Make sure to check your download:
GnuPG Public Key
Starting with OpenVPN 1.5.0, all file releases were signed by James Yonan (OpenVPN project founder and maintainer). Later, when OpenVPN 2.3_alpha2 was released, the signer was changed to Samuli Seppänen, the community manager of OpenVPN Technologies, Inc. In addition, Debian/RPM packages are signed with yet another key.
To verify the file signatures, you need to add the signer’s public key to your trusted PGP/GnuPG keyring:
- James Yonan’s PGP key (for 1.5.0 -> 2.3_alpha1, key ID 1FBF51F3, fingerprint C699 B264 0C6D 404E 6454 A9AD 1D0B 4996 1FBF 51F3)
- Samuli Seppänen’s old PGP key (2.3_alpha2 and later, key ID 198D22A3, fingerprint 0330 0E11 FED1 6F59 715F 9996 C29D 97ED 198D 22A3)
- Samuli Seppänen’s new PGP key (2.4.1 and later, key ID 40864578, fingerprint 6D04 F8F1 B017 3111 F499 795E 2958 4D9F 4086 4578)
Note that James Yonan’s PGP/GnuPG public key is also available in the archives for all OpenVPN mailing lists (such as here). Please note that the keys may contain more than one email address. For example, Samuli’s GPG key has both @openvpn.net and @gmail.com addresses attached to it. Also note that the key E158C569, which you may find on public keyservers, is only used for signing Debian packages.
Signature verification can be performed by PGP or GnuPG once you have the correct key in your trusted keyring:
$ gpg --import keyname.asc
$ gpg -v --verify [.asc file]
Make sure you have the corresponding OpenVPN package in the same directory. GnuPG signature files for OpenVPN file releases are available on the download page.
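A "Good signature" from gpg only means that some key in your keyring made the signature, so it is worth checking that the signing key is one of the fingerprints listed above. The following script is an added example, not part of the original page or of OpenVPN's own tooling; the names PINNED_FPRS, signer_is_pinned and verify_release are hypothetical. It assumes you want signatures from expired or revoked keys to be rejected.

```shell
#!/bin/sh
# Added example. Release-signing fingerprints as published on this page,
# spaces removed. The Debian/RPM key is not pinned here because the page
# gives only its key ID, not its fingerprint.
PINNED_FPRS="C699B2640C6D404E6454A9AD1D0B49961FBF51F3"               # James Yonan
PINNED_FPRS="$PINNED_FPRS 03300E11FED16F59715F9996C29D97ED198D22A3"  # Samuli Seppänen (old)
PINNED_FPRS="$PINNED_FPRS 6D04F8F1B0173111F499795E29584D9F40864578"  # Samuli Seppänen (new)

# signer_is_pinned (hypothetical helper): reads `gpg --status-fd` lines on
# stdin and succeeds only if
#   1. gpg reported GOODSIG (it reports EXPKEYSIG/REVKEYSIG/BADSIG instead
#      for expired keys, revoked keys and bad signatures), and
#   2. a VALIDSIG line names a pinned fingerprint. Field 12 is the primary
#      key fingerprint (it differs from field 3 when a subkey signed);
#      fall back to field 3 if gpg did not print it.
signer_is_pinned() {
    awk -v pins="$PINNED_FPRS" '
        BEGIN { n = split(pins, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = toupper(NF >= 12 ? $12 : $3)
            if (fpr in ok) pinned = 1
        }
        END { exit !(good && pinned) }'
}

# verify_release (hypothetical helper): verify_release SIGFILE PACKAGE
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | signer_is_pinned
}

# When run as a script with two arguments, verify and report.
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: good signature from a pinned OpenVPN release key"
    else
        echo "FAIL: no good signature from a pinned key" >&2
        exit 1
    fi
fi
```

Run it as `sh verify.sh [.asc file] [package file]`; it exits non-zero unless the signature is good and was made by one of the three pinned keys.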