| 1 | +--- |
| 2 | +id: verify-installers |
| 3 | +title: Verify Installer Signatures |
| 4 | +sidebar_position: 6 |
| 5 | +--- |
| 6 | + |
| 7 | +# Verify Installer Signatures |
| 8 | + |
| 9 | +If you are not sure whether an alleged Cryptomator installer is legitimate, you can verify its authenticity and integrity. |
| 10 | + |
| 11 | +## GPG Signature {#gpg-signature} |
| 12 | + |
| 13 | +All Cryptomator release artifacts include a `.asc` signature file that you can use to verify authenticity and integrity using GPG. This method works on Windows, Linux, and macOS (with GPG installed). Download both the installer and the corresponding `.asc` signature file, then verify in the following steps: |
| 14 | + |
| 15 | +<Image src="/img/security/verify-gpg-signature.png" alt="How to verify GPG signatures" width="1272" height="379" /> |
| 16 | + |
| 17 | +1. Use `gpg --list-keys --fingerprint 58117AFA1F85B3EEC154677D615D449FE6E6A235` to make sure you have loaded the GPG key. If it is not available, download it from a keyserver e.g.: `gpg --keyserver keys.gnupg.net --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235` or another trusted source like from Cryptobot using Github `curl -sSL https://github.com/cryptobot.gpg | gpg --import -`. |
| 18 | +2. Use `gpg --verify <installer-file>.asc <installer-file>` to execute the verification process (replace `<installer-file>` with the actual filename of your downloaded installer). |
| 19 | + |
| 20 | +The message should say: |
| 21 | + |
| 22 | +3. `gpg: Good signature from "Cryptobot <[email protected]>"` |
| 23 | +4. `Primary key fingerprint: 5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235` |
| 24 | + |
| 25 | +If shown, you can ignore the following warning: |
| 26 | + |
| 27 | +`gpg: WARNING: This key is not certified with a trusted signature!` |
| 28 | + |
| 29 | +## Windows (exe) {#windows} |
| 30 | + |
| 31 | +Our Windows installers are signed using a code signing certificate. You can verify the signature in five simple steps: |
| 32 | + |
| 33 | +< Image src= "/img/security/verify-win-installer.png" srcset= " /img/security/verify-win-installer 1x, /img/security/[email protected] 2x" alt= "How to check the code signing certificate on Windows" width= "1316" height= "767" /> |
| 34 | + |
| 35 | +1. Right click on the file and click on Properties. |
| 36 | +2. Select the Digital Signatures tab: It should show a signature by `Skymatic GmbH`. |
| 37 | +3. Click on Details. |
| 38 | +4. Click on View Certificates. |
| 39 | +5. Click on Details. The serial number of our certificate should be: |
| 40 | + - For releases since July 14, 2022: `d77e4f8b938f56ae265cd08e9193490c` |
| 41 | + - For releases from July 3, 2019 to July 3, 2022: `63c45bff1a148d60ed2994d3a2639034` |
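Review bot: The sentence on new-file line 25 ("If shown, you can ignore the following warning:") should be conditioned on the fingerprint check from line 23, because the `curl -sSL https://github.com/cryptobot.gpg | gpg --import -` alternative in step 1 imports whatever key is served without tying it to `58117AFA1F85B3EEC154677D615D449FE6E6A235`. Suggest stating that the warning may be ignored only when the `Primary key fingerprint` line matches the documented fingerprint exactly, and that a "Good signature" with any other fingerprint means the installer should not be trusted. The expected output on lines 22-23 is numbered 3 and 4, so it reads as two further steps; an unnumbered list or a single output block under "The message should say:" would be clearer. The serial number list on lines 40-41 leaves July 4 to July 13, 2022 uncovered; if no release falls in that window, say so, otherwise adjust one of the dates. Minor: "Github" on line 17 should be "GitHub".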