Cryptomator Installation Verification Guide
🔐 Verify Before Installing
ALWAYS verify cryptographic signatures and checksums before installing security software!
Step 1: Download Files
Download both the .deb package AND the .asc signature file from: https://github.com/cryptomator/cryptomator/releases
Example for version 1.18.0:
wget https://github.com/cryptomator/cryptomator/releases/download/1.18.0/cryptomator_1.18.0-0ppa1_amd64.deb
wget https://github.com/cryptomator/cryptomator/releases/download/1.18.0/cryptomator_1.18.0-0ppa1_amd64.deb.asc
Step 2: Import Cryptomator GPG Key
# Import the official Cryptomator release key
gpg --keyserver keyserver.ubuntu.com --recv-keys 615D449FE6E6A235
# Verify that the fingerprint matches the official one:
gpg --fingerprint 58117AFA1F85B3EEC154677D615D449FE6E6A235
Expected fingerprint:
5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235
If the fingerprint doesn't match, DO NOT INSTALL!
Step 3: Verify SHA256 Checksum
Get the SHA256 from the GitHub release page, then verify:
sha256sum -c <<< "9fcb87e21ef563820930fdc42daff6d0c9c1b1d7b8b6e8ab6d47c8d7fdee625d cryptomator_1.18.0-0ppa1_amd64.deb"
Expected output:
cryptomator_1.18.0-0ppa1_amd64.deb: OK
Step 4: Verify GPG Signature
gpg --verify cryptomator_1.18.0-0ppa1_amd64.deb.asc cryptomator_1.18.0-0ppa1_amd64.deb
Expected output:
gpg: Good signature from "Cryptobot <releases@cryptomator.org>" [unknown]
The "unknown" trust is fine - it just means you haven't personally signed their key. The important parts:
- ✅ "Good signature"
- ✅ Fingerprint matches official
- ✅ Signature date is reasonable (not from years ago)
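Steps 3 and 4 can be scripted so that "Good signature" from any other key in the keyring is rejected. The following is an added example, not code from the Cryptomator project: it parses gpg's machine-readable `--status-fd` output and pins the fingerprint from Step 2. The function names and the sample status lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the Cryptomator project): scripted Steps 3 and 4.
# Fingerprint pinned from Step 2 of this guide.
EXPECTED_FPR="58117AFA1F85B3EEC154677D615D449FE6E6A235"

# check_status FPR: read `gpg --status-fd` lines on stdin; succeed only if a
# VALIDSIG line names FPR as the primary key and no failure status appears.
check_status() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
    $2 == "VALIDSIG" && $12 == want { good = 1 }   # field 12 = primary key fingerprint
    END { exit !(good && !bad) }
  '
}

# verify_release DEB ASC SHA256: checksum first, then signature against the pinned key.
verify_release() {
  local deb="$1" asc="$2" sha="$3"
  printf '%s  %s\n' "$sha" "$deb" | sha256sum -c --status - \
    || { echo "checksum mismatch: $deb" >&2; return 1; }
  gpg --status-fd 1 --verify "$asc" "$deb" 2>/dev/null | check_status "$EXPECTED_FPR" \
    || { echo "no valid signature from $EXPECTED_FPR" >&2; return 1; }
}

# Constructed status output for illustration (not captured from a real run).
SAMPLE_OK="[GNUPG:] GOODSIG 615D449FE6E6A235 Cryptobot <releases@cryptomator.org>
[GNUPG:] VALIDSIG $EXPECTED_FPR 2025-11-12 1762964965 0 4 0 1 10 00 $EXPECTED_FPR"
# Same shape, but signed by some other key in the keyring (placeholder fingerprint).
OTHER_FPR="0000000000000000000000000000000000000000"
SAMPLE_OTHER_KEY="[GNUPG:] GOODSIG 0000000000000000 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG $OTHER_FPR 2025-11-12 1762964965 0 4 0 1 10 00 $OTHER_FPR"
SAMPLE_BAD="[GNUPG:] BADSIG 615D449FE6E6A235 Cryptobot <releases@cryptomator.org>"

# Usage on real files: verify_release <deb> <asc> <sha256 from the release page>
```

Only run `dpkg -i` when `verify_release` returns 0; an empty or unparseable status stream fails closed.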
Step 5: Install
sudo dpkg -i cryptomator_1.18.0-0ppa1_amd64.deb
🚨 Red Flags (DO NOT INSTALL if you see these)
- ❌ Fingerprint mismatch
- ❌ "BAD signature"
- ❌ "No public key" (key import failed)
- ❌ Checksum mismatch
- ❌ Can't download .asc file (unsigned package)
📖 Official Resources
- Release Downloads: https://github.com/cryptomator/cryptomator/releases
- GPG Key Info: https://github.com/cryptomator/cryptomator/blob/develop/GPG-KEY.md
- Security Advisory: https://cryptomator.org/security/
✅ Verification Example (Real Output)
❯ sha256sum -c <<< "9fcb87e21ef563820930fdc42daff6d0c9c1b1d7b8b6e8ab6d47c8d7fdee625d cryptomator_1.18.0-0ppa1_amd64.deb"
cryptomator_1.18.0-0ppa1_amd64.deb: OK
❯ gpg --fingerprint 58117AFA1F85B3EEC154677D615D449FE6E6A235
pub rsa4096 2020-08-18 [SC] [expires: 2031-01-01]
5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235
uid [ unknown] Cryptobot <releases@cryptomator.org>
❯ gpg --verify cryptomator_1.18.0-0ppa1_amd64.deb.asc cryptomator_1.18.0-0ppa1_amd64.deb
gpg: Signature made Wed 12 Nov 2025 09:29:25 AM MST
gpg: using RSA key 58117AFA1F85B3EEC154677D615D449FE6E6A235
gpg: Good signature from "Cryptobot <releases@cryptomator.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235
✅ All checks passed - safe to install!
Remember: This verification process protects you from:
- Corrupted downloads
- Man-in-the-middle attacks
- Compromised mirrors
- Trojanized packages