Security & Code Signing

Official code signing certificates and GnuPG public keys for verifying Mcaster1 software. All binaries are signed with CA-issued certificates trusted by your operating system. All infrastructure is protected by Mcaster1 BackDraft WAF.

Updated: April 3, 2026  |  2 Code Signing Certificates  |  3 GPG Signing Keys

Code Signing Certificates

All Mcaster1 software is signed with official CA-issued code signing certificates. Windows, macOS, and Linux binaries are cryptographically verified by your operating system automatically.

CA Issued

SSL.com IV Code Signing

Individual Validation (IV)
Subject David St John
Issuer
SSL.com
Algorithm
RSA 4096-bit SHA-256
Platforms
Windows, Linux
Trust Chain
Microsoft Trusted Root Program, SSL.com Root CA
Signs all Windows executables, installers, DLLs, and Linux binaries. Trusted by Microsoft SmartScreen, Windows Defender, and all major antivirus engines.
CA Issued

Apple Developer ID

Developer ID Application
Subject David St John (FCA38UPLY3)
Issuer
Apple Inc.
Algorithm
ECC P-256 SHA-256
Platforms
macOS, iOS
Trust Chain
Apple Root CA, Apple Notary Service
Signs and notarizes all macOS application bundles, disk images, PKG installers, and kernel extensions. Passes Gatekeeper validation without warnings.
Windows

SSL.com IV certificate is trusted by Microsoft SmartScreen and Windows Defender. No warnings, no "Run anyway" prompts. Verified publisher shown in UAC dialogs.

macOS

Apple Developer ID signed and notarized. Passes Gatekeeper validation on first launch. No SIP override or security exceptions required.

Linux

Packages signed with GPG keys (below). Standalone binaries additionally signed with SSL.com IV certificate for cross-platform verification.

Infrastructure Security

All Mcaster1 web infrastructure, download servers, and package repositories are protected by Mcaster1 BackDraft — our in-house Web Application Firewall and real-time log analyzer.

  • Real-time bot fingerprinting and BotProof CAPTCHA challenge
  • GeoIP-based threat analysis per site
  • Secure Lock OTP for admin access
  • Pure C++ single binary — no external dependencies
Learn More About BackDraft

GnuPG / OpenPGP Signing Keys

GPG keys are used to verify Linux packages (.deb, .rpm), release tarballs, and git commits. Click a key badge to download its public key file. Verify fingerprints below before importing.

Verified

Binary Signing

MCaster1 Binary Code Signing
Fingerprint 35CC A6D3 1103 C4EA 354C 0FCC 6C07 628D F4D9 4C20
Key ID
6C07628DF4D94C20
Algorithm
RSA 4096-bit
Created
2026-03-27
Expires
2029-03-26
Download .asc
Verified

Package Signing

MCaster1 LLC Package Signing
Fingerprint 6951 A77C EF64 600E E17F D96A A29A 0946 3F34 D8D5
Key ID
A29A09463F34D8D5
Algorithm
RSA 4096-bit
Created
2026-03-10
Expires
Never
Download .asc
Verified

Git Commits & Tags

MCaster1 Personal Signing
Fingerprint B181 2F0F B142 0EE4 4991 92AF F44A 0722 1542 8C08
Key ID
F44A072215428C08
Algorithm
RSA 4096-bit
Created
2026-03-10
Expires
Never
Download .asc

Import Instructions

GnuPG (Linux / BSD / WSL)

Import Mcaster1 signing keys into your personal GnuPG keyring.

Option 1 — Download and import 
# Download all Mcaster1 signing keys
$ curl -fsSL https://mcaster1.com/security/keys/mcaster1-all-signing-keys.asc | gpg --import

# Verify the import
$ gpg --list-keys "MCaster1"
Option 2 — Import individual keys 
# Binary signing key only
$ curl -fsSL https://mcaster1.com/security/keys/mcaster1-binary-signing.asc | gpg --import

# Package signing key only
$ curl -fsSL https://mcaster1.com/security/keys/mcaster1-package-signing.asc | gpg --import
Option 3 — Fetch from keyserver 
$ gpg --keyserver hkps://keys.openpgp.org --recv-keys 6C07628DF4D94C20 A29A09463F34D8D5
Verify a signed binary 
# Verify binary signature
$ gpg --verify mcaster1-voictune.asc mcaster1-voictune

# Verify checksum file signature
$ gpg --verify checksums-1.8.0-beta.1.sha256.asc checksums-1.8.0-beta.1.sha256
$ sha256sum -c checksums-1.8.0-beta.1.sha256

APT Package Manager (Debian / Ubuntu / Mint)

Add Mcaster1 signing key to apt's trusted keyring for package verification.

