I want to verify the integrity of my download of Cryptomator. I see an .asc file is attached but no public key is published. The public key at the contact page doesn't work for verifying releases.
Search the keyservers for "Cryptomator":

gpg --search-keys "Cryptomator"

Look for

(2) Cryptobot (Release Manager) <releases@cryptomator.org> 4096 bit RSA key 509C9D6334C80F11, created: 2016-06-24, expires: 2021-12-31

and import it:

gpg --recv-keys 509C9D6334C80F11
Still a good hint, we should add a link to 509C9D6334C80F11 on the homepage.
It seems the old key was revoked on 2020-08-18.
Here are more up to date instructions:
Search the keyservers for "Cryptomator":

gpg --search-keys "Cryptomator"

Look for

(3) Cryptobot <releases@cryptomator.org> 4096 bit RSA key 0x615D449FE6E6A235, created: 2020-08-18

and import it:

gpg --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235
To verify, you may use something like this (in a terminal):
gpg --verify cryptomator-1.6.17-x86_64.AppImage.asc cryptomator-1.6.17-x86_64.AppImage
This should produce something like:
gpg: Signature made Wed Dec 14 20:26:47 2022 CET
gpg: using RSA key 58117AFA1F85B3EEC154677D615D449FE6E6A235
gpg: Good signature from "Cryptobot <releases@cryptomator.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235
All this just ensures that subsequent releases of cryptomator are signed by a consistent key, but not exactly that the key is legit… as it isn’t signed by trustful sources, but at least that’s a first step.
Oh, and don’t take for granted what I posted here, as I’m not authoritative without any link to Cryptomator release people
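An added example, not from this thread or from the Cryptomator project: the verification step above with the fingerprint quoted in the thread pinned, so that a "Good signature" made by some unrelated key that happens to be in the keyring is rejected rather than reported as success. It reads gpg's machine-readable status stream (--status-fd) instead of parsing the human-readable text, which can change with locale and version. The file names are the ones from the post above; check_validsig and verify_release are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the Cryptomator project): verify a
# release signature and pin the signing key's fingerprint, so that a
# "Good signature" from some other key present in the keyring is not
# mistaken for a release signature.

# Fingerprint of the current release key as quoted in the thread.
EXPECTED_FPR="58117AFA1F85B3EEC154677D615D449FE6E6A235"

# Read gpg's status lines (--status-fd) on stdin and succeed only if a
# VALIDSIG line carries the pinned fingerprint.  VALIDSIG's first field is
# the fingerprint of the key that made the signature; when that is a subkey,
# the primary key's fingerprint is the last field, so both positions are
# accepted.  GOODSIG alone is not enough: it only says the signature checks
# out against *some* key in the keyring.
check_validsig() {
    expected="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG $expected "*) found=0 ;;
            "[GNUPG:] VALIDSIG "*" $expected") found=0 ;;
        esac
    done
    return "$found"
}

# Verify a detached signature (the .asc) over the release file.  The
# human-readable messages still go to stderr for the user; only the status
# stream on stdout is piped into the check.
# Usage: verify_release cryptomator-1.6.17-x86_64.AppImage.asc cryptomator-1.6.17-x86_64.AppImage
verify_release() {
    sig="$1"
    file="$2"
    gpg --status-fd 1 --verify "$sig" "$file" | check_validsig "$EXPECTED_FPR"
}

# Run only when invoked with the two file arguments.
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: signature by pinned key $EXPECTED_FPR"
    else
        echo "FAIL: no valid signature by the pinned key" >&2
        exit 1
    fi
fi
```

This turns the check into "signed by exactly this key", which is what the thread's `[unknown]` trust warning leaves open. It still does not establish that the pinned fingerprint belongs to the Cryptomator release team; that has to come from an authoritative channel such as the project's website, as the post above points out.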