System preparation
Necessary software
Before you can compile Tarsnap, you need certain programs and libraries:
- A C compiler (gcc or clang), make, system header files
- OpenSSL (including header files)
- zlib (including header files)
-
Linux only: the
ext2fs/ext2_fs.h
header-
(which is NOT the same as the
linux/ext2_fs.h
header file)
-
(which is NOT the same as the
On many UNIX systems all the necessary packages will already be present. We provide a few sample commands for installing the required software on systems which do not include them by default:
-
Debian, Ubuntu, and related Linux distributions:
sudo apt-get install gcc libc6-dev make libssl-dev zlib1g-dev e2fslibs-dev
-
RedHat, CentOS, SuSE, Amazon Linux, and related Linux distributions:
sudo yum install gcc make glibc-devel openssl-devel zlib-devel e2fsprogs-devel
-
Alpine Linux:
sudo apk add gcc libc-dev make openssl openssl-dev zlib-dev e2fsprogs-dev
- macOS: in addition to the normal build toolchain (probably installed via XCode), you need the OpenSSL development library. This could be installed manually, or via a package manager:
Download verification
We recommend that everybody verify any downloaded tarballs with GnuPG.
- Download the Tarsnap 2025 code signing GPG key.
-
Optionally, verify the key:
gpg --list-packets tarsnap-signing-key-2025.asc | grep signature :signature packet: algo 1, keyid D82E72039DF54C96 :signature packet: algo 17, keyid 38CECA690C6A6A6E :signature packet: algo 1, keyid 3897F2E22E65AD3F
The first keyid is the Tarsnap source code signing key, while the second and third are Colin Percival's keys (2009:0x38CECA690C6A6A6E
, 2023:0x3897F2E22E65AD3F
). These keyid values should match those on a public key server search for 0xD82E72039DF54C96. -
Import the key. Older versions are signed with
older keys.
gpg --import tarsnap-signing-key-2025.asc
Problem? signatures using the SHA1 algorithm are rejected
If your version of
gpg
is 2.2.18 or later, you may see the warning:gpg: Note: third-party key signatures using the SHA1 algorithm are rejected gpg: key D82E72039DF54C96: 1 bad signature
This arises because Colin Percival's 2009 personal key (0x38CECA690C6A6A6E used SHA-1. His 2023 personal key (0x3897F2E22E65AD3F does not suffer from that problem, but since his old key has been signed by so many people, he used both to sign the 2025 tarsnap key.
The code signing key itself uses SHA-256; you can check this with:
gpg --list-packets tarsnap-signing-key-2025.asc | grep -B2 "digest algo" :signature packet: algo 1, keyid D82E72039DF54C96 version 4, created 1729712751, md5len 0, sigclass 0x13 digest algo 8, begin of digest d1 68 -- :signature packet: algo 17, keyid 38CECA690C6A6A6E version 4, created 1729713563, md5len 0, sigclass 0x10 digest algo 2, begin of digest fb 85 -- :signature packet: algo 1, keyid 3897F2E22E65AD3F version 4, created 1729713570, md5len 0, sigclass 0x10 digest algo 8, begin of digest 9b dd
The
digest algo 8
for keyid D82E72039DF54C96 and 3897F2E22E65AD3F indicates SHA-256, as specified in RFC 4880.
Installing or upgrading Tarsnap from source
These instructions are valid for installing or upgrading; upgrading simply overwrites the previous Tarsnap files.
1. Download the source tarball and signature
- If you have not done so already, download the source tarball and signed SHA256 hash file from the Tarsnap source download page.
2. Verify the files
-
Verify the GPG signature on the SHA256 hash file using:
gpg --decrypt tarsnap-sigs-1.0.40.asc
Problem? This key is not certified with a trusted signature
If your version of
gpg
is 2.2.18 or later, you may see the warning:gpg: Good signature from "Tarsnap source code signing key (Tarsnap Backup Inc.) <cperciva@tarsnap.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 6D6F 81DD 4C04 42A2 F292 FFCC D82E 7203 9DF5 4C96
This arises because Colin Percival's 2009 personal key ( 0x38CECA690C6A6A6E used SHA-1. His 2023 personal key ( 0x3897F2E22E65AD3F does not suffer from that problem, but since his old key has been signed by so many people, he used both to sign the 2025 tarsnap key.
The code signing key itself uses SHA-256; you can check this with:
gpg --list-packets tarsnap-signing-key-2025.asc | grep -B2 "digest algo" :signature packet: algo 1, keyid D82E72039DF54C96 version 4, created 1729712751, md5len 0, sigclass 0x13 digest algo 8, begin of digest d1 68 -- :signature packet: algo 17, keyid 38CECA690C6A6A6E version 4, created 1729713563, md5len 0, sigclass 0x10 digest algo 2, begin of digest fb 85 -- :signature packet: algo 1, keyid 3897F2E22E65AD3F version 4, created 1729713570, md5len 0, sigclass 0x10 digest algo 8, begin of digest 9b dd
The
digest algo 8
for keyid D82E72039DF54C96 and 3897F2E22E65AD3F indicates SHA-256, as specified in RFC 4880. -
Verify that the SHA256 hash of the tarball matches the value in
the signed SHA256 hash file.
-
Linux and macOS:
shasum -a 256 tarsnap-autoconf-1.0.40.tgz
-
FreeBSD:
sha256 tarsnap-autoconf-1.0.40.tgz
gpg --decrypt
command. -
Linux and macOS:
3. Compile the software
-
Extract the file and change into that directory.
tar -xzf tarsnap-autoconf-1.0.40.tgz
cd tarsnap-autoconf-1.0.40/
-
Configure Tarsnap for your system.
./configure
-
Compile Tarsnap.
make all
-
Install (or upgrade) Tarsnap.
After installing
If you are installing for the first time, we suggest that you proceed to Getting started with Tarsnap. If you are upgrading to a new version of Tarsnap, then no further action is required.