Linux: AppImage signature

Every Linux AppImage we publish ships with a detached GPG signature (.asc) and a SHA-256 checksum (.sha256). Verify before launching unless you trust the network you downloaded over.

Quick verification

# 1. Import our public key (one-time)
curl -fsSL https://solidaccounting.com/release-public.asc | gpg --import
 
# 2. From the same release, download the AppImage AND its .asc
 
# 3. Verify
gpg --verify Solid-Accounting_*_amd64.AppImage.asc Solid-Accounting_*_amd64.AppImage

Expected output:

gpg: Signature made <date>
gpg:                using EDDSA key <fingerprint>
gpg: Good signature from "Solid Accounting Releases <releases@solidaccounting.com>"

The "Good signature" line is what matters. If you see it, and the key's fingerprint matches the one we publish (see Key fingerprint below), the AppImage is exactly what we shipped.

"Can't check signature: No public key"

You haven't imported our key yet. Run the curl … | gpg --import line above. Or pull it from a keyserver (search by address; --recv-keys expects a key ID or fingerprint, not an email):

gpg --keyserver keys.openpgp.org --search-keys releases@solidaccounting.com

"BAD signature"

Stop. Do not run the AppImage. A bad signature means:

  • The file was modified in transit (compromised mirror, MITM proxy)
  • You downloaded a different file by mistake — re-download the matching .AppImage and .asc from the same release page
  • You're on a corporate network that rewrites downloads — try from an unmanaged connection

If re-downloading from github.com/socket5/TrueLedger/releases also produces a bad signature, email support with the SHA-256 of what you got:

sha256sum Solid-Accounting_*_amd64.AppImage

We'll cross-reference against what we shipped.

"WARNING: This key is not certified with a trusted signature"

Normal — you haven't told GPG you trust our key. The signature is still valid; GPG just doesn't know whether to trust the key itself. For most users this is fine; if you want to silence the warning, check the fingerprint (see Key fingerprint below) and then locally sign our key with your own:

gpg --lsign-key releases@solidaccounting.com

That non-exportable signature marks the key as trusted in your keyring only.

Using the SHA-256 instead

If you don't have GPG, the .sha256 file alongside each AppImage gives you a quick integrity check:

# Take the first field so this works whether the .sha256 file holds the bare hash or "hash  filename"
expected=$(awk '{print $1}' Solid-Accounting_*_amd64.AppImage.sha256)
actual=$(sha256sum Solid-Accounting_*_amd64.AppImage | awk '{print $1}')
[ "$expected" = "$actual" ] && echo "MATCH" || echo "MISMATCH"

This catches accidental corruption and most CDN/mirror issues, but doesn't protect against an attacker who serves you a doctored AppImage together with a matching doctored .sha256. GPG verification does, because producing a valid signature would also require our private key.

Key fingerprint

You can confirm that the key you imported has our fingerprint by comparing it with the copy held on keys.openpgp.org. The fingerprint is also published on the download page and in the GitHub release notes.

If the fingerprint you see locally doesn't match what's published, you have a fake key — contact support before doing anything else.
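An added example, not a script we ship with the release: a POSIX shell wrapper that runs the same gpg --verify, reads gpg's machine-readable --status-fd lines instead of the human text, and accepts the AppImage only when the signature is good AND was made by the fingerprint you copied from the download page. PUBLISHED_FPR is a placeholder you must fill in; the status keywords (GOODSIG, BADSIG, VALIDSIG, NO_PUBKEY) are GnuPG's documented status-fd output.

```shell
#!/bin/sh
# verify-appimage.sh (added example; not part of the release)
# Usage: ./verify-appimage.sh Solid-Accounting_1.2.3_amd64.AppImage
#
# PLACEHOLDER: paste the 40-hex-digit fingerprint from the download page here.
PUBLISHED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Read `gpg --status-fd` lines on stdin and succeed only when gpg reports GOODSIG
# and a VALIDSIG whose signing-key or primary-key fingerprint equals the pinned one.
# Status lines are a stable interface; "Good signature from ..." text is not.
check_status() {
  want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  awk -v want="$want" '
    $1 != "[GNUPG:]"   { next }
    $2 == "GOODSIG"    { good = 1 }
    $2 == "BADSIG"     { bad = 1 }
    $2 == "NO_PUBKEY"  { nokey = 1 }
    $2 == "VALIDSIG" {
      # $3 = fingerprint of the key that signed; $NF = primary-key fingerprint when present
      if (toupper($3) == want || toupper($NF) == want) pinned = 1
    }
    END {
      if (bad)             { print "BAD signature: do not run this file"; exit 1 }
      if (nokey)           { print "No public key imported; run the curl | gpg --import step"; exit 1 }
      if (good && !pinned) { print "Good signature, but NOT from the published fingerprint"; exit 1 }
      if (good && pinned)  { print "OK: good signature from the pinned release key"; exit 0 }
      print "No usable signature found"; exit 1
    }'
}

# Verify FILE against FILE.asc; exit status 0 means it is safe to launch.
# gpg's human-readable output still goes to stderr, so you see it alongside the verdict.
verify_appimage() {
  file=$1
  [ -f "$file" ] && [ -f "$file.asc" ] || { echo "missing $file or $file.asc" >&2; return 1; }
  gpg --status-fd 1 --verify "$file.asc" "$file" | check_status "$PUBLISHED_FPR"
}

# Only run when invoked with an argument, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then verify_appimage "$1"; fi
```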

Updated May 2, 2026