User guide

Verify your download

Every Eliya release ships with SHA256SUMS.txt (checksums) and SHA256SUMS.txt.asc (detached GPG signature). Verify both — don't run a JDK whose integrity you haven't confirmed.

One-command verification

sha256sum -c SHA256SUMS.txt && gpg --verify SHA256SUMS.txt.asc Copy

Both commands must succeed. If either fails, do not use the archive — re-download and verify again; if it still fails, report it to security@asymm.systems.

First-time setup: import the Asymm key

The first time you verify an Eliya release, import the Asymm Systems signing key:

curl -sSL https://jdk.asymm.systems/eliya-signing-key.asc | gpg --import Copy

Then confirm the fingerprint matches the one published below and on the security page:

gpg --fingerprint fahim@asymm.systems Copy

Key fingerprint

The canonical fingerprint will be published here and on the security page once the first Eliya release is signed. Do not trust an imported key whose fingerprint doesn't match the published value.

(published with first Eliya release)

Why two-step verification?

SHA256 proves the archive wasn't corrupted in transit. GPG signature proves Asymm Systems signed this exact SHA256SUMS file — which means an attacker who replaced both the archive and the checksum file on a mirror still can't forge the signature without the signing key.

SHA256 alone is not enough. Always run the GPG step.

← user guide
[ } Eliya Eliya Dial Dial
Research Eliya JDK Registry About Contact © 2026 Asymm
[ }
[ }
// PRODUCTS Eliya Eliya Dial Dial
Ecosystem Registry Research About Contact
Privacy Policy © 2026 Asymm Systems