Tarsnap - Online backups for the truly paranoid

Navigation menu

System preparation

Necessary software

Before you can compile Tarsnap, you need certain programs and libraries:

  • A C compiler (gcc or clang), make, system header files
  • OpenSSL (including header files)
  • zlib (including header files)
  • Linux only: the ext2fs/ext2_fs.h header
    • (which is NOT the same as the linux/ext2_fs.h header file)

On many UNIX systems all the necessary packages will already be present. We provide a few sample commands for installing the required software on systems which do not include them by default:

  • Debian, Ubuntu, and related Linux distributions:
    sudo apt-get install gcc libc6-dev make libssl-dev zlib1g-dev e2fslibs-dev
  • RedHat, CentOS, SuSE, Amazon Linux, and related Linux distributions:
    sudo yum install gcc make glibc-devel openssl-devel zlib-devel e2fsprogs-devel
  • Alpine Linux:
    sudo apk add gcc libc-dev make openssl openssl-dev zlib-dev e2fsprogs-dev
  • macOS: in addition to the normal build toolchain (probably installed via XCode), you need the OpenSSL development library. This could be installed manually, or via a package manager:

Download verification

We recommend that everybody verify any downloaded tarballs with GnuPG.

  • Download the Tarsnap 2025 code signing GPG key.
  • Optionally, verify the key:
    gpg --list-packets tarsnap-signing-key-2025.asc | grep signature
    :signature packet: algo 1, keyid D82E72039DF54C96
    :signature packet: algo 17, keyid 38CECA690C6A6A6E
    :signature packet: algo 1, keyid 3897F2E22E65AD3F
    The first keyid is the Tarsnap source code signing key, while the second and third are Colin Percival's keys (2009: 0x38CECA690C6A6A6E, 2023: 0x3897F2E22E65AD3F). These keyid values should match those on a public key server search for 0xD82E72039DF54C96.
  • Import the key. Older versions are signed with older keys.
    gpg --import tarsnap-signing-key-2025.asc
    Problem? signatures using the SHA1 algorithm are rejected

    If your version of gpg is 2.2.18 or later, you may see the warning:

    gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
    gpg: key D82E72039DF54C96: 1 bad signature

    This arises because Colin Percival's 2009 personal key (0x38CECA690C6A6A6E used SHA-1. His 2023 personal key (0x3897F2E22E65AD3F does not suffer from that problem, but since his old key has been signed by so many people, he used both to sign the 2025 tarsnap key.

    The code signing key itself uses SHA-256; you can check this with:

    gpg --list-packets tarsnap-signing-key-2025.asc | grep -B2 "digest algo"
    :signature packet: algo 1, keyid D82E72039DF54C96
    	version 4, created 1729712751, md5len 0, sigclass 0x13
    	digest algo 8, begin of digest d1 68
    --
    :signature packet: algo 17, keyid 38CECA690C6A6A6E
    	version 4, created 1729713563, md5len 0, sigclass 0x10
    	digest algo 2, begin of digest fb 85
    --
    :signature packet: algo 1, keyid 3897F2E22E65AD3F
    	version 4, created 1729713570, md5len 0, sigclass 0x10
    	digest algo 8, begin of digest 9b dd

    The digest algo 8 for keyid D82E72039DF54C96 and 3897F2E22E65AD3F indicates SHA-256, as specified in RFC 4880.

Installing or upgrading Tarsnap from source

These instructions are valid for installing or upgrading; upgrading simply overwrites the previous Tarsnap files.

1. Download the source tarball and signature

2. Verify the files

  • Verify the GPG signature on the SHA256 hash file using:
    gpg --decrypt tarsnap-sigs-1.0.40.asc
    Problem? This key is not certified with a trusted signature

    If your version of gpg is 2.2.18 or later, you may see the warning:

    gpg: Good signature from "Tarsnap source code signing key (Tarsnap Backup Inc.) <cperciva@tarsnap.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 6D6F 81DD 4C04 42A2 F292  FFCC D82E 7203 9DF5 4C96

    This arises because Colin Percival's 2009 personal key ( 0x38CECA690C6A6A6E used SHA-1. His 2023 personal key ( 0x3897F2E22E65AD3F does not suffer from that problem, but since his old key has been signed by so many people, he used both to sign the 2025 tarsnap key.

    The code signing key itself uses SHA-256; you can check this with:

    gpg --list-packets tarsnap-signing-key-2025.asc | grep -B2 "digest algo"
    :signature packet: algo 1, keyid D82E72039DF54C96
    	version 4, created 1729712751, md5len 0, sigclass 0x13
    	digest algo 8, begin of digest d1 68
    --
    :signature packet: algo 17, keyid 38CECA690C6A6A6E
    	version 4, created 1729713563, md5len 0, sigclass 0x10
    	digest algo 2, begin of digest fb 85
    --
    :signature packet: algo 1, keyid 3897F2E22E65AD3F
    	version 4, created 1729713570, md5len 0, sigclass 0x10
    	digest algo 8, begin of digest 9b dd

    The digest algo 8 for keyid D82E72039DF54C96 and 3897F2E22E65AD3F indicates SHA-256, as specified in RFC 4880.

  • Verify that the SHA256 hash of the tarball matches the value in the signed SHA256 hash file.
    • Linux and macOS:
      shasum -a 256 tarsnap-autoconf-1.0.40.tgz
    • FreeBSD:
      sha256 tarsnap-autoconf-1.0.40.tgz
    In either case, the displayed hash should match the one you saw in the gpg --decrypt command.

3. Compile the software

  • Extract the file and change into that directory.
    tar -xzf tarsnap-autoconf-1.0.40.tgz
    cd tarsnap-autoconf-1.0.40/
  • Configure Tarsnap for your system.
    ./configure
  • Compile Tarsnap.
    make all
  • Install (or upgrade) Tarsnap.
    On most systems (Linux, macOS, etc.)
    sudo make install
    Other systems (without sudo)
    su
    make install
    exit

After installing

If you are installing for the first time, we suggest that you proceed to Getting started with Tarsnap. If you are upgrading to a new version of Tarsnap, then no further action is required.