Please see https://www.borgbackup.org/ for free and paid support and service options.
In case you discover a security issue, please use this contact for reporting it privately and please, if possible, use encrypted E-Mail:
Thomas Waldmann <firstname.lastname@example.org>
GPG Key Fingerprint: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
The public key can be fetched from any GPG keyserver, but be careful: you must use the full fingerprint to check that you got the correct key.
Releases are signed with the same GPG key and a .asc file is provided for each binary.
To verify a signature, the public key needs to be known to GPG. It can be imported into the local keystore from a keyserver with the fingerprint:
gpg --recv-keys "6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393"
If GPG successfully imported the key, the output should include (among other things):
... gpg: Total number processed: 1 ...
To verify for example the signature of the borg-linux64 binary:
gpg --verify borg-linux64.asc
GPG outputs if it finds a good signature. The output should look similar to this:
gpg: Signature made Sat 30 Dec 2017 01:07:36 PM CET using RSA key ID 51F78E01 gpg: Good signature from "Thomas Waldmann <email>" gpg: aka "Thomas Waldmann <email>" gpg: aka "Thomas Waldmann <email>" gpg: aka "Thomas Waldmann <email>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393 Subkey fingerprint: 2F81 AFFB AB04 E11F E8EE 65D4 243A CFA9 51F7 8E01
If you want to make absolutely sure that you have the right key, you need to verify it via another channel and assign a trust-level to it.