Tarsnap - Online backups for the truly paranoid

System preparation

Necessary software

Before you can compile Tarsnap, you need certain programs and libraries:

  • A C compiler (gcc or clang), make, system header files
  • OpenSSL (including header files)
  • zlib (including header files)
  • Linux only: the ext2fs/ext2_fs.h header
    • (which is NOT the same as the linux/ext2_fs.h header file)

On many UNIX systems all the necessary packages will already be present. We provide a few sample commands for installing the required software on systems which do not include them by default:

  • Debian, Ubuntu, and related Linux distributions:
    sudo apt-get install gcc libc6-dev make libssl-dev zlib1g-dev e2fslibs-dev
  • RedHat, CentOS, SuSE, Amazon Linux, and related Linux distributions:
    sudo yum install gcc make glibc-devel openssl-devel zlib-devel e2fsprogs-devel
  • Alpine Linux:
    sudo apk add gcc libc-dev make openssl openssl-dev zlib-dev e2fsprogs-dev
  • macOS: in addition to the normal build toolchain (probably installed via Xcode), you need the OpenSSL development library. This could be installed manually, or via a package manager:

Download verification

We recommend that everybody verify any downloaded tarballs with GnuPG.

  • Download the Tarsnap 2024 code signing GPG key.
  • Optionally, verify the key:
    gpg --list-packets tarsnap-signing-key-2024.asc | grep signature
    :signature packet: algo 1, keyid 1EF1354792C56BEA
    :signature packet: algo 17, keyid 38CECA690C6A6A6E
    The first keyid is the Tarsnap source code signing key, while the second is Colin Percival's key (0x38CECA690C6A6A6E). These keyid values should match those on a public key server search for 0x1EF1354792C56BEA.
  • Import the key. Older versions are signed with older keys.
    gpg --import tarsnap-signing-key-2024.asc
    Problem? signatures using the SHA1 algorithm are rejected

    If your version of gpg is 2.2.18 or later, you may see the warning:

    gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
    gpg: key 1EF1354792C56BEA: 1 bad signature

    This arises because Colin Percival's personal key 0x38CECA690C6A6A6E was created in 2009 and uses SHA-1. He is creating a new one, but the old key has been signed by many people (see the public key server search for 0x38ceca690c6a6a6e) so it will take some time until his new key has sufficient endorsements in the "web of trust".

    The code signing key itself uses SHA-256; you can check this with:

    gpg --list-packets tarsnap-signing-key-2024.asc | grep -B2 "digest algo"
    :signature packet: algo 1, keyid 1EF1354792C56BEA
    	version 4, created 1696201856, md5len 0, sigclass 0x13
    	digest algo 8, begin of digest d9 d4
    --
    :signature packet: algo 17, keyid 38CECA690C6A6A6E
    	version 4, created 1696202196, md5len 0, sigclass 0x10
    	digest algo 2, begin of digest 71 9b

    The digest algo 8 for keyid 1EF1354792C56BEA indicates SHA-256, as specified in RFC 4880.
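
The digest check above can be scripted. The following is an added example, not part of the Tarsnap documentation or code: it reads `gpg --list-packets` output, maps each signature packet's digest algorithm ID to its RFC 4880 name, and flags MD5 and SHA-1. The function names are hypothetical, and the embedded sample is the output shown above.

```shell
#!/bin/sh
# Added example (not Tarsnap's own tooling); function names are hypothetical.

# Read `gpg --list-packets` output on stdin and print one line per
# signature packet: "<keyid> <digest name> <ok|weak>".
digest_report() {
    awk '
    BEGIN {
        # Hash algorithm IDs from RFC 4880, section 9.4
        name[1] = "MD5";     name[2] = "SHA-1";   name[3] = "RIPEMD-160"
        name[8] = "SHA-256"; name[9] = "SHA-384"; name[10] = "SHA-512"
        name[11] = "SHA-224"
        weak[1] = 1; weak[2] = 1
    }
    /^:signature packet:/ { keyid = $NF }      # keyid is the last field
    /digest algo/ && keyid != "" {
        id = $3; sub(/,/, "", id)              # "8," -> "8"
        n = (id in name) ? name[id] : "unknown(" id ")"
        print keyid, n, ((id in weak) ? "weak" : "ok")
        keyid = ""
    }'
}

# Succeed only if keyid $1 made at least one signature in the input and
# every signature it made uses a digest that is not flagged weak.
key_digest_ok() {
    digest_report | awk -v k="$1" '
        $1 == k { seen = 1; if ($3 != "ok") bad = 1 }
        END { exit !(seen && !bad) }'
}

# Sample input: the gpg --list-packets output shown on this page.
SAMPLE=':signature packet: algo 1, keyid 1EF1354792C56BEA
    version 4, created 1696201856, md5len 0, sigclass 0x13
    digest algo 8, begin of digest d9 d4
--
:signature packet: algo 17, keyid 38CECA690C6A6A6E
    version 4, created 1696202196, md5len 0, sigclass 0x10
    digest algo 2, begin of digest 71 9b'

printf '%s\n' "$SAMPLE" | digest_report
```

On a real key file, pipe `gpg --list-packets tarsnap-signing-key-2024.asc` into `digest_report` in place of the sample.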

Installing or upgrading Tarsnap from source

These instructions are valid for installing or upgrading; upgrading simply overwrites the previous Tarsnap files.

1. Download the source tarball and signature

2. Verify the files

  • Verify the GPG signature on the SHA256 hash file using:
    gpg --decrypt tarsnap-sigs-1.0.40.asc
    Problem? This key is not certified with a trusted signature

    If your version of gpg is 2.2.18 or later, you may see the warning:

    gpg: Good signature from "Tarsnap source code signing key (Tarsnap Backup Inc.) <cperciva@tarsnap.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 06DC C628 8BD0 7A21 5DF8  7ACA 1EF1 3547 92C5 6BEA

    This arises because Colin Percival's personal key 0x38CECA690C6A6A6E was created in 2009 and uses SHA-1. He is creating a new one, but the old key has been signed by many people (see the public key server search for 0x38ceca690c6a6a6e) so it will take some time until his new key has sufficient endorsements in the "web of trust".

  • Verify that the SHA256 hash of the tarball matches the value in the signed SHA256 hash file.
    • Linux and macOS:
      shasum -a 256 tarsnap-autoconf-1.0.40.tgz
    • FreeBSD:
      sha256 tarsnap-autoconf-1.0.40.tgz
    In either case, the displayed hash should match the one you saw in the gpg --decrypt command.
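
The two checks in this step can be combined so that the hash comparison is done by the machine rather than by eye. This is an added example, not Tarsnap's own tooling: the function names are hypothetical, and it assumes the signed file lists hashes in the BSD layout `SHA256 (filename) = hex` and that the signing key has already been imported.

```shell
#!/bin/sh
# Added example (not Tarsnap's own tooling); function names are hypothetical.

# Print the SHA-256 of file $1 using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"                      # FreeBSD
    fi
}

# Read the signed hash list on stdin and print the hash recorded for the
# file named $1. Assumed layout: "SHA256 (name) = hex". Prints nothing if
# the file is not listed.
signed_hash_for() {
    awk -v f="$1" \
        '$1 == "SHA256" && $2 == ("(" f ")") && $3 == "=" { print $4 }'
}

# check_hash PAYLOAD TARBALL: 0 if TARBALL's hash equals the one PAYLOAD
# records for it, 3 if PAYLOAD has no entry for it, 1 on a mismatch.
check_hash() {
    want=$(printf '%s\n' "$1" | signed_hash_for "$(basename "$2")")
    [ -n "$want" ] || return 3
    [ "$want" = "$(sha256_of "$2")" ]
}

# verify_tarball SIGFILE TARBALL: succeed only if gpg accepts the
# signature AND the tarball's hash matches the signed value.
verify_tarball() {
    # Capture the payload first: gpg's non-zero exit on a bad or
    # uncheckable signature would be lost inside a pipeline.
    payload=$(gpg --decrypt "$1" 2>/dev/null) || return 2
    check_hash "$payload" "$2"
}

# Usage: sh verify.sh tarsnap-sigs-1.0.40.asc tarsnap-autoconf-1.0.40.tgz
if [ $# -eq 2 ]; then
    verify_tarball "$1" "$2" || exit $?
fi
```

An exit status of 2 means gpg did not accept the signature, 3 means the signed file has no entry for the tarball, and 1 means the hashes differ.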

3. Compile the software

  • Extract the file and change into that directory.
    tar -xzf tarsnap-autoconf-1.0.40.tgz
    cd tarsnap-autoconf-1.0.40/
  • Configure Tarsnap for your system.
    ./configure
  • Compile Tarsnap.
    make all
  • Install (or upgrade) Tarsnap.
    On most systems (Linux, macOS, etc.)
    sudo make install
    Other systems (without sudo)
    su
    make install
    exit

After installing

If you are installing for the first time, we suggest that you proceed to Getting started with Tarsnap. If you are upgrading to a new version of Tarsnap, then no further action is required.