GPG: How can I verify release signatures?


#1

I want to verify the integrity of my download of cryptomator. I see an .asc file is attached but no public key is published. the public key a the contact page doesnt work for verifying releases.


#2
  1. Search the keyservers for “Cryptomator”:
    gpg --search-keys "Cryptomator"

  2. Look for
    (2) Cryptobot (Release Manager) <releases@cryptomator.org> 4096 bit RSA key 509C9D6334C80F11, created: 2016-06-24, expires: 2021-12-31

  3. and import it:
    gpg --recv-keys 509C9D6334C80F11


#3

Still a good hint, we should add a link to 509C9D6334C80F11 on the homepage.