Modern method (apt-key deprecated) 
# Download and dearmor the key into apt's trusted keyring
$ curl -fsSL https://mcaster1.com/security/keys/mcaster1-package-signing.asc \
    | sudo gpg --dearmor -o /usr/share/keyrings/mcaster1-archive-keyring.gpg

# Add the Mcaster1 repository (example)
$ echo "deb [signed-by=/usr/share/keyrings/mcaster1-archive-keyring.gpg] \
    https://packages.mcaster1.com/apt stable main" \
    | sudo tee /etc/apt/sources.list.d/mcaster1.list

# Update and install
$ sudo apt update
$ sudo apt install mcaster1-dsp-encoder
The signed-by method is preferred over the deprecated apt-key add command. This scopes the key to only the Mcaster1 repository.
Legacy method (apt-key — not recommended) 
# Legacy — works but deprecated in newer Debian/Ubuntu
$ curl -fsSL https://mcaster1.com/security/keys/mcaster1-package-signing.asc | sudo apt-key add -

DNF / YUM (Fedora / RHEL / Rocky / AlmaLinux / openSUSE)

Add Mcaster1 signing key to RPM's keyring for package verification.

Import into RPM keyring 
# Import the package signing key
$ sudo rpm --import https://mcaster1.com/security/keys/mcaster1-package-signing.asc

# Verify it was imported
$ rpm -qa gpg-pubkey* | xargs rpm -qi | grep -A2 "MCaster1"
Add Mcaster1 repository (example) 
# Create repo file
$ sudo tee /etc/yum.repos.d/mcaster1.repo <<'EOF'
[mcaster1]
name=Mcaster1 Packages
baseurl=https://packages.mcaster1.com/rpm/$basearch
enabled=1
gpgcheck=1
gpgkey=https://mcaster1.com/security/keys/mcaster1-package-signing.asc
EOF

$ sudo dnf install mcaster1-dsp-encoder

macOS (GPG Suite / Homebrew)

Import keys using GPG Suite (GUI) or Homebrew-installed GnuPG.

Homebrew GnuPG (Terminal) 
# Install GnuPG if not present
$ brew install gnupg

# Import all Mcaster1 signing keys
$ curl -fsSL https://mcaster1.com/security/keys/mcaster1-all-signing-keys.asc | gpg --import

# Verify
$ gpg --list-keys "MCaster1"
GPG Suite (GUI) 
# 1. Download: https://mcaster1.com/security/keys/mcaster1-all-signing-keys.asc
# 2. Open GPG Keychain app
# 3. File → Import → select the downloaded .asc file
# 4. Keys appear in your keychain as "David St John (MCaster1...)"
GPG Suite is available free at gpgtools.org. It integrates with macOS Mail and Finder.

Windows (Gpg4win / Kleopatra)

Import keys using Gpg4win's Kleopatra GUI or command-line gpg.

Kleopatra (GUI) 
# 1. Install Gpg4win from https://gpg4win.org
# 2. Download: https://mcaster1.com/security/keys/mcaster1-all-signing-keys.asc
# 3. Open Kleopatra
# 4. Import → select the downloaded .asc file
# 5. Right-click each key → Certify to mark as trusted
Command Line (PowerShell / CMD) 
REM Import from URL (requires curl, included in Windows 10+)
C:\> curl -o mcaster1-keys.asc https://mcaster1.com/security/keys/mcaster1-all-signing-keys.asc
C:\> gpg --import mcaster1-keys.asc

REM Verify binary signature
C:\> gpg --verify mcaster1-encoder.exe.asc mcaster1-encoder.exe
Gpg4win includes Kleopatra (key manager), GnuPG, and GpgOL (Outlook plugin). Download free from gpg4win.org.

Verification Guide

Always verify fingerprints after importing keys. Compare these fingerprints with what gpg --fingerprint shows.

Import the Key

Download the .asc file and import it into your GnuPG keyring using the commands above for your platform.

Verify Fingerprint

Run gpg --fingerprint "MCaster1" and compare the output against the fingerprints shown on this page.

Verify Signatures

Run gpg --verify file.asc file to check that a binary or package was signed by the correct key.

Security Notice: If a fingerprint does not match what is shown here, do not trust the key. Report the discrepancy to security@mcaster1.com.

Key Reference

Purpose Key ID Algorithm Created Expires File
Binary Signing 6C07628DF4D94C20 RSA 4096-bit 2026-03-27 2029-03-26 mcaster1-binary-signing.asc
Package Signing A29A09463F34D8D5 RSA 4096-bit 2026-03-10 Never mcaster1-package-signing.asc
Git Commits & Tags F44A072215428C08 RSA 4096-bit 2026-03-10 Never mcaster1-personal-signing.asc