# Download spmenu

The latest release of spmenu can be had from my [releases](https://ls.speedie.site/?b=releases%2Fspmenu)
page. Select the latest version (which is at the bottom). You can also get the
latest release [here](https://git.speedie.site/speedie/spmenu/releases/latest)
if you prefer.

You can also get spmenu

I provide the following with each release. Older releases may be missing some
of these:

- Source code tarball (spmenu-VERSION.tar.gz)
- Source code tarball PGP signature (spmenu-VERSION.tar.gz.sig)
- Source code tarball MD5 hash (spmenu-VERSION.tar.gz.md5)
- Source code tarball SHA256 hash (spmenu-VERSION.tar.gz.sha256)
- Arch Linux PKGBUILD (spmenu-VERSION.PKGBUILD)
- Arch Linux prebuilt package (spmenu-VERSION-1-x86_64.pkg.tar.zst)
- Arch Linux prebuilt package PGP signature (spmenu-VERSION-1-x86_64.pkg.tar.zst.sig)
- Arch Linux prebuilt package MD5 hash (spmenu-VERSION-1-x86_64.pkg.tar.zst.md5)
- Arch Linux prebuilt package SHA256 hash (spmenu-VERSION-1-x86_64.pkg.tar.zst.sha256)
- Gentoo Linux ebuild (spmenu-VERSION.ebuild)
- Gentoo Linux ebuild PGP signature (spmenu-VERSION.ebuild.sig)
- Gentoo Linux ebuild MD5 hash (spmenu-VERSION.ebuild.md5)
- Gentoo Linux ebuild SHA256 hash (spmenu-VERSION.ebuild.sha256)

See [[Installing spmenu]] for instructions on installing spmenu.

## Verifying using PGP

To verify a file using PGP, you need to make sure you have GPG installed. Then
you can import my public key into your keyring. Do this using: `gpg --recv-keys CEB863B830D1318A`.
If you don't want to use a keyserver, you can get my key [here](https://ls.speedie.site/pubkey.asc).

Now you can verify it using: `gpg --verify FILE.sig FILE`. For example, to
verify `spmenu-3.0.2.tar.gz`, run the following: `gpg --verify spmenu-3.0.2
.tar.gz.sig spmenu-3.0.2.tar.gz`. The output should be something like the
following:

```Shell
gpg: Signature made Wed 19 Jul 2023 03:50:52 AM CEST
gpg:                using RSA key AE46FBEA635C56F2B212D036CEB863B830D1318A
gpg: Good signature from "speedie (key) <speedie.alt@gmail.com>" [ultimate]
```

If you do not get a good signature, you should **not** install spmenu using the
tarball/package, you should consider it compromised.

## Verifying using SHA256

To verify the SHA256 hash, run `sha256sum FILE` where `FILE` is the file you want
to check. You should end up with a 64 character (256 bit) string of characters.
Make sure this string is **identical** to the contents of `FILE.sha256`.

## Verifying using MD5

NOTE: It is recommended that you verify using PGP and/or SHA256 instead.

To verify the MD5 hash, run `md5sum FILE` where `FILE` is the file you want
to check. You should end up with a 32 character (128 bit) string of characters.
Make sure this string is **identical** to the contents of `FILE.md5`.