GPG: How can I verify release signatures?

jmliz · 2019-04-11 21:41:34 UTC

I want to verify the integrity of my download of cryptomator. I see an .asc file is attached but no public key is published. the public key a the contact page doesnt work for verifying releases.

infeo · 2019-04-12 00:06:33 UTC

Search the keyservers for “Cryptomator”:
gpg --search-keys "Cryptomator"
Look for
(2) Cryptobot (Release Manager) <releases@cryptomator.org> 4096 bit RSA key 509C9D6334C80F11, created: 2016-06-24, expires: 2021-12-31
and import it:
gpg --recv-keys 509C9D6334C80F11

overheadhunter · 2019-04-12 13:20:07 UTC

Still a good hint, we should add a link to 509C9D6334C80F11 on the homepage.