Validate software

To help protect IT infrastructures, you can validate software packages that you download to ensure that they are free of tampering. You can also validate digital signatures that are applied to software packages.

Validate download integrity

Software validation involves the provision of a separate file that helps to confirm that the downloaded file matches the file on the download portal. Typically, a cryptographic protocol such as SHA-512 is used.

• For the JRebel stand-alone compressed file, you can find version-specific SHA1 checksums at: https://dl.zeroturnaround.com/jrebel/jrebel-2025.3.0-nosetup.zip.sha1

• For the on-premises license server, you can find version-specific SHA1 checksums at: https://dl.zeroturnaround.com/license-server/license-server-4.0.0.zip.sha1

• For the XRebel stand-alone compressed file, you can find version-specific SHA1 checksums at: https://dl.zeroturnaround.com/xrebel/xrebel-2025.2.1.zip.sha1

When possible, install IDE plugins through IDE-specific channels. For example, if you are using JetBrains, start by going to the JetBrains Marketplace.

Validate digital signatures

Digitally signing software involves the use of cryptographic keys, where the private key is used to sign the software package, and the public key is used to validate the signature. The process helps to ensure that the software was not altered since it was signed and comes from a trusted source.

The following JRebel software packages are digitally signed:

• JRebel Agent

  • For the JVM native agent, macOS and Microsoft Windows libraries are signed with a P4 certificate.

• JRebel IDE plugin (JAR file)

  • For Eclipse, the plugin is digitally signed with a P4 certificate and is verified by Eclipse.

  • For Apache NetBeans, the open-source installer plugin is digitally signed with a P4 certificate.