Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
150 lines (125 sloc) 8.75 KB
---
layout: pages
title: "Verifying Signatures"
permalink: verifying-signatures
---
<div id="verify-signatures">
<p>By verifying the signatures of KeePassXC releases, you can prove the <strong>authenticity</strong> and
<strong>integrity</strong> of the downloaded file.
This guarantees that the file you just downloaded was originally created by the KeePassXC Team and that its
contents haven't been tampered with on the way.</p>
<p>A more detailed explanation is available in the <a href="https://www.qubes-os.org/doc/verifying-signatures/">Qubes-OS
project documentation</a>.</p>
</div>
<div id="how-to-verify-signatures">
<h4>Download Options</h4>
<p>Every KeePassXC release is published in a variety of package formats:</p>
<ul>
<li>a <em>*.dmg</em> drag-and-drop installer for macOS</li>
<li>an <em>*.exe</em> installer and a <em>*.zip</em> archive with binaries for Windows</li>
<li>a self-contained executable <em>*.AppImage</em> for GNU/Linux.</li>
<li>a <em>*.tar.xz</em> source tarball</li>
</ul>
<p>Each of these package files has two related sidecar files, a <em>*.DIGEST</em> and a <em>*.sig</em>
that need to be downloaded to the same directory in order for verification to succeed.</p>
<h4>Basic integrity check - Linux/macOS</h4>
<p>Open a terminal window and change directory to the folder you downloaded the files to, e.g. <code>cd /home/username/Downloads</code></p>
<p>The <em>*.DIGEST</em> file can be used to check your package downloaded correctly,
with the following command:</p>
<pre><code>$ shasum -a 256 -c KeePassXC-$VERSION-x86_64.AppImage.DIGEST
KeePassXC-$VERSION-x86_64.AppImage: OK</code></pre>
<p>The <code>shasum</code> program recalculates the SHA-256 hash digest of the package file
and compares it with the value in the <em>.DIGEST</em> file. If they match, this shows the package
was downloaded without errors.</p>
<h4>Basic integrity check - Windows</h4>
<p>Open a PowerShell window (WIN+R, type in <em>powershell</em>, press &lt;enter&gt;) and
change directory to the folder you downloaded the files to, e.g. <code>cd C:\Users\username\Downloads</code></p>
<p>Copy/Paste the following command into the PowerShell window:</p>
<pre><code>(Get-FileHash .\KeePassXC-$VERSION-Win64.exe).Hash -eq (Get-Content .\KeePassXC-$VERSION-Win64.exe.DIGEST).split(" ")[0].ToUpper()</code></pre>
<p>You should see <code>True</code> appear, if not then the download is invalid or your files are not together.</p>
<h4>Verifying Releases - Windows</h4>
<p>The Windows installation file (exe or msi) is protected by authenticode signature, this means that <strong>authenticity and integrity</strong>
checks are verified directly by Windows when you run the program.</p>
<p>You should see the following dialog with <strong>DroidMonkey Apps, LLC</strong> as the verified publisher:</p>
<p><img src="/images/KeePassXC_UAC.png"></p>
<p>To verify a zip file, you must download <a href="https://www.gpg4win.org/" target="_blank">Gpg4win</a> and use the directions below in a Windows Command Prompt.</p>
<h4>Checking integrity and <em>authenticity</em> - Linux/macOS, Windows ZIP</h4>
<p>A more thorough check can be made using the <em>*.sig</em> sidecar file.
This contains an OpenPGP (GPG) <em>signature</em> created with one of our <em>release keys</em>.
Signing the installable file with any other key will give a different signature,
so you can use the signature and our public key to check the package file really came from us.</p>
<h4>Importing the Public Master Key</h4>
<p>We will use the <code>gpg</code> program to check the signatures.
Before you can do that you need to tell <code>gpg</code> about our public key,
by <em>importing</em> it.
