If you are downloading OnionShare on MacOS or Windows, you should also download the GPG signature to verify the integrity of the package.
How are the binaries signed?
The MacOS and Windows packages are signed by Micah Lee, the core developer, using his GPG key (0x403C2657CD994F73). This creates a signature file, ending in .asc, which can prove that the package was signed by Micah using his key.
Where do I get Micah's GPG key?
On a Mac, assuming you have GPG Suite installed, you can import the GPG key from a keyserver into your keychain via the command line:
gpg --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys 0x403C2657CD994F73
On Windows, assuming you have gpg4win installed, you can import the GPG key from a keyserver into your keychain via the command line:
gpg.exe --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys 0x403C2657CD994F73
Where do I get the signature for my package?
They should be linked on the front page of https://onionshare.org, beneath where you downloaded the package. If not, you can find them listed under https://onionshare.org/dist/, under the relevant version number of your package.
The signatures, along with the binaries, are also available on the GitHub 'Releases' page.
How do I verify the signature?
Once you have imported Micah's key into your keychain, downloaded the binary, and downloaded the .asc signature, you can verify the binary via the command line like so:
gpg --verify OnionShare-2.pkg.asc OnionShare-2.pkg
gpg.exe --verify OnionShare-2.pkg.asc OnionShare-2.pkg
An expected output might look like this:
gpg: Signature made Tue 19 Feb 2019 09:25:28 AM AEDT using RSA key ID CD994F73
gpg: Good signature from "Micah Lee <email@example.com>"
gpg:                 aka "Micah Lee <firstname.lastname@example.org>"
gpg:                 aka "Micah Lee <email@example.com>"
gpg:                 aka "Micah Lee <firstname.lastname@example.org>"
gpg:                 aka "Micah Lee <email@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 927F 419D 7EC8 2C2F 149C 1BD1 403C 2657 CD99 4F73
If you don't see 'Good signature from', there may be a problem with the integrity of the file (malicious or otherwise), and you should probably not install the package.
The WARNING shown above is not a problem with the package: it only means you have not assigned any level of 'trust' to Micah's GPG key itself.
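The verification step above as a small POSIX shell script. This is an added example, not part of the OnionShare wiki or project: it pins the full primary key fingerprint printed in the example output, because 'Good signature from' on its own only says that some key in your keyring made the signature, not that it was the key you meant to import.

```shell
#!/bin/sh
# Primary key fingerprint from the example output above, spaces removed.
EXPECTED_FPR="927F419D7EC82C2F149C1BD1403C2657CD994F73"

# verify_pinned PACKAGE SIGNATURE FINGERPRINT
# Succeeds only if gpg reports a valid signature AND the primary key that
# made it has exactly the pinned fingerprint.
verify_pinned() {
    pkg="$1"; sig="$2"
    # Normalise the expected fingerprint: drop spaces, force upper case.
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    # --status-fd 1 prints machine-readable status lines on stdout; a non-zero
    # exit already means no good signature (BADSIG, unknown key, corrupt file).
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$pkg" 2>/dev/null) || {
        echo "FAIL: gpg reports no good signature for $pkg" >&2; return 1; }
    # VALIDSIG fields: [GNUPG:] VALIDSIG <sig-key fpr> <date> <ts> <expire>
    #   <ver> <reserved> <pk-algo> <hash-algo> <class> [<primary-key fpr>]
    # Prefer the primary key fingerprint (field 12); fall back to the signing
    # key fingerprint (field 3) if gpg did not print one.
    got=$(printf '%s\n' "$status" |
          awk '$2 == "VALIDSIG" { print ($12 != "" ? $12 : $3); exit }')
    if [ -z "$got" ]; then
        echo "FAIL: no VALIDSIG line; this is not a verifiable signature" >&2
        return 1
    fi
    if [ "$got" != "$want" ]; then
        echo "FAIL: signed by key $got, expected $want" >&2
        return 1
    fi
    echo "OK: $pkg signed by key $got"
}

# Usage: sh verify.sh OnionShare-2.pkg OnionShare-2.pkg.asc [FINGERPRINT]
if [ "$#" -ge 2 ]; then
    verify_pinned "$1" "$2" "${3:-$EXPECTED_FPR}"
fi
```

The fingerprint comparison is what the plain `gpg --verify` command does not do for you; it is the same check you would make by eye against the 'Primary key fingerprint' line.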
How does this prove that it was Micah who signed the binary?
GPG relies on the premise that you trust that Micah is the real owner of the above GPG key. OnionShare itself cannot provide this trust; it comes from the 'web of trust', from having been given Micah's public key personally, or from someone you trust who trusts the key.
Using or participating in the GPG web of trust is beyond the scope of this wiki. Many online guides exist.