Necessary software

Before you can compile Tarsnap, you need certain programs and libraries:

• A C compiler (gcc or clang), make, system header files
• OpenSSL (including header files)
• zlib (including header files)
• Linux only: the ext2fs/ext2_fs.h header
  • (which is NOT the same as the linux/ext2_fs.h header file)

On many UNIX systems all the necessary packages will already be present. We provide a few sample commands for installing the required software on systems which do not include them by default:

• Debian, Ubuntu, and related Linux distributions:

  sudo apt-get install gcc libc6-dev make libssl-dev zlib1g-dev e2fslibs-dev

• RedHat, CentOS, SuSE, Amazon Linux, and related Linux distributions:

  sudo yum install gcc make glibc-devel openssl-devel zlib-devel e2fsprogs-devel

• Alpine Linux:

  sudo apk add gcc libc-dev make openssl openssl-dev zlib-dev e2fsprogs-dev

• macOS: in addition to the normal build toolchain (probably installed via XCode), you need the OpenSSL development library. This could be installed manually, or via a package manager:
  • Homebrew:

    brew install openssl

  • MacPorts:

    sudo port install openssl

Download verification

We recommend that everybody verify any downloaded tarballs with GnuPG.

• Download the Tarsnap 2025 code signing GPG key.
• Optionally, verify the key:

  gpg --list-packets tarsnap-signing-key-2025.asc | grep signature
  :signature packet: algo 1, keyid D82E72039DF54C96
  :signature packet: algo 17, keyid 38CECA690C6A6A6E
  :signature packet: algo 1, keyid 3897F2E22E65AD3F

  The first keyid is the Tarsnap source code signing key, while the second and third are Colin Percival's keys (2009: 0x38CECA690C6A6A6E, 2023: 0x3897F2E22E65AD3F). These keyid values should match those on a public key server search for 0xD82E72039DF54C96.
• Import the key. Older versions are signed with older keys.

  gpg --import tarsnap-signing-key-2025.asc

  Problem? signatures using the SHA1 algorithm are rejected

  If your version of gpg is 2.2.18 or later, you may see the warning:

  gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
  gpg: key D82E72039DF54C96: 1 bad signature

  This arises because Colin Percival's 2009 personal key (0x38CECA690C6A6A6E used SHA-1. His 2023 personal key (0x3897F2E22E65AD3F does not suffer from that problem, but since his old key has been signed by so many people, he used both to sign the 2025 tarsnap key.

  The code signing key itself uses SHA-256; you can check this with:

  gpg --list-packets tarsnap-signing-key-2025.asc | grep -B2 "digest algo"
  :signature packet: algo 1, keyid D82E72039DF54C96
  	version 4, created 1729712751, md5len 0, sigclass 0x13
  	digest algo 8, begin of digest d1 68
  --
  :signature packet: algo 17, keyid 38CECA690C6A6A6E
  	version 4, created 1729713563, md5len 0, sigclass 0x10
  	digest algo 2, begin of digest fb 85
  --
  :signature packet: algo 1, keyid 3897F2E22E65AD3F
  	version 4, created 1729713570, md5len 0, sigclass 0x10
  	digest algo 8, begin of digest 9b dd

  The digest algo 8 for keyid D82E72039DF54C96 and 3897F2E22E65AD3F indicates SHA-256, as specified in RFC 4880.

These instructions are valid for installing or upgrading; upgrading simply overwrites the previous Tarsnap files.

1. Download the source tarball and signature

• If you have not done so already, download the source tarball and signed SHA256 hash file from the Tarsnap source download page.

2. Verify the files

• Verify the GPG signature on the SHA256 hash file using:

  gpg --decrypt tarsnap-sigs-1.0.40.asc

  Problem? This key is not certified with a trusted signature

  If your version of gpg is 2.2.18 or later, you may see the warning:

  gpg: Good signature from "Tarsnap source code signing key (Tarsnap Backup Inc.) <cperciva@tarsnap.com>" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 6D6F 81DD 4C04 42A2 F292  FFCC D82E 7203 9DF5 4C96

  This arises because Colin Percival's 2009 personal key ( 0x38CECA690C6A6A6E used SHA-1. His 2023 personal key ( 0x3897F2E22E65AD3F does not suffer from that problem, but since his old key has been signed by so many people, he used both to sign the 2025 tarsnap key.

  The code signing key itself uses SHA-256; you can check this with:

  gpg --list-packets tarsnap-signing-key-2025.asc | grep -B2 "digest algo"
  :signature packet: algo 1, keyid D82E72039DF54C96
  	version 4, created 1729712751, md5len 0, sigclass 0x13
  	digest algo 8, begin of digest d1 68
  --
  :signature packet: algo 17, keyid 38CECA690C6A6A6E
  	version 4, created 1729713563, md5len 0, sigclass 0x10
  	digest algo 2, begin of digest fb 85
  --
  :signature packet: algo 1, keyid 3897F2E22E65AD3F
  	version 4, created 1729713570, md5len 0, sigclass 0x10
  	digest algo 8, begin of digest 9b dd

  The digest algo 8 for keyid D82E72039DF54C96 and 3897F2E22E65AD3F indicates SHA-256, as specified in RFC 4880.

• Verify that the SHA256 hash of the tarball matches the value in the signed SHA256 hash file.
  • Linux and macOS:

    shasum -a 256 tarsnap-autoconf-1.0.40.tgz

  • FreeBSD:

    sha256 tarsnap-autoconf-1.0.40.tgz

  In either case, the displayed hash should match the one you saw in the gpg --decrypt command.

3. Compile the software

• Extract the file and change into that directory.

  tar -xzf tarsnap-autoconf-1.0.40.tgz

  cd tarsnap-autoconf-1.0.40/

• Configure Tarsnap for your system.

  ./configure

• Compile Tarsnap.

  make all

• Install (or upgrade) Tarsnap.

  On most systems (Linux, macOS, etc.)

  sudo make install

  Other systems (without sudo)

  su

  make install

  exit

If you are installing for the first time, we suggest that you proceed to Getting started with Tarsnap. If you are upgrading to a new version of Tarsnap, then no further action is required.