Skip to content

How to check installer signatures #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 3 commits into from
Closed

How to check installer signatures #23

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1ea8c25
How to verify exe signature on Windows
overheadhunter Apr 21, 2021
d5750ef
How to verify AppImage signature on Linux
SailReal Feb 11, 2022
77a8616
Add a second source to retrieve the GPG key from (Cryptobot on Github)
SailReal Mar 18, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added source/img/security/verify-installer-linux-modified.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added source/img/security/[email protected]
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added source/img/security/verify-installer-win.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added source/img/security/[email protected]
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
1 change: 1 addition & 0 deletions source/index.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ If you are interested in the security of Cryptomator, have a look at our :ref:`s
security/security-target.rst
security/architecture.rst
security/best-practices.rst
security/verify-installers.rst

.. toctree::
:hidden:
Expand Down
48 changes: 48 additions & 0 deletions source/security/verify-installers.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
Verify Installer Signatures
===========================

If you are not sure whether an alleged Cryptomator installer is legitimate, you can verify its authenticity and integrity.


.. _security/verify-installers/linux:

Linux (AppImage)
-------------

Using the `AppImage.asc` signature file, you can check the authenticity and integrity of the `AppImage` file. First download both files and verify it in following four simple steps:

.. image:: ../img/security/[email protected]
:alt: How to check the code signing certificate on Linux
:width: 1316px
:align: center

#. Use ``gpg --list-keys --fingerprint 58117AFA1F85B3EEC154677D615D449FE6E6A235`` to make sure you have loaded the GPG key. If it is not available, download it from a keyserver e.g.: ``gpg --keyserver keys.gnupg.net --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235`` or another trusted source like from Cryptobot using Github ``curl -sSL https://github.com/cryptobot.gpg | gpg --import -``.

#. Use ``gpg --verify cryptomator-*.AppImage.asc cryptomator-*.AppImage`` to execute the verification process (replace ``*`` with the downloaded version).

The message should say:

3. ``gpg: Good signature from "Cryptobot <[email protected]>"``
4. ``Primary key fingerprint: 5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235``

If shown, you can ignore the following warning:

``gpg: WARNING: This key is not certified with a trusted signature!``

.. _security/verify-installers/windows:

Windows (exe)
-------------

Our Windows installers are signed using a code signing certificate. You can verify the signature in five simple steps:

.. image:: ../img/security/[email protected]
:alt: How to check the code signing certificate on Windows
:width: 1316px
:align: center

#. Right click on the file and click on Properties.
#. Select the Digital Signatures tab: It should show a signature by ``Skymatic GmbH``.
#. Click on Details.
#. Click on View Certificates.
#. Click on Details. The serial number of our certificate should be ``63c45bff1a148d60ed2994d3a2639034``.