Validate software

To help protect IT infrastructures, you can validate software packages that you download to ensure that they are free of tampering. You can also validate digital signatures that are applied to software packages.

Validate download integrity

Software validation involves the provision of a separate file that helps to confirm that the downloaded file matches the file on the download portal. Typically, a cryptographic hash function such as SHA-512 is used.

For P4 Code Review, follow the instructions to verify download integrity:

  • Validate operating system packages. P4 Code Review packages distributed via official Perforce repositories are cryptographically signed. For example, on Ubuntu:

    apt-get update
    apt-get install helix-swarm

    These packages can be verified using the Perforce public GPG key (for example, stored in /usr/share/keyrings/perforce.gpg). Ensure that the correct Perforce public key is imported and trusted before installation.

  • Validate tarball or binary downloads. If you download P4 Code Review tarballs or stand-alone binaries from the Perforce site or FTP portal, verify the downloads by using the accompanying .sha512 checksum (or .sig where provided):

    sha512sum -c swarm-<version>.tar.gz.sha512

  • Validate container images. P4 Code Review container images on Docker Hub include immutable SHA-256 digests. Always pull the images based on a digest to ensure authenticity:

    docker pull perforce/helix-swarm@sha256:<digest>

Validate digital signatures

Digitally signing software involves the use of cryptographic keys, where the private key is used to sign the software package, and the public key is used to validate the signature. The process helps to ensure that the software was not altered since it was signed and comes from a trusted source.

P4 Code Review packages distributed through Perforce package repositories are digitally signed. You can verify Linux packages (.deb and .rpm) by importing the Perforce public GPG key into your package manager.

If you download P4 Code Review as a tarball or binary file, digital signatures or checksums (such as SHA-256) might be provided alongside the file. The signatures or checksums can be used to verify the integrity and authenticity of the downloaded file using standard tools such as gpg or sha256sum.
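The tarball check described here and under Validate download integrity, as an added example that is not Perforce's own tooling: a shell function that fails closed when the .sha512 file is missing or does not list the downloaded file, then checks a .sig with gpgv if one is present. It assumes the .sig is a detached OpenPGP signature and that the keyring sits at the example path given earlier; the PERFORCE_KEYRING variable is a hypothetical override.

```shell
#!/bin/sh
# Added example: verify <file> against <file>.sha512 and, if present, <file>.sig.
# Returns 0 = verified, 1 = verification failed, 2 = required input missing.
# Usage: verify_download swarm-<version>.tar.gz
verify_download() {
    file=$1
    name=$(basename -- "$file")
    # Example keyring path from the page; PERFORCE_KEYRING is a hypothetical override.
    keyring=${PERFORCE_KEYRING:-/usr/share/keyrings/perforce.gpg}

    [ -f "$file" ] || { echo "missing download: $file" >&2; return 2; }
    # Fail closed: without a checksum file the download stays unverified.
    [ -f "$file.sha512" ] || { echo "no checksum file for $name" >&2; return 2; }

    # Take the digest listed for this exact file name (or a bare digest line),
    # so an entry for some other file cannot satisfy the check.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
        NF == 1 || f == n { print tolower($1); exit }' "$file.sha512")
    printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{128}$' || {
        echo "no valid SHA-512 entry for $name" >&2; return 1; }

    actual=$(sha512sum < "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "checksum mismatch: $name" >&2; return 1; }

    # Assumption: .sig is a detached OpenPGP signature over the download.
    if [ -f "$file.sig" ]; then
        gpgv --keyring "$keyring" "$file.sig" "$file" 2>/dev/null || {
            echo "bad or untrusted signature: $name" >&2; return 1; }
    fi
    echo "verified: $name"
}
```

A matching checksum shows only that the file is the one the checksum file describes; the signature check is what ties the download to the Perforce key.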

You can verify P4 Code Review container images (for example, perforce/helix-swarm) available on Docker Hub by using the image’s SHA-256 digest to ensure that the pulled image matches the published version.

For questions about validating P4 Code Review software packages or images, contact Support by logging in to the Perforce Customer Support Portal.