Set up environment for verifying downloads; install Scripts directory

To set up the environment for verifying downloaded artifacts, you will need the GnuPG toolkit (which may already be installed, see comments in code block, below).

Each tranSMART Foundation release artifact (see ) will be downloaded and verified by the install Script. Once you made the necessary setup (this code block) and downloaded, verified, and installed the Scripts folder (the next code block), then the scripts will be able to download, verify, and install all of the other artifacts. In particular, to set up for verification, you must declare your trust in one or more of the signers of the tranSMART Foundation key; which was used to sign the signature file (called a 'detached signature') of all of the artifacts. We each generated a personal key, and each signed the tranSMART Foundation key with our personal key: Terry Weymouth, Peter Rice, John O'Hara, Keith Nangle.

In this process (the 'Set up for verification' code block, directly below) you will need to declare your trust in the person/personal-key of one or more of the signers of the tranSMART Foundation key, You will use the following information:

51771D6738F7 51E9 9525 32C8 A11D  DA8F EA1D 335C 5177 1D67Personal key: Terry Weymouth
B71F5D78C85D A36B 5E03 4D9C CF5C  E270 743B 28C7 B71F 5D78Personal key: Peter Rice
178A36317DFD 03EA 25CC A22E 99C5  A55B 4EA6 5167 178A 3631Personal key: John O'Hara
159B600CFDEC 9561 10D8 3519 B45A  F570 6268 396B 159B 600C

Personal key: Keith Nangle

ACC5050179CB 8244 E273 7855 274A  55CE A3EE 8EF2 ACC5 0501tranSMART Foundation signing key

The process to declare trust is embodied in the decision to impart trust to these keys. You will be asked to choose one of these options: to trust ultimately, to trust fully, to trust marginally, or not to trust. To fully verify the Foundation's key, you must trust ultimately the tranSMART Foundation signing key (ACC50501), and of the other, supporting keys either trust fully one key or trust marginally at least three keys of the signers. You will use the command gpg --edit-key <key-id> trust to indicate trust; type quit to exit the edit-key option.


Set up for verification


sudo apt-get update
sudo apt-get install -y gnupg
# download the keys needed for the verification process
# download to the GPG 'keyring' the public keys that will be used to verify the integrity
# of the downloaded artifacts, here and when the script is run
gpg --keyserver hkp:// --recv-keys ACC50501 51771D67 B71F5D78 178A3631 159B600C
# use this command to display the fingerprints of the uploaded keys to verify integrety
gpg --fingerprint
# declare your "ultimate" trust in the transmart foundation key
# (type 'quit' to exit the edit-key mode)
gpg --edit-key ACC50501 trust
# declare your "full" trust in one of the other keys
# or your "marginal" trust in at least three of the other keys
# with one or more of the following commands
# (type 'quit' to exit the edit-key mode)
gpg --edit-key 51771D67 trust
gpg --edit-key B71F5D78 trust
gpg --edit-key 178A3631 trust
gpg --edit-key 159B600C trust



To download and verify the Scripts zip file and install the folder, run the following commands in the home directory of the account that you are going to use to run transmart. 


sudo apt-get install -y curl
sudo apt-get install -y unzip
# download and verify the installation script; verification is of the 'detached signature' (the sig file)
curl -o
curl -o
gpg --default-key ACC50501 --verify
# You will see output similar to this
# gpg: Signature made Wed 25 May 2016 01:42:16 PM EDT using RSA key ID ACC50501
# gpg: checking the trustdb
# gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
# gpg: depth: 0  valid:   1  signed:   4  trust: 0-, 0q, 0n, 0m, 0f, 1u
# gpg: depth: 1  valid:   4  signed:   0  trust: 1-, 0q, 0n, 0m, 3f, 0u
# gpg: next trustdb check due at 2019-11-30
# gpg: Good signature from "tranSMART Foundation <>"
# unzip and rename the Scripts folder
mv Scripts-release-16.1 Scripts

  • No labels