GPG: How can I verify release signatures?

I want to verify the integrity of my download of cryptomator. I see an .asc file is attached but no public key is published. The public key at the contact page doesn't work for verifying releases.

  1. Search the keyservers for “Cryptomator”:
    gpg --search-keys "Cryptomator"

  2. Look for
    (2) Cryptobot (Release Manager) <releases@cryptomator.org> 4096 bit RSA key 509C9D6334C80F11, created: 2016-06-24, expires: 2021-12-31

  3. and import it:
    gpg --recv-keys 509C9D6334C80F11

Still a good hint, we should add a link to 509C9D6334C80F11 on the homepage.

It seems the old key was revoked on 2020-08-18.

Here are more up to date instructions:

  1. Search the keyservers for “Cryptomator”:
    gpg --search-keys "Cryptomator"

  2. Look for
    (3) Cryptobot <releases@cryptomator.org> 4096 bit RSA key 0x615D449FE6E6A235, created : 2020-08-18

  3. and import it:
    gpg --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235

3 Likes

To verify, you may use something like this (in a terminal):
gpg --verify cryptomator-1.6.17-x86_64.AppImage.asc cryptomator-1.6.17-x86_64.AppImage

This should produce something like:

gpg: Signature made Wed Dec 14 20:26:47 2022 CET
gpg:                using RSA key 58117AFA1F85B3EEC154677D615D449FE6E6A235
gpg: Good signature from "Cryptobot <releases@cryptomator.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5811 7AFA 1F85 B3EE C154  677D 615D 449F E6E6 A235

All this just ensures that subsequent releases of cryptomator are signed by a consistent key, but not exactly that the key is legit… as it isn’t signed by trustful sources, but at least that’s a first step.

Oh, and don’t take for granted what I posted here, as I’m not authoritative without any link to Cryptomator release people :wink:

3 Likes
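As an added example that is not part of this thread (and not Cryptomator's own tooling): a small POSIX shell helper that runs the verification above with `--status-fd` and accepts the result only when gpg's VALIDSIG status line names the fingerprint posted in this thread, so the "Good signature ... [unknown]" output is backed by a check against the expected key instead of being read by eye. It assumes gpg is installed and the key has already been imported; the sample status line used for the stand-alone run is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Pins the release-signing fingerprint so a
# "Good signature" from any other key (including one sharing the short key ID)
# is rejected. Assumes the key below has already been imported with gpg.
EXPECTED_FPR="58117AFA1F85B3EEC154677D615D449FE6E6A235"

# check_status: read "gpg --status-fd 1" output on stdin; return 0 only if a
# VALIDSIG line names the expected fingerprint ($1), either as the signing
# (sub)key fingerprint or as the primary-key fingerprint in the last field.
check_status() {
    expected="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> <primary-fpr>
                set -- $line
                eval "last=\${$#}"
                if [ "$3" = "$expected" ] || [ "$last" = "$expected" ]; then
                    found=0
                fi
                ;;
        esac
    done
    return $found
}

# verify_release <sig.asc> <file>: status lines go to stdout (fd 1), the
# human-readable messages to stderr, which is discarded here.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Stand-alone demonstration on a constructed status line (no gpg call needed).
SAMPLE="[GNUPG:] VALIDSIG 58117AFA1F85B3EEC154677D615D449FE6E6A235 2022-12-14 1671046007 0 4 0 1 8 00 58117AFA1F85B3EEC154677D615D449FE6E6A235"
if printf '%s\n' "$SAMPLE" | check_status "$EXPECTED_FPR"; then
    echo "constructed sample: signing key matches the pinned fingerprint"
fi
# Real use: verify_release cryptomator-1.6.17-x86_64.AppImage.asc cryptomator-1.6.17-x86_64.AppImage
```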

That is just how GPG works. If you haven’t signed our public key yourself, maybe somebody else did, whom you trust. If there is no signature path leading from your key to ours, you cannot know whether the key is authentic.

Thanks for pointing that out! The key 5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235 is indeed ours. We have also published it in this Gist, which is owned by cryptobot, who creates our releases on GitHub.