Verifying CLI standalone binaries

You can verify both the shasum of downloaded binaries and their GPG signatures.

The download location on downloads.snyk.io contains a file called sha256sums.txt.asc. You can download it directly: https://downloads.snyk.io/cli/stable/sha256sums.txt.asc or for a specific version like https://downloads.snyk.io/cli/v1.666.0/sha256sums.txt.asc.

To check that a downloaded file matches the checksum, use a sha256sum command, for example:

grep snyk-macos sha256sums.txt.asc | sha256sum -c -

If you want to verify Snyk CLI standalone binaries against the Snyk CLI GPG key, first import the GPG key:

# 467717A30B2B4658415975629691DA64D0025194 is the key belonging to [email protected]
# Copy of this public key is also in this repository /help/_about-this-project/snyk-code-signing-public.pgp
gpg --keyserver hkps://keys.openpgp.org --recv-keys A22665FB96CAB0E0973604C83676C4B8289C296E

Then verify the file is signed with:

gpg --verify sha256sums.txt.asc

The command output should look like the following:

gpg: Signature made So  8 Jan 14:11:44 2025 CET
gpg:                using EDDSA key 467717A30B2B4658415975629691DA64D0025194
gpg: Good signature from "Snyk Limited <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4677 17A3 0B2B 4658 4159  7562 9691 DA64 D002 5194

PreviousInstall or update the Snyk CLI NextInstalling Snyk CLI as a binary via npm

Last updated 5 months ago

Was this helpful?