How do I verify Matomo release builds using GPG?
Matomo provides GPG signatures to verify that downloaded release files are authentic and have not been modified. Each release file on builds.matomo.org is accompanied by an .asc signature file. For example, matomo.zip has a matching matomo.zip.asc file.
This signature confirms that the file is exactly the one published by Matomo and was not altered by a third party.
Verify a Matomo release on Linux and macOS
Most Linux distributions include GnuPG by default. On macOS, install GnuPG, for example with the recommended GPG Suite.
Import the Matomo signing key for Matomo 4.8.0 and later:
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys F529A27008477483777FC23D63BB30D0E5D2C749
For older Matomo versions before 4.8.0, import the previous signing key:
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237
Download both the release file and its .asc file and verify the signature:
gpg --verify matomo.zip.asc matomo.zip
A successful verification prints a Good signature message; check that the message names the Matomo signing key rather than some other key in your keyring.
Verify a Matomo release on Windows
Install Gpg4win before verifying the signature.
If you installed Gpg4win using the default path, import the Matomo signing key for Matomo 4.8.0 and later:
"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver hkps://keyserver.ubuntu.com --recv-keys F529A27008477483777FC23D63BB30D0E5D2C749
For older Matomo versions before 4.8.0, import the previous signing key:
"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver hkps://keyserver.ubuntu.com --recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237
Download both the release file and its .asc file and verify the signature:
"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify C:\Users\Joe\Desktop\matomo.zip.asc C:\Users\Joe\Desktop\matomo.zip
Verify the key fingerprint (optional)
For Matomo 4.8.0 and later, check the fingerprint:
gpg --fingerprint F529A27008477483777FC23D63BB30D0E5D2C749
Expected fingerprint: F529 A270 0847 7483 777F C23D 63BB 30D0 E5D2 C749
For older Matomo versions before 4.8.0:
gpg --fingerprint 814E346FA01A20DBB04B6807B5DBD5925590A237
Expected fingerprint: 814E 346F A01A 20DB B04B 6807 B5DB D592 5590 A237
After verifying the Matomo release build using GPG, you can continue with installing or updating Matomo using the verified files.
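For scripted use, for example in a Docker build or CI job, the following POSIX sh script is an added example and not Matomo's own tooling: it runs the same gpg --verify as above but reads GnuPG's machine-readable status output and accepts the file only when the VALIDSIG line names the pinned Matomo 4.8.0+ fingerprint, so a "Good signature" from some other imported key is rejected. The script name verify-matomo.sh is an assumption.

```shell
#!/bin/sh
# Added example, not Matomo's own tooling: accept a release only when the
# signature was made by the pinned Matomo signing key, not by whichever key
# happens to be in the keyring. Fingerprint: the Matomo 4.8.0+ key above.
MATOMO_FPR="F529A27008477483777FC23D63BB30D0E5D2C749"

# Read "gpg --status-fd" lines from stdin and return 0 only when a VALIDSIG
# line names the expected fingerprint (as signing key or as its primary key).
# GOODSIG / "Good signature" alone only says that *some* imported key signed.
check_gpg_status() {
    expected="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved>
                #          <pk-algo> <hash-algo> <class> <primary-key-fpr>
                set -- $line
                shift 2
                if [ "$1" = "$expected" ] || [ "${10}" = "$expected" ]; then
                    found=0
                fi
                ;;
        esac
    done
    return "$found"
}

# Run gpg non-interactively with status lines on stdout (human-readable
# messages still go to stderr) and hand the status stream to the checker.
verify_matomo_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" \
        | check_gpg_status "$MATOMO_FPR"
}

# Usage: sh verify-matomo.sh matomo.zip.asc matomo.zip
if [ "$#" -eq 2 ]; then
    if verify_matomo_release "$1" "$2"; then
        echo "OK: $2 is signed by key $MATOMO_FPR"
    else
        echo "FAILED: no valid signature from the Matomo key; do not install" >&2
        exit 1
    fi
fi
```

The exit status is non-zero on a missing key, a bad signature, or a valid signature from an unexpected key, so a CI step using it fails closed.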
Troubleshooting
Why do I see “No public key”?
If you see the message gpg: Can't check signature: No public key, GPG does not have the public key needed to verify the release. To resolve the error, import the Matomo key that matches your version. For Matomo 4.8.0 and later, use:
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys F529A27008477483777FC23D63BB30D0E5D2C749
This often happens in Docker builds, CI pipelines, or new environments where GPG keys are not stored between runs.
Why do I see a warning about trust?
If you see a warning similar to This key is not certified with a trusted signature, GPG verified the signature itself, but your keyring has not assigned trust to the key owner. Confirm the key by comparing its fingerprint with the expected value shown above; the warning by itself does not mean the file is invalid.
If the output includes Good signature, the file matches the signature. If verification fails, do not continue the installation.