All tagged ZFS on Linux releases are signed by the official maintainer for that branch. These signatures are automatically verified by GitHub and can be checked locally by downloading the maintainer's public key.
Release branch (spl/zfs-*-release)
Checking the Signature of a Git Tag
First import the public key listed above into your keyring.
$ gpg --keyserver pgp.mit.edu --recv C6AF658B
gpg: requesting key C6AF658B from hkp server pgp.mit.edu
gpg: key C6AF658B: "Brian Behlendorf <email@example.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
After the public key is imported, the signature of a git tag can be verified as shown.
$ git tag --verify zfs-0.6.5
object 7a27ad00ae142b38d4aef8cc0af7a72b4c0e44fe
type commit
tag zfs-0.6.5
tagger Brian Behlendorf <firstname.lastname@example.org> 1441996302 -0700

ZFS Version 0.6.5
gpg: Signature made Fri 11 Sep 2015 11:31:42 AM PDT using DSA key ID C6AF658B
gpg: Good signature from "Brian Behlendorf <email@example.com>"
gpg:                 aka "Brian Behlendorf (LLNL) <firstname.lastname@example.org>"
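A scripted form of the check above, as an added example that is not from the ZFS on Linux project: it reads the GnuPG status lines that `git verify-tag --raw` emits and accepts a tag only when the signature is good and was made by a pinned full fingerprint, since an 8-digit key ID can be shared by unrelated keys. The fingerprints, the sample status lines and the function names are constructed placeholders, not the maintainer's real key data.

```sh
#!/bin/sh
# Added example: accept a signed tag only if it was made by one pinned key.

# Placeholder fingerprint. Replace it with the maintainer's full 40-digit
# fingerprint obtained from a source you trust.
PINNED='0123456789ABCDEF0123456789ABCDEF01234567'

# check_status PINNED_FPR   (GnuPG status lines on stdin)
# Returns 0 only for a good signature whose VALIDSIG fingerprint (signing
# key, or its primary key in the last field) equals PINNED_FPR.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # Any of these status codes means the signature must be rejected.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && (toupper($3) == toupper(want) ||
                             toupper($NF) == toupper(want)) { pinned = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_tag TAG PINNED_FPR: run inside a clone of the repository.
# --raw makes git print the gpg status lines on stderr.
verify_tag() {
    git verify-tag --raw "$1" 2>&1 | check_status "$2"
}

# Constructed sample: good signature made by the pinned key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-09-11 1441996302 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed sample: good signature from a different key that shares the
# same 8-digit short ID (01234567) as the pinned key.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7654321001234567 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA987654321001234567 2015-09-11 1441996302 0 4 0 17 2 00 FEDCBA9876543210FEDCBA987654321001234567'

# Constructed sample: tag contents do not match the signature.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>'
```

In a checkout, `verify_tag zfs-0.6.5 "$PINNED"` returns 0 only when both conditions hold, so it can gate a build script.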