Latest Version Information
Guarantee of latest updates
Make sure to obtain the software packages from official sources. The Download page always shows the most recent available version and the MyBB Blog contains official announcements related to the Project.
You can get notified of updates by:
- subscribing to the MyBB Blog,
- following @mybbsecurity on Twitter (security-related releases),
- following @mybb on Twitter (all releases),
- checking for updates in your Admin Control Panel’s Home.
Links to latest Release Blog Posts are also pinned in the
#18-support channel on our Discord server.
Additionally, we recommend subscribing to used plugins and themes on the Extend section to get notified of extension updates.
Integrity of downloaded packages
Checksums are short chunks of text which can verify that files were downloaded correctly. MyBB publishes checksums generated by
MD5 hash algorithms (strongest to weakest — checking
SHA-512 is recommended).
After downloading the package, its checksum should be compared to the one that was published.
Linux — Terminal
Mac OS X — Terminal
shasum --algorithm 512 filename.zip
Windows — Command Prompt
CertUtil -hashfile filename.zip SHA512
Windows — PowerShell
Get-FileHash filename.zip -Algorithm SHA512 | Format-List
Integrity & Authenticity of downloaded packages
Digital signatures, when checked against public keys, show whether certain data was signed using private keys owned by developers, thus allowing to verify the authenticity of published packages. Make sure your system has GnuPG installed (version 2.1 or higher is recommended) to be able to use the commands below.
Fetch the list of MyBB Signing Keys used to sign official releases and import them:
curl https://mybb.com/download/keys/raw.txt | gpg --import
You can also download the above URL manually and import it with
gpg --import raw.txt.
Verify the signature of the downloaded file:
gpg --verify filename.zip.asc
where filename.zip.asc is a file containing signatures for filename.zip.
Alternatively, you can use
gpg --verify - filename.zip
to have GnuPG check the signature of filename.zip that will be pasted into the Terminal/Command Prompt (stdin).
Once pasted, press Ctrl + D (
^D) and Enter on Linux, or Ctrl + Z (
^Z) and Enter on Windows.
All code signing keys are maintained in accordance with the Project’s MyBB Signing Keys Protocol. Each key:
- is listed on mybb.com/download/keys/,
- contains a comment
CODE SIGNING KEY,
- is active and belongs to a Team member at the time of release,
- has a corresponding
Adding...announcement with its fingerprint on twitter.com/mybbsecurity,
- does not have a corresponding
Removing...announcement with its fingerprint on twitter.com/mybbsecurity,
- has been added at least 14 days before the signing date,
- is signed by its owner with a key listed on mybb.com/about/team/,
- is signed by a current Role Leader, other than the key’s owner, listed on mybb.com/about/team/.
Note that the keys file is updated with revoked keys and new signatures when changes occur.