GPG: How can I verify release signatures?

I want to verify the integrity of my download of cryptomator. I see an .asc file is attached but no public key is published. The public key on the contact page doesn't work for verifying releases.

  1. Search the keyservers for “Cryptomator”:
    gpg --search-keys "Cryptomator"

  2. Look for
    (2) Cryptobot (Release Manager) <releases@cryptomator.org> 4096 bit RSA key 509C9D6334C80F11, created: 2016-06-24, expires: 2021-12-31

  3. and import it:
    gpg --recv-keys 509C9D6334C80F11

Still a good hint, we should add a link to 509C9D6334C80F11 on the homepage.

It seems the old key was revoked on 2020-08-18.

Here are more up to date instructions:

  1. Search the keyservers for “Cryptomator”:
    gpg --search-keys "Cryptomator"

  2. Look for
    (3) Cryptobot <releases@cryptomator.org> 4096 bit RSA key 0x615D449FE6E6A235, created : 2020-08-18

  3. and import it:
    gpg --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235

3 Likes

To verify, you may use something like this (in a terminal):
gpg --verify cryptomator-1.6.17-x86_64.AppImage.asc cryptomator-1.6.17-x86_64.AppImage

this should produce something like:

gpg: Signature made Wed Dec 14 20:26:47 2022 CET
gpg:                using RSA key 58117AFA1F85B3EEC154677D615D449FE6E6A235
gpg: Good signature from "Cryptobot <releases@cryptomator.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5811 7AFA 1F85 B3EE C154  677D 615D 449F E6E6 A235

All this just ensures that subsequent releases of cryptomator are signed by a consistent key, but not exactly that the key is legit… as it isn’t signed by trustful sources, but at least that’s a first step.

Oh, and don’t take for granted what I posted here, as I’m not authoritative without any link to Cryptomator release people :wink:

3 Likes
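A defensive wrapper around the verification command shown above, added here as an example (it is not from the thread or from the Cryptomator project): it reads gpg's machine-readable status output and accepts the release only if the signature was made by the pinned fingerprint quoted above and the key is not reported revoked or expired, which is exactly what the "[unknown]" warning leaves open. The function names `verify_release` and `check_status` are my own; it assumes gpg is on PATH and the release key was imported as described.

```shell
#!/bin/sh
# Added example, not from the thread: verify a release signature and pin the
# signing key's fingerprint instead of trusting "Good signature" alone.
# Assumes gpg is on PATH and the release key was imported as described above.
EXPECTED_FPR="58117AFA1F85B3EEC154677D615D449FE6E6A235"

# check_status STATUS_TEXT EXPECTED_FPR
# STATUS_TEXT is gpg's machine-readable output ("[GNUPG:] ..." lines).
# Returns 0 only for a GOODSIG whose VALIDSIG fingerprint (signing key,
# field 3, or its primary key, last field) equals EXPECTED_FPR and whose
# key is not reported revoked or expired.
check_status() {
    status="$1"
    expected="$2"
    if printf '%s\n' "$status" | grep -qE '^\[GNUPG:\] (REVKEYSIG|EXPKEYSIG) '; then
        echo "signature made with a revoked or expired key" >&2
        return 3
    fi
    if ! printf '%s\n' "$status" | grep -qE '^\[GNUPG:\] GOODSIG '; then
        echo "no good signature found" >&2
        return 1
    fi
    # VALIDSIG fields: 3 = fingerprint of the (sub)key that signed,
    # last = fingerprint of its primary key.
    fprs=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; print $NF; exit }')
    case "$fprs" in
        *"$expected"*)
            echo "good signature from pinned key $expected"
            return 0 ;;
    esac
    echo "good signature, but from an unexpected key: $fprs" >&2
    return 2
}

# verify_release SIGNATURE_FILE RELEASE_FILE
verify_release() {
    # --status-fd 1 sends status lines to stdout; the human-readable
    # report (including the "not certified" warning) goes to stderr.
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    check_status "$status" "$EXPECTED_FPR"
}

# Only run the real check when called with a signature and a release file.
if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```

Usage: `sh verify.sh cryptomator-1.6.17-x86_64.AppImage.asc cryptomator-1.6.17-x86_64.AppImage`; a non-zero exit means the file should not be trusted even if gpg itself printed "Good signature".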