GPG: How can I verify release signatures?


I want to verify the integrity of my download of cryptomator. I see an .asc file is attached but no public key is published. the public key a the contact page doesnt work for verifying releases.

  1. Search the keyservers for “Cryptomator”:
    gpg --search-keys "Cryptomator"

  2. Look for
    (2) Cryptobot (Release Manager) <> 4096 bit RSA key 509C9D6334C80F11, created: 2016-06-24, expires: 2021-12-31

  3. and import it:
    gpg --recv-keys 509C9D6334C80F11


Still a good hint, we should add a link to 509C9D6334C80F11 on the homepage.