Official AKADATA documentation · v0.0.5
Verification
Verify the v0.0.5 archive, published SHA-256 digest and canonical signed wordlist against the expected AKADATA signing key.
What the checks prove
OpenPGP proves AKADATA release authenticity. A valid signature confirms that the exact file was signed by the private key corresponding to the expected AKADATA public-key fingerprint. It also detects any change made after signing.
SHA-256 proves file integrity against the published digest. It confirms that the archive bytes match the checksum file. The checksum becomes authenticity evidence only when that checksum is obtained through the trusted signed release context.
Use both checks: the checksum is a quick byte-integrity test, while OpenPGP binds the release to the expected signing key.
1. Verify the release archive signature
Download the archive and detached .asc signature into the same directory, then run:
gpg --verify aip-56-v0.0.5.tar.gz.asc aip-56-v0.0.5.tar.gz2. Verify the SHA-256 checksum
Keep the checksum file beside the archive and ask sha256sum to compare the published digest with the local bytes:
sha256sum -c aip-56-v0.0.5.tar.gz.sha2563. Verify the canonical wordlist
The signed wordlist.json is the canonical wordlist source. Every reference implementation embeds this canonical data as compressed chunks and reconstructs the canonical JSON for verification. Verify its detached signature independently:
gpg --verify wordlist.json.sig wordlist.jsonThe canonical wordlist.json has this SHA-256. The PHP implementation reconstructs the same canonical JSON byte-for-byte, producing this exact digest:
ea0be8d452c422f154358b386c0c5bfc1f4e8e0670f9cd4ddf1a662cb3c96ec8Expected signing identity
Confirm that gpg reports this full fingerprint rather than relying on a short key identifier:
7915B0831DF20BAFF4218F347D88C5B374E65D90
Andrew Smalley <andrew.smalley@akadata.ltd>