privacy-toolkit/tools/cryptomator/VERIFICATION.md
2025-12-31 19:44:07 -07:00
# Cryptomator Installation Verification Guide
## 🔐 Verify Before Installing
**ALWAYS verify cryptographic signatures and checksums before installing security software!**
### Step 1: Download Files
Download both the .deb package AND the .asc signature file from:
https://github.com/cryptomator/cryptomator/releases
Example for version 1.18.0:
```bash
wget https://github.com/cryptomator/cryptomator/releases/download/1.18.0/cryptomator_1.18.0-0ppa1_amd64.deb
wget https://github.com/cryptomator/cryptomator/releases/download/1.18.0/cryptomator_1.18.0-0ppa1_amd64.deb.asc
```
### Step 2: Import Cryptomator GPG Key
```bash
# Import the official Cryptomator release key from a public keyserver
gpg --keyserver keyserver.ubuntu.com --recv-keys 615D449FE6E6A235
# Print the full fingerprint of the imported key and compare it, character
# by character, against the official fingerprint listed below:
gpg --fingerprint 58117AFA1F85B3EEC154677D615D449FE6E6A235
```
**Expected fingerprint:**
```
5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235
```
**If the fingerprint doesn't match, DO NOT INSTALL!**
### Step 3: Verify SHA256 Checksum
Get the SHA256 from the GitHub release page, then verify:
```bash
sha256sum -c <<< "9fcb87e21ef563820930fdc42daff6d0c9c1b1d7b8b6e8ab6d47c8d7fdee625d cryptomator_1.18.0-0ppa1_amd64.deb"
```
Expected output:
```
cryptomator_1.18.0-0ppa1_amd64.deb: OK
```
### Step 4: Verify GPG Signature
```bash
gpg --verify cryptomator_1.18.0-0ppa1_amd64.deb.asc cryptomator_1.18.0-0ppa1_amd64.deb
```
Expected output:
```
gpg: Good signature from "Cryptobot <releases@cryptomator.org>" [unknown]
```
**The "unknown" trust is fine** - it only means you have not personally certified (signed) the key, so it sits outside your local GnuPG web of trust; it says nothing about whether the signature itself is valid. The important parts:
- ✅ "Good signature"
- ✅ Fingerprint matches official
- ✅ Signature date is reasonable (not from years ago)
### Step 5: Install
```bash
sudo dpkg -i cryptomator_1.18.0-0ppa1_amd64.deb
```
## 🚨 Red Flags (DO NOT INSTALL if you see these)
- ❌ Fingerprint mismatch
- ❌ "BAD signature"
- ❌ "No public key" (key import failed)
- ❌ Checksum mismatch
- ❌ Can't download .asc file (unsigned package)
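The five steps and the red-flag list above, as one script. This is an added example, not part of the original guide or of the Cryptomator project: a POSIX sh wrapper that runs the checksum and signature checks and refuses to continue on any red flag, including the subtle case of a "Good signature" made by a key whose fingerprint does not match the official one. It assumes `gpg` and `sha256sum` (or `shasum`) are on PATH for a real run; the expected fingerprint and checksum are the values stated above; `GOOD_OUTPUT` and the other sample outputs are constructed to exercise the parser offline (the good one is modelled on the output shown in this guide, the "wrong key" fingerprint is a placeholder).

```shell
#!/bin/sh
# Added example, not part of the original guide: applies the guide's checks
# mechanically and stops on any red flag. Assumes gpg and sha256sum (or shasum)
# are on PATH for a real run; the expected values below are the guide's own.

EXPECTED_FPR="58117AFA1F85B3EEC154677D615D449FE6E6A235"
EXPECTED_SHA256="9fcb87e21ef563820930fdc42daff6d0c9c1b1d7b8b6e8ab6d47c8d7fdee625d"

# Drop spaces and upper-case, so "5811 7AFA ..." and "58117afa..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Decide from captured gpg --verify output (gpg writes it to stderr).
# Passes only on "Good signature" AND a primary key fingerprint equal to the
# expected one; "BAD signature", "No public key", or a missing/foreign
# fingerprint all fail. Usage: check_gpg_output <expected fpr> <output text>
check_gpg_output() {
    expected=$(normalize_fpr "$1")
    output=$2
    case "$output" in
        *"BAD signature"* | *"No public key"*) return 1 ;;
    esac
    case "$output" in
        *"Good signature"*) ;;
        *) return 1 ;;
    esac
    # A good signature from the wrong key is still a red flag: compare fingerprints.
    fpr=$(printf '%s\n' "$output" | sed -n 's/^Primary key fingerprint: *//p' | head -n 1)
    [ -n "$fpr" ] || return 1
    [ "$(normalize_fpr "$fpr")" = "$expected" ]
}

# Hex SHA-256 of a file, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Usage: check_sha256 <expected hex> <file>; case-insensitive comparison.
check_sha256() {
    actual=$(sha256_of "$2") || return 1
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$1" | tr 'A-F' 'a-f')" ]
}

# The guide's Steps 3-4 plus red-flag handling. Usage: verify_deb <pkg.deb> <pkg.deb.asc>
# Returns 0 only when every check passes; installing (Step 5) is left to the caller.
verify_deb() {
    deb=$1; asc=$2
    [ -f "$deb" ] || { echo "red flag: package file missing" >&2; return 1; }
    [ -f "$asc" ] || { echo "red flag: no .asc signature file (unsigned package)" >&2; return 1; }
    check_sha256 "$EXPECTED_SHA256" "$deb" || { echo "red flag: checksum mismatch" >&2; return 1; }
    gpg_out=$(gpg --verify "$asc" "$deb" 2>&1)
    check_gpg_output "$EXPECTED_FPR" "$gpg_out" || {
        echo "red flag: signature or fingerprint check failed:" >&2
        printf '%s\n' "$gpg_out" >&2
        return 1
    }
    echo "all checks passed: $deb"
}

# Constructed sample outputs (not captured from a real run) so the parser can be
# exercised offline. GOOD_OUTPUT is modelled on the output shown in this guide.
GOOD_OUTPUT='gpg: Signature made Wed 12 Nov 2025 09:29:25 AM MST
gpg:                using RSA key 58117AFA1F85B3EEC154677D615D449FE6E6A235
gpg: Good signature from "Cryptobot <releases@cryptomator.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: 5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235'
# Good signature, but from a different key (placeholder fingerprint): must fail.
WRONG_KEY_OUTPUT='gpg: Good signature from "Someone Else <placeholder@example.invalid>" [unknown]
Primary key fingerprint: 0000 1111 2222 3333 4444 5555 6666 7777 8888 9999'
BAD_SIG_OUTPUT='gpg: BAD signature from "Cryptobot <releases@cryptomator.org>" [unknown]'
NO_KEY_OUTPUT="gpg: Can't check signature: No public key"

if [ "$#" -eq 2 ]; then
    verify_deb "$1" "$2"          # real run: ./verify.sh pkg.deb pkg.deb.asc
else
    for name in GOOD_OUTPUT WRONG_KEY_OUTPUT BAD_SIG_OUTPUT NO_KEY_OUTPUT; do
        eval "sample=\$$name"
        if check_gpg_output "$EXPECTED_FPR" "$sample"; then
            echo "$name: accepted"
        else
            echo "$name: rejected"
        fi
    done
fi
```

Run it with no arguments to see the four constructed samples classified (only `GOOD_OUTPUT` is accepted), or with the package and its `.asc` file to perform the real checks; `sudo dpkg -i` belongs after a zero exit status, never before. Pinning the fingerprint in the script is the point: `gpg --verify` alone reports "Good signature" for any key in your keyring, so the fingerprint comparison is what ties the signature to the official release key.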
## 📖 Official Resources
- Release Downloads: https://github.com/cryptomator/cryptomator/releases
- GPG Key Info: https://github.com/cryptomator/cryptomator/blob/develop/GPG-KEY.md
- Security Advisory: https://cryptomator.org/security/
## ✅ Verification Example (Real Output)
```
sha256sum -c <<< "9fcb87e21ef563820930fdc42daff6d0c9c1b1d7b8b6e8ab6d47c8d7fdee625d cryptomator_1.18.0-0ppa1_amd64.deb"
cryptomator_1.18.0-0ppa1_amd64.deb: OK
gpg --fingerprint 58117AFA1F85B3EEC154677D615D449FE6E6A235
pub rsa4096 2020-08-18 [SC] [expires: 2031-01-01]
5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235
uid [ unknown] Cryptobot <releases@cryptomator.org>
gpg --verify cryptomator_1.18.0-0ppa1_amd64.deb.asc cryptomator_1.18.0-0ppa1_amd64.deb
gpg: Signature made Wed 12 Nov 2025 09:29:25 AM MST
gpg: using RSA key 58117AFA1F85B3EEC154677D615D449FE6E6A235
gpg: Good signature from "Cryptobot <releases@cryptomator.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235
```
✅ All checks passed - safe to install!
---
**Remember**: This verification process protects you from:
- Corrupted downloads
- Man-in-the-middle attacks
- Compromised mirrors
- Trojanized packages