</p>
<p>The KeePassXC public key can be retrieved in any of the ways shown below:</p>
<strong>From a specific keyserver</strong>
<pre><code>gpg --keyserver pool.sks-keyservers.net --recv-keys 0xBF5A669F2272CF4324C1FDA8CFB4C2166397D0D2</code></pre>
<strong>Manual download from <a href="{{ site.baseurl }}/keepassxc_master_signing_key.asc">our website</a> and import
with gpg</strong>
<pre><code>gpg --import ./keepassxc_master_signing_key.asc</code></pre>
<strong>Fetch via gpg</strong>
<pre><code>gpg --fetch-keys https://keepassxc.org/keepassxc_master_signing_key.asc</code></pre>
<strong>Manual download from the
<a href="https://github.com/keepassxreboot/keepassxreboot.github.io/blob/master/keepassxc_master_signing_key.asc">KeePassXC
website repository</a> and import with gpg</strong>
<pre><code>gpg --import ./keepassxc_master_signing_key.asc</code></pre>
<p>These are the fingerprints of the master key and the current signing sub keys:</p>
<div><pre><code>pub rsa4096/CFB4C2166397D0D2 2017-01-03 [SC]
Key fingerprint = BF5A 669F 2272 CF43 24C1 FDA8 CFB4 C216 6397 D0D2
uid [ unknown ] KeePassXC Release &lt;<span class="eobfs">release 'AT` keepassxc ^DOT' org</span>&gt;
sub rsa2048/AFF235EEFB5A2517 2017-01-03 [S] [expires: 2019-01-03]
sub rsa2048/D8538E98A26FD9C4 2017-01-03 [S] [expires: 2019-01-03]
sub rsa2048/B7A66F03B59076A8 2017-01-03 [S] [expires: 2019-01-03]</code></pre>
</div>
<p>Notice that we have a <em>master</em> key and some <em>sub</em> keys.
The actual signatures are created with one of the <em>sub keys</em>.
As the naming implies, they are closely related to one another -
importing the master PGP key is sufficient for verifying signatures
made with any of its sub keys.
</p>
<p>Once you have imported the key, you can decide whether you want to mark it as <em>trusted</em>.
This is not strictly necessary for the checks we are making here. For more information, see the
<a href="https://www.qubes-os.org/doc/verifying-signatures/">Qubes-OS project documentation</a>.
</p>
<h4>Verifying Releases - Linux/macOS</h4>
<p>You can verify the <strong>authenticity and integrity</strong> of a downloaded package from its detached
signature by running the following command:</p>
<pre><code>$ gpg --verify KeePassXC-$VERSION-x86_64.AppImage.sig
gpg: assuming signed data in 'KeePassXC-$VERSION-x86_64.AppImage'
gpg: Signature made Fri 17 Feb 2017 05:20:55 PM CET
gpg: using RSA key C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8
gpg: Good signature from "KeePassXC Release &lt;<span
class="eobfs">release 'AT` keepassxc ^DOT' org</span>&gt;" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BF5A 669F 2272 CF43 24C1 FDA8 CFB4 C216 6397 D0D2
Subkey fingerprint: C1E4 CBA3 AD78 D3AF D894 F9E0 B7A6 6F03 B590 76A8</code></pre>
<p>You want to see that "Good signature" line. It shows the .sig file must have been created from
the AppImage file by the sub key with the fingerprint <code>C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8</code>.
</p>
<p>The warning is there because in this example we have not taken the extra step of <em>trusting</em> that key.
</p>
<h4>Verifying Releases - Windows ZIP</h4>
<p>You can verify the <strong>authenticity and integrity</strong> of the Windows ZIP file by running the following command in the Windows Command Prompt:</p>
<pre><code>gpg --verify KeePassXC-$VERSION-Win64-Portable.zip.sig
gpg: assuming signed data in 'KeePassXC-$VERSION-Win64-Portable.zip'
gpg: Signature made Fri 17 Feb 2017 05:20:55 PM CET
gpg: using RSA key C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8
gpg: Good signature from "KeePassXC Release &lt;<span
class="eobfs">release 'AT` keepassxc ^DOT' org</span>&gt;" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BF5A 669F 2272 CF43 24C1 FDA8 CFB4 C216 6397 D0D2
Subkey fingerprint: C1E4 CBA3 AD78 D3AF D894 F9E0 B7A6 6F03 B590 76A8</code></pre>
<p>You want to see that "Good signature" line. It shows the .sig file must have been created from
the Windows ZIP file by the sub key with the fingerprint <code>C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8</code>.
</p>
<p>The warning is there because in this example we have not taken the extra step of <em>trusting</em> that key.
</p>
<h4>Verification fails!</h4>
<p>Don't install the package. First, try downloading again and rechecking. If it is still not working,
please let us know about the problem by opening an <a href="https://github.com/keepassxreboot/keepassxc/issues">issue</a>.
</p>
</div>