# Cryptomator Installation Verification Guide

## 🔐 Verify Before Installing

**ALWAYS verify cryptographic signatures and checksums before installing security software!**

### Step 1: Download Files

Download both the .deb package AND the .asc signature file from:
https://github.com/cryptomator/cryptomator/releases

Example for version 1.18.0:
```bash
wget https://github.com/cryptomator/cryptomator/releases/download/1.18.0/cryptomator_1.18.0-0ppa1_amd64.deb
wget https://github.com/cryptomator/cryptomator/releases/download/1.18.0/cryptomator_1.18.0-0ppa1_amd64.deb.asc
```

### Step 2: Import Cryptomator GPG Key

```bash
# Import the official Cryptomator release key
gpg --keyserver keyserver.ubuntu.com --recv-keys 615D449FE6E6A235

# Verify the fingerprint matches official:
gpg --fingerprint 58117AFA1F85B3EEC154677D615D449FE6E6A235
```

**Expected fingerprint:**
```
5811 7AFA 1F85 B3EE C154  677D 615D 449F E6E6 A235
```

**If the fingerprint doesn't match, DO NOT INSTALL!**

### Step 3: Verify SHA256 Checksum

Get the SHA256 from the GitHub release page, then verify:

```bash
sha256sum -c <<< "9fcb87e21ef563820930fdc42daff6d0c9c1b1d7b8b6e8ab6d47c8d7fdee625d cryptomator_1.18.0-0ppa1_amd64.deb"
```

Expected output:
```
cryptomator_1.18.0-0ppa1_amd64.deb: OK
```

### Step 4: Verify GPG Signature

```bash
gpg --verify cryptomator_1.18.0-0ppa1_amd64.deb.asc cryptomator_1.18.0-0ppa1_amd64.deb
```

Expected output:
```
gpg: Good signature from "Cryptobot <releases@cryptomator.org>" [unknown]
```

**The "unknown" trust is fine** - it just means you haven't personally signed their key. The important parts:
- ✅ "Good signature"
- ✅ Fingerprint matches official
- ✅ Signature date is reasonable (not from years ago)

### Step 5: Install

```bash
sudo dpkg -i cryptomator_1.18.0-0ppa1_amd64.deb
```

## 🚨 Red Flags (DO NOT INSTALL if you see these)

- ❌ Fingerprint mismatch
- ❌ "BAD signature"
- ❌ "No public key" (key import failed)
- ❌ Checksum mismatch
- ❌ Can't download .asc file (unsigned package)

## 📖 Official Resources

- Release Downloads: https://github.com/cryptomator/cryptomator/releases
- GPG Key Info: https://github.com/cryptomator/cryptomator/blob/develop/GPG-KEY.md
- Security Advisory: https://cryptomator.org/security/

## ✅ Verification Example (Real Output)

```
❯ sha256sum -c <<< "9fcb87e21ef563820930fdc42daff6d0c9c1b1d7b8b6e8ab6d47c8d7fdee625d cryptomator_1.18.0-0ppa1_amd64.deb"
cryptomator_1.18.0-0ppa1_amd64.deb: OK

❯ gpg --fingerprint 58117AFA1F85B3EEC154677D615D449FE6E6A235
pub   rsa4096 2020-08-18 [SC] [expires: 2031-01-01]
      5811 7AFA 1F85 B3EE C154  677D 615D 449F E6E6 A235
uid           [ unknown] Cryptobot <releases@cryptomator.org>

❯ gpg --verify cryptomator_1.18.0-0ppa1_amd64.deb.asc cryptomator_1.18.0-0ppa1_amd64.deb
gpg: Signature made Wed 12 Nov 2025 09:29:25 AM MST
gpg:                using RSA key 58117AFA1F85B3EEC154677D615D449FE6E6A235
gpg: Good signature from "Cryptobot <releases@cryptomator.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5811 7AFA 1F85 B3EE C154  677D 615D 449F E6E6 A235
```

✅ All checks passed - safe to install!

---

**Remember**: This verification process protects you from:
- Corrupted downloads
- Man-in-the-middle attacks
- Compromised mirrors
- Trojanized packages