TYPO3 Release Integrity

TYPO3 release packages (the downloadable tarballs and zip files) as well as Git tags are signed with OpenPGP signatures during the automated release process. SHA2-256, SHA1 and MD5 hashes are also generated for these files. The hashes detect a corrupted or truncated download; only the signatures, checked against a known release-key fingerprint, show that a package was actually produced by the TYPO3 release team.

Release contents

Every release of TYPO3 is made available with the following files:

Taking the TYPO3 CMS 11.4.0 release as an example:
  • *.tar.gz and *.zip files are the actual release packages, containing the source code of TYPO3 CMS
  • *.sig files contain the corresponding signatures for each release package file

Checking file hashes

File hashes are used to check that a downloaded file was transferred and stored correctly on the local system. TYPO3 publishes SHA2-256, SHA1 and MD5 hashes. MD5 and SHA1 are no longer collision resistant, so compare the SHA2-256 value where possible. Note also that a hash fetched from the same site as the package only confirms integrity, not origin: anyone able to replace the package could replace the published hash as well, which is why the signature check described below is required in addition.

The file hashes for each version are published on get.typo3.org and can be found on the corresponding release page, for example https://get.typo3.org/version/11#package-checksums contains:

TYPO3 11.4.0 Checksums

SHA2-256
04452d0dcecccad9398fc01d29ea8ba812bec0e008a98821ea803c81e6b35a56 typo3_src-11.4.0.tar.gz
8eda6053861e6e76cb251cb9bbc3d7b155eceac3ed57937473bc071b20886735 typo3_src-11.4.0.zip

SHA1
3d262e6df54b0d2b41c3336011a07848f59c1197 typo3_src-11.4.0.tar.gz
0ad10332be8369a05e7f4d6df1c4143581ccb4bf typo3_src-11.4.0.zip

MD5
3f55041fa966447fe42a0602702232e6 typo3_src-11.4.0.tar.gz
a63f65db9f915a15d333ea29c0a3e903 typo3_src-11.4.0.zip

To verify file hashes, generate them locally for the downloaded packages and compare them with the hashes published on get.typo3.org. Use one of the command-line tools md5sum, sha1sum or shasum to generate the hashes locally.

The following commands generate hashes for the .tar.gz and .zip packages:

~$ shasum -a 256 typo3_src-*.tar.gz typo3_src-*.zip
04452d0dcecccad9398fc01d29ea8ba812bec0e008a98821ea803c81e6b35a56 typo3_src-11.4.0.tar.gz
8eda6053861e6e76cb251cb9bbc3d7b155eceac3ed57937473bc071b20886735 typo3_src-11.4.0.zip
~$ sha1sum typo3_src-*.tar.gz typo3_src-*.zip
3d262e6df54b0d2b41c3336011a07848f59c1197 typo3_src-11.4.0.tar.gz
0ad10332be8369a05e7f4d6df1c4143581ccb4bf typo3_src-11.4.0.zip
~$ md5sum typo3_src-*.tar.gz typo3_src-*.zip
3f55041fa966447fe42a0602702232e6 typo3_src-11.4.0.tar.gz
a63f65db9f915a15d333ea29c0a3e903 typo3_src-11.4.0.zip

These hashes must match the hashes published on get.typo3.org. A mismatch means the download is corrupted or has been altered; discard the file instead of unpacking it.

Checking file signatures

TYPO3 uses OpenPGP (Pretty Good Privacy) to sign release packages and Git release tags. GnuPG (the GNU Privacy Guard) is recommended for validating these signatures, but any OpenPGP-compliant tool can be used.

The release packages use a detached binary signature: the file typo3_src-11.4.0.tar.gz is accompanied by typo3_src-11.4.0.tar.gz.sig, which contains the signature over the package.

gpg --verify typo3_src-11.4.0.tar.gz.sig typo3_src-11.4.0.tar.gz
gpg: Signature made Tue  7 Sep 08:12:37 2021 BST using RSA key ID E7ED29A70309A0D1AE34DA733304BBDBFA9613D1
gpg: Can't check signature: public key not found

This message means that the public key E7ED29A70309A0D1AE34DA733304BBDBFA9613D1 is not yet in the local keyring, so the signature cannot be checked. The authoritative source for the release keys is the https://get.typo3.org/KEYS file, served over HTTPS. The keys can also be fetched from any key server, for example pgpkeys.mit.edu, but since anyone can upload a key with any name to a key server, the fingerprint must be compared against the KEYS file (or the list below) in either case.

wget -qO- https://get.typo3.org/KEYS | gpg --import
gpg: key 59BC94C4: public key "TYPO3 Release Team (RELEASE) <typo3cms@typo3.org>" imported
gpg: key FA9613D1: public key "Benjamin Mack <benni@typo3.org>" imported
gpg: key 16490937: public key "Oliver Hader <oliver@typo3.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 3
gpg:               imported: 3  (RSA: 3)

Once the public key has been imported, the previous command on verifying the signature of the typo3_src-11.4.0.tar.gz file can be repeated.

gpg --verify typo3_src-11.4.0.tar.gz.sig typo3_src-11.4.0.tar.gz
gpg: Signature made Tue  7 Sep 08:12:37 2021 BST
gpg:                using RSA key E7ED29A70309A0D1AE34DA733304BBDBFA9613D1
gpg: Good signature from "Benjamin Mack <benni@typo3.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E7ED 29A7 0309 A0D1 AE34  DA73 3304 BBDB FA96 13D1

The new warning is expected: the key is not certified by anything in your local web of trust, and anybody could have generated a key with the user ID "Benjamin Mack <benni@typo3.org>" and uploaded it to a key server, so "Good signature" on its own proves nothing about who signed. The important point is to compare the primary key fingerprint E7ED 29A7 0309 A0D1 AE34  DA73 3304 BBDB FA96 13D1 with the fingerprints published by the project; in this case it is the correct one for TYPO3 CMS release packages (see the list of currently used keys below, or access the https://get.typo3.org/KEYS file directly). Compare the full fingerprint, not the short key ID: short IDs are only 32 bits long and colliding ones can be generated deliberately.

gpg --fingerprint E7ED29A70309A0D1AE34DA733304BBDBFA9613D1
pub   rsa4096 2010-06-22 [SC]
      E7ED 29A7 0309 A0D1 AE34  DA73 3304 BBDB FA96 13D1
uid                  [ unknown] Benjamin Mack <benni@typo3.org>
sub   rsa4096 2010-06-22 [E]

Checking tag signature

Checking signatures on Git tags works much like verifying a package with the gpg tool, but uses the git tag --verify command (or the equivalent git verify-tag), which runs gpg on the tag object for you. The same rules apply: the signing key must already be imported, and a "Good signature" only counts if the key fingerprint matches a published release key.

git tag --verify v11.4.0
object e4da4be7d06b36ef3abef1c82ec9f9a7f0d3dce0
type commit
tag v11.4.0
tagger Benni Mack <benni@typo3.org> 1630998676 +0200

Release of TYPO3 11.4.0
gpg: Signature made Tue Sep  7 09:11:16 2021 CEST
gpg: using RSA key E7ED29A70309A0D1AE34DA733304BBDBFA9613D1
gpg: Good signature from "Benjamin Mack <benni@typo3.org>"

The git show command on the tag name reveals more details:

git show v11.4.0
tag v11.4.0
Tagger: Benni Mack <benni@typo3.org>
Date:   Tue Sep 7 09:11:16 2021 +0200
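Putting the hash check, the package signature check and the tag check together, the following script is an added example (not part of this page or of the TYPO3 project) of how to automate the procedure above. It assumes the package, its .sig file and the KEYS file have been downloaded from get.typo3.org and imported as shown, and it hard-codes the one release-key fingerprint that appears in this page's output as the trusted set; the function names are the example's own. The point it adds beyond the commands above is that gpg --verify exits with status 0 for any "Good signature" from any key in the keyring, so a script must read gpg's machine-readable status output (--status-fd, or git verify-tag --raw) and compare the primary-key fingerprint on the VALIDSIG line against an allowlist.

```bash
#!/usr/bin/env bash
# Added example, not TYPO3 project code: verify a downloaded TYPO3 release
# package (hash + detached signature) and a release tag without trusting the
# gpg exit code alone. Assumes typo3_src-<ver>.tar.gz and .tar.gz.sig were
# fetched from get.typo3.org and the KEYS file was imported as shown above.
set -eu

# Primary-key fingerprints you have decided to trust, copied by hand from
# https://get.typo3.org/KEYS (here: the key shown in this page's output).
TRUSTED_FPRS="E7ED29A70309A0D1AE34DA733304BBDBFA9613D1"

# sha256_of FILE -> lowercase hex digest; works with coreutils and BSD/macOS tools.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# check_sha256 FILE EXPECTED -> 0 iff FILE hashes to EXPECTED (case-insensitive).
check_sha256() {
  local actual expected
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# gpg_status_ok STATUSFILE -> 0 iff the machine-readable gpg status (from
# --status-fd or git verify-tag --raw) contains a VALIDSIG line whose
# *primary-key* fingerprint (last field) is in TRUSTED_FPRS.
# "Good signature" and exit status 0 only mean "some imported key signed this";
# anyone can publish a key carrying a TYPO3 user ID.
gpg_status_ok() {
  local primary fpr
  primary=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {print $NF}' "$1")
  [ -n "$primary" ] || return 1
  for fpr in $TRUSTED_FPRS; do
    [ "$fpr" = "$primary" ] && return 0
  done
  return 1
}

# verify_release PKG SIG EXPECTED_SHA256 -> 0 iff the hash matches and the
# detached signature was made by a trusted release key.
verify_release() {
  local pkg=$1 sig=$2 expected=$3 status rc=1
  check_sha256 "$pkg" "$expected" || { echo "SHA-256 mismatch: $pkg" >&2; return 1; }
  status=$(mktemp)
  if gpg --batch --status-fd 3 --verify "$sig" "$pkg" 3>"$status" >/dev/null 2>&1 \
     && gpg_status_ok "$status"; then
    rc=0
  else
    echo "signature on $pkg was not made by a trusted release key" >&2
  fi
  rm -f "$status"
  return $rc
}

# verify_tag TAG -> 0 iff the Git tag is signed by a trusted release key.
# git verify-tag --raw writes the same [GNUPG:] status lines to stderr.
verify_tag() {
  local status rc=1
  status=$(mktemp)
  if git verify-tag --raw "$1" 2>"$status" >/dev/null && gpg_status_ok "$status"; then
    rc=0
  else
    echo "tag $1 is not signed by a trusted release key" >&2
  fi
  rm -f "$status"
  return $rc
}

# Usage (after downloading from get.typo3.org; checksum from the release page):
# verify_release typo3_src-11.4.0.tar.gz typo3_src-11.4.0.tar.gz.sig \
#   04452d0dcecccad9398fc01d29ea8ba812bec0e008a98821ea803c81e6b35a56
# verify_tag v11.4.0   # inside a clone of the TYPO3 repository
```

Keeping the allowlist in the script rather than marking the key as trusted in the keyring has the advantage that the decision is visible in version control and survives on a fresh build host; rotate it whenever the KEYS file changes.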

Public Keys

Starting in June 2017, TYPO3 releases have been cryptographically signed by the TYPO3 Release Team <typo3cms@typo3.org> with a dedicated public key. Since July 2017 releases are signed by individual members of the TYPO3 Release Team directly, namely Benni Mack <benni@typo3.org> and Oliver Hader <oliver@typo3.org>.

You can download the public keys in use from https://get.typo3.org/KEYS.