We do our best to keep SpecDD release files secure and verifiable. Each release artifact is signed so users can confirm that the downloaded zip was produced by the SpecDD project and has not been changed after signing.
For best results, always download SpecDD release files from the official GitHub Releases page:
https://github.com/specdd/specdd/releases
After verifying the GPG signature, we also recommend reviewing the files before copying them into a project or asking an AI agent to follow them. In particular, inspect:
- src/.specdd/bootstrap.md
- src/.specdd/bootstrap.project.md
- src/AGENTS.md
- src/CLAUDE.md
- any other agent-facing instructions or code files included in the release
Bootstrap files and agent instruction files are intended to guide AI tooling, so it is worth reading them the same way you would review any other project configuration before adoption. Check that the instructions match your expectations and fit the boundaries of your project.
SpecDD release artifacts are signed with a dedicated release signing key.
Current release signing key:
Fingerprint: FD87 3132 56E0 8C48 6951 F909 1372 D385 6911 6BC5
Key ID: FD87313256E08C486951F9091372D38569116BC5
UID: SpecDD (This key is used to sign SpecDD releases) <[email protected]>
The public key is committed to this repository at:
.gpg/code-signing-2026.01.gpg
The key is also published to these OpenPGP keyservers:
```sh
gpg --keyserver hkps://keys.openpgp.org --recv-keys FD87313256E08C486951F9091372D38569116BC5
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys FD87313256E08C486951F9091372D38569116BC5
gpg --keyserver hkps://pgp.mit.edu --recv-keys FD87313256E08C486951F9091372D38569116BC5
gpg --keyserver hkps://openpgp.circl.lu --recv-keys FD87313256E08C486951F9091372D38569116BC5
```
Always compare the fingerprint before trusting the key.
Each GitHub release includes:
- specdd.zip: the packaged contents of src/
- specdd.zip.asc: a detached ASCII-armored GPG signature for specdd.zip
The signature proves that the zip file was signed by the SpecDD release signing key and has not been modified since it was signed.
Download both release files from the same GitHub release:
specdd.zip
specdd.zip.asc
Then verify the signature with GPG.
Fetch the public key from a keyserver, confirm the fingerprint, and verify the release:
```sh
gpg --keyserver hkps://keys.openpgp.org --recv-keys FD87313256E08C486951F9091372D38569116BC5
gpg --fingerprint FD87313256E08C486951F9091372D38569116BC5
gpg --verify specdd.zip.asc specdd.zip
```
Only trust the verification result if the fingerprint matches:
```
FD87 3132 56E0 8C48 6951 F909 1372 D385 6911 6BC5
```
If one keyserver is unavailable, use another published keyserver:
```sh
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys FD87313256E08C486951F9091372D38569116BC5
gpg --keyserver hkps://pgp.mit.edu --recv-keys FD87313256E08C486951F9091372D38569116BC5
gpg --keyserver hkps://openpgp.circl.lu --recv-keys FD87313256E08C486951F9091372D38569116BC5
```
Alternatively, from a checkout of this repository, import the committed key and verify:
```sh
gpg --import .gpg/code-signing-2026.01.gpg
gpg --verify specdd.zip.asc specdd.zip
```
Expected result:
```
Good signature from "SpecDD (This key is used to sign SpecDD releases) <[email protected]>"
Primary key fingerprint: FD87 3132 56E0 8C48 6951 F909 1372 D385 6911 6BC5
```
GPG may also print a warning that the key is not certified with a trusted signature. That warning means you have not personally marked the key as trusted in your local GPG keyring. The release signature is still valid if the fingerprint matches the expected SpecDD release signing key.
Verifying in a temporary keyring avoids importing the key into your normal GPG keyring:
```sh
tmp_gnupg="$(mktemp -d)"
chmod 700 "$tmp_gnupg"
gpg --homedir "$tmp_gnupg" --import .gpg/code-signing-2026.01.gpg
gpg --homedir "$tmp_gnupg" --verify specdd.zip.asc specdd.zip
rm -rf "$tmp_gnupg"
```
Check that the output reports a good signature and shows this fingerprint:
```
FD87 3132 56E0 8C48 6951 F909 1372 D385 6911 6BC5
```
Maintainers create signed release artifacts with:
```sh
make build
```
The build target:
- Confirms .gpg/code-signing-2026.01.gpg contains the configured release signing key.
- Packages the contents of src/ as build/specdd.zip.
- Creates a detached signature at build/specdd.zip.asc.
- Verifies the generated signature against a temporary GPG keyring that imports only .gpg/code-signing-2026.01.gpg.
The generated specdd.zip and specdd.zip.asc files are then uploaded to the matching GitHub release.
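The manual verification steps above and the build target's self-check share one weak point: a human has to notice whether the fingerprint GPG printed is the pinned one. The script below is an added example, not part of the SpecDD repository or its Makefile, that makes that comparison mechanical. It pins the fingerprint, verifies in a throwaway keyring exactly as the temporary-keyring recipe does, and accepts the result only if GPG's machine-readable VALIDSIG status line names the pinned primary key; sign_release packages src/, signs with that key, and then runs the same check so a signature made with the wrong key fails the build. Assumed: the paths KEY_FILE, SRC_DIR and BUILD_DIR, and that zip(1) and gpg(1) are installed for sign_release and verify_release (the two parser functions need neither). The sample listing and status transcript at the bottom are constructed, not captured from the real key.

```shell
#!/bin/sh
# Added example (not SpecDD's own code). Pins the SpecDD release signing key
# fingerprint and refuses a signature unless GPG reports VALIDSIG for that key.
# Assumptions: KEY_FILE, SRC_DIR and BUILD_DIR below; zip(1) and gpg(1) present.

EXPECTED_FPR="FD87313256E08C486951F9091372D38569116BC5"
KEY_FILE=".gpg/code-signing-2026.01.gpg"   # assumed path, as in this document
SRC_DIR="src"                               # assumed layout
BUILD_DIR="build"                           # assumed layout

# Print every fingerprint in `gpg --with-colons` output. Fingerprint records
# look like `fpr:::::::::<40 hex chars>:`, i.e. the hex is colon-field 10.
fingerprints_from_colons() {
  awk -F: '$1 == "fpr" { print $10 }'
}

# Return 0 when the pinned fingerprint appears in a colon-format listing.
#   $1 = listing text, $2 = expected fingerprint
fingerprint_present() {
  printf '%s\n' "$1" | fingerprints_from_colons | grep -qx "$2"
}

# Return 0 when a `gpg --status-fd 1 --verify` transcript has a VALIDSIG line
# whose last field (the primary key fingerprint) equals the pinned one.
# VALIDSIG is locale-independent and ties the result to *this* key, unlike
# grepping the human-readable "Good signature" text.
#   $1 = status text, $2 = expected fingerprint
validsig_from() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Verify a detached signature in a temporary keyring holding only KEY_FILE.
#   $1 = signature file (.asc), $2 = signed file
verify_release() {
  tmp_gnupg="$(mktemp -d)" || return 1
  chmod 700 "$tmp_gnupg"
  rc=1
  if gpg --homedir "$tmp_gnupg" --batch --quiet --import "$KEY_FILE"; then
    listing="$(gpg --homedir "$tmp_gnupg" --batch --with-colons --fingerprint 2>/dev/null)"
    # Human-readable output still goes to stderr; the status lines land in $status.
    status="$(gpg --homedir "$tmp_gnupg" --batch --status-fd 1 --verify "$1" "$2")"
    if fingerprint_present "$listing" "$EXPECTED_FPR" \
       && validsig_from "$status" "$EXPECTED_FPR"; then
      rc=0
    fi
  fi
  rm -rf "$tmp_gnupg"
  return "$rc"
}

# Maintainer side: package SRC_DIR, sign with the pinned key, then verify the
# result the same way a user would, so a wrong --local-user fails the build.
sign_release() {
  mkdir -p "$BUILD_DIR"
  rm -f "$BUILD_DIR/specdd.zip" "$BUILD_DIR/specdd.zip.asc"
  (cd "$SRC_DIR" && zip -qr "../$BUILD_DIR/specdd.zip" .) || return 1
  gpg --batch --yes --armor --detach-sign --local-user "$EXPECTED_FPR" \
      --output "$BUILD_DIR/specdd.zip.asc" "$BUILD_DIR/specdd.zip" || return 1
  verify_release "$BUILD_DIR/specdd.zip.asc" "$BUILD_DIR/specdd.zip"
}

# Constructed sample transcripts (not real gpg output) so the parsers can be
# exercised without gpg installed. The pub record's key ID is the last 16 hex
# digits of the pinned fingerprint; the other fields are placeholders.
SAMPLE_LISTING='pub:-:4096:1:1372D38569116BC5:1767225600:::-:::scESC::::::23::0:
fpr:::::::::FD87313256E08C486951F9091372D38569116BC5:'
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG FD87313256E08C486951F9091372D38569116BC5 2026-01-15 1768435200 0 4 0 1 8 00 FD87313256E08C486951F9091372D38569116BC5'

# Usage: sh verify-release.sh specdd.zip.asc specdd.zip
if [ "$#" -eq 2 ]; then
  if verify_release "$1" "$2"; then
    echo "OK: signature made by the pinned SpecDD release key"
  else
    echo "FAILED: signature missing, invalid, or made by a different key" >&2
    exit 1
  fi
fi
```

Run it with the two release files as arguments; it exits non-zero unless both the key file and the VALIDSIG line carry the pinned fingerprint, which is the condition the prose above asks you to check by eye. The "not certified with a trusted signature" warning does not affect the outcome because the script never consults the web of trust: key identity comes from the pinned fingerprint alone.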