Official AKADATA documentation · v0.0.5

Verification

Verify the v0.0.5 archive, published SHA-256 digest and canonical signed wordlist against the expected AKADATA signing key.

What the checks prove

OpenPGP proves AKADATA release authenticity. A valid signature confirms that the exact file was signed by the private key corresponding to the expected AKADATA public-key fingerprint. It also detects any change made after signing.

SHA-256 proves file integrity against the published digest. It confirms that the archive bytes match the checksum file. The checksum becomes authenticity evidence only when that checksum is obtained through the trusted signed release context.

Use both checks: the checksum is a quick byte-integrity test, while OpenPGP binds the release to the expected signing key.

1. Verify the release archive signature

Download the archive and detached .asc signature into the same directory, then run:

gpg --verify aip-56-v0.0.5.tar.gz.asc aip-56-v0.0.5.tar.gz

2. Verify the SHA-256 checksum

Keep the checksum file beside the archive and ask sha256sum to compare the published digest with the local bytes:

sha256sum -c aip-56-v0.0.5.tar.gz.sha256

3. Verify the canonical wordlist

The signed wordlist.json is the canonical wordlist source. Every reference implementation embeds this canonical data as compressed chunks and reconstructs the canonical JSON for verification. Verify its detached signature independently:

gpg --verify wordlist.json.sig wordlist.json

The canonical wordlist.json has this SHA-256. The PHP implementation reconstructs the same canonical JSON byte-for-byte, producing this exact digest:

ea0be8d452c422f154358b386c0c5bfc1f4e8e0670f9cd4ddf1a662cb3c96ec8

Expected signing identity

Confirm that gpg reports this full fingerprint rather than relying on a short key identifier:

7915B0831DF20BAFF4218F347D88C5B374E65D90
Andrew Smalley <andrew.smalley@akadata.ltd>