Skip to content

Verifying OTP release integrity

All stable OTP releases are cryptographically signed, to allow you to verify the integrity if you choose to.

Releases are signed with Signify, with the public key in the main repository

Release URLs will always be of the form{branch}/akkoma-{flavour}.zip

Where branch is usually stable and flavour is the one that you detect on install.

So, for an AMD64 stable install, your update URL will be

To verify the integrity of this file, we have two helper files

# Checksums{branch}/akkoma-{flavour}.zip.sha256

# Signify signature of the hashes{branch}/akkoma-{flavour}.zip.sha256.sig

Thus, to upgrade manually, with integrity checking, consider the following script:

set -eo pipefail

export FLAVOUR=amd64
export BRANCH=stable

# Fetch signing key
curl --silent$BRANCH/ -o

# Download zip file and sig files
wget -q$BRANCH/akkoma-$FLAVOUR{.zip,.zip.sha256,.zip.sha256.sig}

# Verify zip file's sha256 integrity
sha256sum --check akkoma-$

# Verify hash file's integrity
# Signify might be under the `signify` command, depending on your distribution
signify-openbsd -V -p -m akkoma-$

# We're good, use that URL
echo "Update URL contents verified"
echo "use"
echo "./bin/pleroma_ctl update --zip-url$BRANCH/akkoma-$FLAVOUR"
echo "to update your instance"

# Clean up
rm akkoma-$
rm akkoma-$
rm akkoma-$