Generally follow this
From the KeepassXC website here
By verifying the signatures of KeePassXC releases, you can prove the authenticity and integrity of the downloaded file. This guarantees that the file you just downloaded was originally created by the KeePassXC Team and that its contents haven’t been tampered with on the way.
A more detailed explanation is available in the Qubes-OS project documentation.
Every KeePassXC release is published in a variety of package formats:
Each of these package files has two related sidecar files, a *.sig containing a PGP signature and a *.DIGEST containing the SHA-256 hash for basic integrity checks.
The Windows MSI installation file is protected by an authenticode signature, this means that authenticity and integrity checks are verified directly by Windows when you run the program.
You should see the following dialog with DroidMonkey Apps, LLC as the verified publisher:
To verify the portal ZIP file, you must download and install Gpg4win. Then follow the verification instructions below.
The macOS release is signed with our Apple Developer ID, which is checked by the operating system on launch. You won’t be able to open KeePassXC after the installation if the signature check fails.
A more thorough check can be made using the *.sig sidecar file. This contains an OpenPGP (GPG) signature created with one of our release keys. Signing files with any other key will give a different signature. Following these verification instructions will ensure the downloaded files really came from us.
We will use the
gpg program to check the signatures. Before you can do that you need to tell
gpg about our public key, by importing it.
The KeePassXC public key can be retrieved in any of the ways shown below:
From a keyserver:
gpg --keyserver keys.openpgp.org --recv-keys CFB4C2166397D0D2
From our website:
gpg --fetch-keys https://keepassxc.org/keepassxc_master_signing_key.asc
These are the fingerprints of the master key and the current signing sub keys:
pub rsa4096 2017-01-03 [SC]
uid [ unknown] KeePassXC Release <[email protected]>
sub rsa2048 2017-01-03 [S] [expires: 2024-12-04]
sub rsa2048 2017-01-03 [S] [expires: 2024-12-04]
Notice that we have a master key and some sub keys. The actual signatures are created with one of the sub keys. As the naming implies, they are closely related to one another – importing the master PGP key is sufficient for verifying signatures made with any of its sub keys.
Once you have imported the key, you can decide whether you want to mark it as trusted. This is not strictly necessary for the checks we are making here. For more information, see the Qubes-OS project documentation.
You can then verify the authenticity and integrity of a downloaded package from its detached signature by running the following command:
$ gpg --verify KeePassXC-*.sig
2: Import VeraCrypt_PGP_public_key.asc into GPA
3: Set trust to Ultimate or (Right Click set owner trust)
4: In Powershell do this:
Compare RSA key given to fingerprint here:
Set the PATH variable as shown here
Use the command:
gpg --verify putty-64bit-0.78-installer.msi.gpg putty-64bit-0.78-installer.msi
Which gives the result:
E:\My-Valnondat\Foss\Foss SSH>gpg --verify putty-64bit-0.78-installer.msi.gpg putty-64bit-0.78-installer.msi
gpg: Signature made 29/10/2022 08:06:33 GMT Summer Time
gpg: using RSA key 2CF6134BD3F77A6588EBD668E4F83EA2AA4915EC
gpg: Can't check signature: No public key
In Kleopatra click Lookup on Server and search for the above mentioned RSA key. Then select and import the key:
Follow the method below from the GnuPG Gpg4win website
If you upgrade your Gpg4Win version, you already have gnupg installed and you can verify the integrity of the downloaded file, by its OpenPGP signature. To do so, you have to download, next the file, the signature of the file. You’ll find the download-links on the Gpg4Win package integrity site. The ey, with which the files are signed, is also given on that page. You have to import the public key and now you can validate the signature of the file with the commandread more
Download the Gpg4win windows installer after which you get this message:
(Click Check Integrity to show the signature to compare against)
Use the signature quoted below to compare against what is shown by either going through the UAC conformation below or right click and propertes. From here.
Double click to execute the downloaded excutable:
Windows UAC comes up. Click Show more details:
Click “Show information about the publisher’s certificate”
Check against the signature on the download page
If when you right click a remote file in Filezilla and select “view/edit” to open it locally:
Then Edit > Settings >
in “Filetype associations” add the following text:
. C:\Windows\system32\NOTEPAD.EXE %f
jpg “C:\Program Files\Adobe\Adobe Photoshop 2022\Photoshop.exe” %f
php “C:\Windows\System32\notepad.exe” %f
Further example with different default programs:
Ways to write c:\Program Files so Windows understands (sometimes the space in the middle is a problem):