What is a GPG key?

GPG stands for GNU Privacy Guard. It is a tool for verifying that a file came from exactly who it says it did and that it has not been changed since it was released.

When Bad Kitty Software releases a file, it is signed using a private key that only Bad Kitty Software holds. This creates a small signature file (ending in .sig) that travels alongside the download.

You use the public key on this page to check that signature. If it matches, the file is genuine. If it does not match, something is wrong and you should not run the file.

Why does this matter?

Anyone can host a file and call it something. Without verification, you have no way of knowing whether a download was tampered with after it left the source, whether it was replaced by a malicious copy, or whether it was modified in transit.

GPG signing removes that uncertainty. If the signature verifies correctly using the key below, the file is exactly what Bad Kitty Software released. Always download directly from badkitty.uk and always verify.

Bad Kitty Software public key

This key is a placeholder. The real Bad Kitty Software GPG public key will be published here before any signed releases are made available.
Bad Kitty Software - public key (placeholder)
-----BEGIN PGP PUBLIC KEY BLOCK-----

[The Bad Kitty Software GPG public key will be published here.]

Key ID:        [placeholder]
Fingerprint:   [placeholder]
Created:       [placeholder]
Expires:       [placeholder]
UID:           Bad Kitty Software <hello@badkitty.uk>

-----END PGP PUBLIC KEY BLOCK-----

How to verify a download

You need two files from the Software Library - the software file itself and its .sig signature file. Then follow the steps for your operating system.

Linux

gpg --import badkitty-public.asc
gpg --verify hue-1.0.0-linux-x86_64.tar.gz.sig hue-1.0.0-linux-x86_64.tar.gz

Good result: Good signature from "Bad Kitty Software <hello@badkitty.uk>"
Bad result: BAD signature - do not use the file. Delete it and contact us.

Windows

rem Install GPG4Win from gpg4win.org first, then open Command Prompt:
gpg --import badkitty-public.asc
gpg --verify hue-1.0.0-windows-x64.exe.sig hue-1.0.0-windows-x64.exe

Good result: Good signature from "Bad Kitty Software <hello@badkitty.uk>"
Bad result: BAD signature - do not use the file. Delete it and contact us.

macOS

# Install GPG Suite from gpgtools.org first, then open Terminal:
gpg --import badkitty-public.asc
gpg --verify hue-1.0.0-macos.dmg.sig hue-1.0.0-macos.dmg

Good result: Good signature from "Bad Kitty Software <hello@badkitty.uk>"
Bad result: BAD signature - do not use the file. Delete it and contact us.

If verification fails or you have any doubt about a download, do not run the file. Contact us via the contact page and we will assist you.