Skip to content

Verifying Signatures

Miguel Jacq edited this page May 7, 2019 · 5 revisions

If you are downloading OnionShare on MacOS or Windows, you should also download the GPG signature to verify the integrity of the package.

How are the binaries signed?

The MacOS and Windows packages are signed by Micah Lee, the core developer, using his GPG key (0x403C2657CD994F73). This creates a signature file, ending in .asc, which can prove that the package was signed by Micah using his key.

Where do I get Micah's GPG key?

You can obtain Micah's GPG key from Keybase, or from his website, or from a keyserver (see command line examples below).

MacOS

On a Mac, assuming you have GPG Suite installed, you can also import the GPG key from a keyserver into your keychain via the command line:

gpg --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys 0x403C2657CD994F73

Windows

On Windows, assuming you have gpg4win installed, you can also import the GPG key from a keyserver into your keychain via the command line:

gpg.exe --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys 0x403C2657CD994F73

Where do I get the signature for my package?

They should be linked on the front page of https://onionshare.org, beneath where you downloaded the package. If not, you can find them listed under https://onionshare.org/dist/, under the relevant version number of your package.

We recommend you use Tor Browser to view the OnionShare via its .onion address for added integrity. Micah has also signed the validity of the .onion address!

The signatures, along with the binaries, are also available on the Github 'Releases' page.

How do I verify the signature?

Once you have imported Micah's key into your keychain, downloaded the binary, and downloaded the .asc signature, you can verify the binary via the command line like so:

MacOS

gpg --verify OnionShare-2.pkg.asc OnionShare-2.pkg

Windows

gpg.exe --verify OnionShare-2.pkg.asc OnionShare-2.pkg

An expected output might look like this:

gpg: Signature made Tue 19 Feb 2019 09:25:28 AM AEDT using RSA key ID CD994F73
gpg: Good signature from "Micah Lee <micah@micahflee.com>"
gpg:                 aka "Micah Lee <micah@firstlook.org>"
gpg:                 aka "Micah Lee <micah@freedom.press>"
gpg:                 aka "Micah Lee <micah.lee@firstlook.org>"
gpg:                 aka "Micah Lee <micah.lee@theintercept.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 927F 419D 7EC8 2C2F 149C  1BD1 403C 2657 CD99 4F73

If you don't see 'Good signature from', then there might be a problem with the integrity of the file (malicious or otherwise), and you perhaps should not install the package.

The WARNING shown above, is not a problem with the package: it only means you have not defined any level of 'trust' regarding Micah's GPG key itself.

How does this prove that it was Micah who signed the binary?

GPG relies on the premise that you trust that Micah is the real owner of the above GPG key. Providing this trust is not possible via OnionShare, but by the 'web of trust', or if you've been given Micah's public key personally, or by someone you trust, who trusts the key.

Using or participating in the GPG web of trust is beyond the scope of this wiki. Many online guides exist.

Other online guides regarding verifying GPG signatures such as that at Qubes OS and the Tor Project may also be of use.

You can’t perform that action at this time.