- Mac OS X — Terminal
  shasum --algorithm 512 filename.zip
- Windows — Command Prompt
  CertUtil -hashfile filename.zip SHA512
- Windows — PowerShell
  Get-FileHash filename.zip -Algorithm SHA512 | Format-List
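The comparison step can be scripted so that it behaves the same on every platform. The following is an added example, not part of the MyBB documentation or tooling: it infers which of the four published algorithms a checksum belongs to from its length, tolerates case and whitespace differences between tools' output, and flags SHA-1 and MD5 as weak. The function names and the sample file are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib name, for the four algorithms the page lists.
ALGO_BY_HEX_LEN = {128: "sha512", 64: "sha256", 40: "sha1", 32: "md5"}
WEAK = {"sha1", "md5"}  # collision-prone; only useful for spotting corruption


def file_digest(path: str, algo: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so large archives need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path: str, published: str) -> tuple[bool, str, bool]:
    """Return (matches, algorithm, is_weak) for a published hex checksum."""
    # Tools differ in letter case and spacing, so normalise before comparing.
    expected = "".join(published.split()).lower()
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("not a SHA-512/SHA-256/SHA-1/MD5 hex checksum")
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected), algo, algo in WEAK


def demo() -> list[tuple[bool, str, bool]]:
    """Constructed sample: a stand-in file, not a real MyBB package."""
    data = b"constructed sample package bytes"
    with tempfile.NamedTemporaryFile(delete=False, suffix=".zip") as f:
        f.write(data)
        path = f.name
    try:
        good = hashlib.sha512(data).hexdigest().upper()       # uppercase, as some tools print
        altered = hashlib.sha512(data + b"!").hexdigest()     # checksum of different content
        md5 = hashlib.md5(data).hexdigest()                   # matches, but weak
        return [verify_package(path, c) for c in (good, altered, md5)]
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

A match only shows that the file equals what the checksum describes, so the published value has to come from the official sources named above.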
Reproducibility
Tracing the packaging process
Distributed packages (mybb_*.zip, changed_files_*.zip) can be reproduced using:
- the build script, and
- build_*.zip archives on the Releases page on GitHub, which include input for the script (input/):
  - references to the MyBB source code repository at a specific state to pull the code from,
  - security patches (.diff format),
  - metadata.
The generated packages (output/) should be binary-identical to published packages.