All current OpenVPN (OSS) source packages and Windows installers have been signed with the Security mailing list GPG key:
- Fingerprint F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7
If you have intentionally downloaded an old version of OpenVPN and the signature does not match this key, please read this article really carefully.
Verifying file signatures
Signature verification can be performed by PGP or GnuPG once you have the correct key in your trusted keyring. To do this, obtain the correct key file, for example our security mailing list GPG key mentioned above, and import it:
wget -O security-openvpn-net.asc https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
gpg --import security-openvpn-net.asc
Now you can download the open source installer file or tarball you wish to check, along with its signature file, and have them in the same location. Then you can run a verification with the signature file belonging to the downloaded file you want to check:
gpg [.asc file]
Make sure you have the corresponding OpenVPN package in the same directory. The GnuPG signature files for the OpenVPN file releases are available on the download page right next to the download button. If the verification succeeds you should see a message like this somewhere in the output:
gpg: Good signature from "OpenVPN - Security Mailing List <email@example.com>"
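The steps above, scripted as an added example (this is not the OpenVPN project's own tooling). Beyond checking for "Good signature", it pins the signer's primary-key fingerprint taken from gpg's machine-readable status output, so a valid signature made by some other key you happen to have imported is rejected; the key is imported into a throw-away keyring so that nothing already trusted on the machine influences the result.

```shell
#!/bin/sh
# Added example: verify a release against its detached .asc signature and
# require that the signing key's primary fingerprint equals the expected one.

# Fingerprint of the OpenVPN security mailing list key, as published above.
OPENVPN_FPR="F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7"

# normalize_fpr: drop spaces and upper-case hex so display forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# verify_release KEYFILE EXPECTED_FPR SIGFILE DATAFILE
# Returns 0 only when SIGFILE is a valid signature over DATAFILE made by the
# key whose primary fingerprint is EXPECTED_FPR; 1 on mismatch or bad
# signature, 2 on setup/import failure.
verify_release() {
    keyfile=$1; want=$(normalize_fpr "$2"); sig=$3; data=$4
    tmp=$(mktemp -d) || return 2
    chmod 700 "$tmp"
    # Import into a private keyring, not the user's default one.
    GNUPGHOME=$tmp gpg --batch --quiet --import "$keyfile" 2>/dev/null \
        || { rm -rf "$tmp"; return 2; }
    # --status-fd 1 prints "[GNUPG:] VALIDSIG ..." on success. Its first
    # argument is the fingerprint of the (sub)key that signed; the last
    # argument is the primary key's fingerprint, which is what we pin.
    status=$(GNUPGHOME=$tmp gpg --batch --status-fd 1 --verify "$sig" "$data" \
             2>/dev/null) || true
    rm -rf "$tmp"
    signer=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $NF; exit}')
    [ -n "$signer" ] && [ "$(normalize_fpr "$signer")" = "$want" ]
}

# Usage: ./verify-openvpn.sh openvpn-2.x.tar.gz   (expects the .asc beside it)
if [ "$#" -eq 1 ]; then
    if verify_release security-openvpn-net.asc "$OPENVPN_FPR" "$1.asc" "$1"; then
        echo "OK: $1 is signed by the OpenVPN security list key"
    else
        echo "FAIL: signature or signer fingerprint check failed for $1" >&2
        exit 1
    fi
fi
```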