We have been cryptographically signing Matomo releases since 2014, so you can verify the signature of the release you downloaded. Up until Matomo 4.8.0 releases were signed with Matthieu Aubry’s personal signature. In Matomo 4.8.0 we made some improvements to our release systems including automating the release builds. As part of these improvements it makes sense to now use a Matomo signature, which means a few changes are required for verifying releases. There is no security issue around the previous key, which can still be used to verify older release builds.
There is a new signature here: builds.matomo.org/signature.asc. You can use this signature according to our updated instructions to verify releases for Matomo version 4.8.0 and newer. You will need to import this signature to verify new releases.
If you want to verify the signature of a release prior to Matomo 4.8.0 you can now find Matthieu’s signature here: builds.matomo.org/signature-pre-4.8.0.asc, and the same instructions apply. If you already imported Matthieu’s signature, you won’t need to do this again.
