How to verify Eddie downloads with OpenPGP (GPG) signatures

We sign every release file with OpenPGP. Verifying the signature ensures the file was not modified in transit and comes from us. This page explains how to verify the signature on Windows, macOS, and Linux.

1. Install GnuPG (GPG)

You need GnuPG installed. If it is not already there, install it as follows.

Windows

Download and install Gpg4win from gpg4win.org. During setup you can leave the default options selected. After installation, open Command Prompt or PowerShell and run:

gpg --version

If you see version information, GnuPG is ready.

macOS

Install via Homebrew (if you use it):

brew install gnupg

Or download GPG Suite from gpgtools.org. Then open Terminal and run:

gpg --version

Linux

Install the gnupg package. Examples:

# Debian / Ubuntu
sudo apt install gnupg

# Fedora / RHEL
sudo dnf install gnupg2

# Arch
sudo pacman -S gnupg

Then run gpg --version to confirm.

2. Import our public key

You only need to do this once (or again if we rotate the key). We publish our release signing key; you import it so GPG can verify our signatures.

From a key file (recommended)

Download our public key file from the website (e.g. eddie-release.asc). In a terminal or command prompt, go to the folder where you saved it and run:

gpg --import eddie-release.asc

Replace eddie-release.asc with the actual filename if different.

From a keyserver

We publish the key on public keyservers. Replace KEYID with our key ID (you will find it on the download page or in the signature verification output):

gpg --keyserver keys.openpgp.org --recv-keys KEYID

Or:

gpg --keyserver keyserver.ubuntu.com --recv-keys KEYID

3. Download the package and its signature

From the download page, download both:

  • The release file (e.g. Eddie-2.18.4-windows-x64.exe, or the .zip, .dmg, .pkg, .tar.gz for your platform).
  • The signature file: click the link that downloads the .asc file for the same release (same name with .asc at the end).

Save both files in the same folder (e.g. your Downloads folder).

4. Verify the signature

Open a terminal (or Command Prompt / PowerShell on Windows) and change to the folder where you saved the two files. Then run:

gpg --verify filename.asc filename

Use the real file names. The .asc file is the signature; the other is the package. Examples:

Windows (PowerShell or Command Prompt)

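Example if the package is Eddie-2.18.4-windows-x64.exe and both files are in Downloads. In Command Prompt:

cd %USERPROFILE%\Downloads
gpg --verify Eddie-2.18.4-windows-x64.exe.asc Eddie-2.18.4-windows-x64.exe

PowerShell does not expand %USERPROFILE%. There, change folder with cd $env:USERPROFILE\Downloads and then run the same gpg --verify command.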

macOS (Terminal)

Example if the package is Eddie-2.18.4-macos-x64.dmg in your Downloads folder:

cd ~/Downloads
gpg --verify Eddie-2.18.4-macos-x64.dmg.asc Eddie-2.18.4-macos-x64.dmg

Linux (terminal)

Example if the package is eddie-cli_2.18.4_linux_x64_portable.tar.gz:

cd ~/Downloads
gpg --verify eddie-cli_2.18.4_linux_x64_portable.tar.gz.asc eddie-cli_2.18.4_linux_x64_portable.tar.gz

5. What the result means

Good signature

You should see a line like:

gpg: Good signature from "Eddie <maintainer@eddie.website>"

There may be a warning that the key is not certified with a trusted signature; that is normal if you have not marked our key as ultimately trusted. The important part is Good signature. You can then install or use the downloaded file.

Bad signature or tampering

If you see BAD signature, do not use the file. Delete it and download again from the official site; if it still fails, contact support.

Missing public key

If GPG says it cannot verify because no public key was found, import our public key (see step 2). The message will include the key ID; you can import that key from a keyserver or from our key file.
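
The three outcomes in step 5 can also be checked by a script instead of by eye. The following is an added example, not code from the Eddie project: it reads GnuPG's machine-readable --status-fd output and, beyond "Good signature", requires that the signature was made by one specific key. The function names are hypothetical, and the fingerprint you pass in is an assumption: it must be the release key's fingerprint obtained from a source you trust.

```shell
#!/bin/sh
# Added example. Function names and the fingerprint argument are assumptions,
# not part of the Eddie project.

# classify_status EXPECTED_FPR
# Reads "gpg --status-fd 1 --verify ..." output on stdin and prints one of:
#   OK          good signature made by the expected key
#   WRONGKEY    good signature, but from a different key in your keyring
#   BAD         signature does not match the file (step 5, "Bad signature")
#   NOKEY       signing key is not in your keyring (step 5, "Missing public key")
#   UNVERIFIED  anything else (no signature, expired or revoked key, ...)
classify_status() {
    awk -v want="$1" '
        BEGIN { gsub(/ /, "", want); want = toupper(want) }
        $1 != "[GNUPG:]"  { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "GOODSIG"   { good = 1 }
        # VALIDSIG: the last field is the fingerprint of the primary key.
        $2 == "VALIDSIG"  { fpr = toupper($NF) }
        END {
            if (bad)                      print "BAD"
            else if (nokey)               print "NOKEY"
            else if (!good || fpr == "")  print "UNVERIFIED"
            else if (fpr == want)         print "OK"
            else                          print "WRONGKEY"
        }'
}

# verify_release SIGFILE PACKAGE EXPECTED_FPR
# Exit status is 0 only for OK; gpg's human-readable messages are silenced.
verify_release() {
    result=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status "$3")
    echo "$result"
    [ "$result" = "OK" ]
}

# Run directly: sh verify.sh FILE.asc FILE FINGERPRINT
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```

WRONGKEY is the case the plain "Good signature" line does not distinguish: the file is correctly signed, but by some other key that happens to be in your keyring.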