All releases are signed using Romain Vimont's GPG key (raw):
$ curl -s https://blog.rom1v.com/keys/rom1v.asc | gpg --show-keys --with-fingerprint --with-subkey-fingerprints
pub rsa4096 2021-03-15 [C]
4569 58E8 5A18 5DD5 C2D1 E4E8 0C82 2B29 8461 FA03
uid Romain Vimont <rom@rom1v.com>
sub rsa4096 2021-03-15 [S] [expires: 2030-05-14]
E39E 2DE6 A55F 5AA6 D8EF B79A CA01 F46F 1868 3B3D
sub rsa4096 2021-03-15 [E] [expires: 2030-05-14]
2C86 255E 6D65 241D 8248 F1B3 F212 10AE 292B 63D1
sub rsa4096 2021-03-15 [A] [expires: 2030-05-14]
1782 0F23 CB1D 1921 5572 6FAD 0F0B 58E1 3784 09AA# import the key
curl -s https://blog.rom1v.com/keys/rom1v.asc | gpg --import
# alternatively, the key can be retrieved from a key server
gpg --keyserver hkps://keys.openpgp.org --recv-keys 456958E85A185DD5C2D1E4E80C822B298461FA03
# verify the key fingerprint
gpg --fingerprint 456958E85A185DD5C2D1E4E80C822B298461FA03For each release, two additional files are published:
SHA256SUMS.txt: the SHA-256 checksumsSHA256SUMS.txt.asc: the signature of the checksums
To verify a release, two steps are required.
First, verify the signature of the checksums:
# SHA256SUMS.txt must be in the same directory
gpg --verify SHA256SUMS.txt.ascFor example:
$ gpg --verify SHA256SUMS.txt.asc
gpg: assuming signed data in 'SHA256SUMS.txt'
gpg: Signature made Wed Dec 17 20:16:30 2025 CET
gpg: using RSA key E39E2DE6A55F5AA6D8EFB79ACA01F46F18683B3D
gpg: Good signature from "Romain Vimont <rom@rom1v.com>" [ultimate]Then verify the release checksums:
# the release files must be in the same directory
shasum -a 256 -c SHA256SUMS.txtFor example:
$ shasum -a 256 -c SHA256SUMS.txt
scrcpy-server-v3.3.4: OK
scrcpy-linux-x86_64-v3.3.4.tar.gz: OK
scrcpy-win32-v3.3.4.zip: OK
scrcpy-win64-v3.3.4.zip: OK
scrcpy-macos-aarch64-v3.3.4.tar.gz: OK
scrcpy-macos-x86_64-v3.3.4.tar.gz: OK