{"id":1157,"date":"2022-12-05T21:52:18","date_gmt":"2022-12-05T21:52:18","guid":{"rendered":"https:\/\/3d-imaging.co.uk\/blog\/?p=1157"},"modified":"2024-05-20T15:39:46","modified_gmt":"2024-05-20T15:39:46","slug":"keepass-xc-verifying-signatures","status":"publish","type":"post","link":"https:\/\/3d-imaging.co.uk\/blog\/keepass-xc-verifying-signatures\/","title":{"rendered":"Keepass XC Verifying Signatures"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p><span style=\"color: #ffffff;\">From the KeePassXC website <\/span><a href=\"https:\/\/keepassxc.org\/verifying-signatures\">here<\/a><\/p>\n<div id=\"verify-signatures\" dir=\"ltr\"><p><span style=\"color: #ffffff;\">By verifying the signatures of KeePassXC releases, you can prove the <strong>authenticity<\/strong> and <strong>integrity<\/strong> of the downloaded file. This guarantees that the file you just downloaded was originally created by the KeePassXC Team and that its contents haven&#8217;t been tampered with on the way.<\/span> <span style=\"color: #ffffff;\">A more detailed explanation is available in the <a style=\"color: #000000;\" href=\"https:\/\/www.qubes-os.org\/doc\/verifying-signatures\/\">Qubes-OS project documentation<\/a>.<\/span><\/p>\n<\/div>\n<h4 class=\"western\"><span style=\"color: #ffffff;\"><a style=\"color: #000000;\" name=\"how-to-verify-signatures\"><\/a>Download Options<\/span><\/h4>\n<p><span style=\"color: #ffffff;\">Every KeePassXC release is published in a variety of package formats:<\/span><\/p>\n<ul>\n<li><span style=\"color: #ffffff;\">a <em>*.dmg<\/em> drag-and-drop installer for macOS<\/span><\/li>\n<li><span style=\"color: #ffffff;\">an <em>*.msi<\/em> installer and a <em>*.zip<\/em> archive with binaries for Windows<\/span><\/li>\n<li><span style=\"color: #ffffff;\">a self-contained executable <em>*.AppImage<\/em> for GNU\/Linux<\/span><\/li>\n<li><span style=\"color: #ffffff;\">a <em>*.tar.xz<\/em> source 
tarball<\/span><\/li>\n<\/ul>\n<p><span style=\"color: #ffffff;\">Each of these package files has two related sidecar files, a <em>*.sig<\/em> containing a PGP signature and a <em>*.DIGEST<\/em> containing the SHA-256 hash for basic integrity checks.<\/span><\/p>\n<h4 class=\"western\"><span style=\"color: #ffffff;\">Verifying Releases \u2014 Windows<\/span><\/h4>\n<p><span style=\"color: #ffffff;\">The Windows MSI installation file is protected by an Authenticode signature, which means that <strong>authenticity and integrity<\/strong> checks are verified directly by Windows when you run the program.<\/span><\/p>\n<p><span style=\"color: #ffffff;\">You should see the following dialog with <strong>DroidMonkey Apps, LLC<\/strong> as the verified publisher:<\/span><\/p>\n<p><span style=\"color: #ffffff;\"><img width=\"456\" height=\"336\" class=\"alignnone size-full wp-image-1001 \" src=\"https:\/\/3d-imaging.co.uk\/blog\/wp-content\/uploads\/2022\/12\/img_638a135693086.png\" alt=\"\" srcset=\"https:\/\/3d-imaging.co.uk\/blog\/wp-content\/uploads\/2022\/12\/img_638a135693086.png 456w, https:\/\/3d-imaging.co.uk\/blog\/wp-content\/uploads\/2022\/12\/img_638a135693086-300x221.png 300w\" sizes=\"(max-width: 456px) 100vw, 456px\" \/><\/span><\/p>\n<p><span style=\"color: #ffffff;\">To verify the portable ZIP file, you must download and install <a style=\"color: #000000;\" href=\"https:\/\/www.gpg4win.org\/\" target=\"_blank\" rel=\"noopener\">Gpg4win<\/a>. Then follow the verification instructions below.<\/span><\/p>\n<h4 class=\"western\"><span style=\"color: #ffffff;\">Verifying Releases \u2014 macOS<\/span><\/h4>\n<p><span style=\"color: #ffffff;\">The macOS release is signed with our Apple Developer ID, which is checked by the operating system on launch. 
You won&#8217;t be able to open KeePassXC after the installation if the signature check fails.<\/span><\/p>\n<h1 class=\"western\"><span style=\"color: #ffffff;\">Verifying Releases via PGP \u2014 Linux, macOS, and Windows<\/span><\/h1>\n<p><span style=\"color: #ffffff;\">A more thorough check can be made using the <em>*.sig<\/em> sidecar file. This contains an OpenPGP (GPG) <em>signature<\/em> created with one of our <em>release keys<\/em>. Signing files with any other key will give a different signature. Following these verification instructions will ensure the downloaded files really came from us.<\/span><\/p>\n<h5 class=\"western\"><span style=\"color: #ffffff;\">Step 1: Import the public key<\/span><\/h5>\n<p><span style=\"color: #ffffff;\">We will use the <code class=\"western\">gpg<\/code> program to check the signatures. Before you can do that you need to tell <code class=\"western\">gpg<\/code> about our public key, by <em>importing<\/em> it.<\/span><\/p>\n<p><span style=\"color: #ffffff;\">On Windows and macOS you will need to install the <code class=\"western\">gpg<\/code> program. On Windows, we recommend <a style=\"color: #000000;\" href=\"https:\/\/www.gpg4win.org\/\" target=\"_blank\" rel=\"noopener\">Gpg4win<\/a>. 
On macOS we recommend <a style=\"color: #000000;\" href=\"https:\/\/gpgtools.org\/\" target=\"_blank\" rel=\"noopener\">GPG Tools<\/a> or gnupg installed via Homebrew.<\/span><\/p>\n<p><span style=\"color: #ffffff;\">The KeePassXC public key can be retrieved in any of the ways shown below:<\/span><\/p>\n<p><span style=\"color: #ffffff;\"><strong>From a keyserver:<\/strong><\/span><\/p>\n<pre class=\"western\"><span style=\"color: #ffffff;\"><code class=\"western\">gpg --keyserver keys.openpgp.org --recv-keys CFB4C2166397D0D2<\/code><\/span><\/pre>\n<p><span style=\"color: #ffffff;\"><img width=\"820\" height=\"272\" class=\"alignnone size-full wp-image-1002 \" src=\"https:\/\/3d-imaging.co.uk\/blog\/wp-content\/uploads\/2022\/12\/img_638a1375d884d.png\" alt=\"\" srcset=\"https:\/\/3d-imaging.co.uk\/blog\/wp-content\/uploads\/2022\/12\/img_638a1375d884d.png 820w, https:\/\/3d-imaging.co.uk\/blog\/wp-content\/uploads\/2022\/12\/img_638a1375d884d-300x100.png 300w, https:\/\/3d-imaging.co.uk\/blog\/wp-content\/uploads\/2022\/12\/img_638a1375d884d-768x255.png 768w\" sizes=\"(max-width: 820px) 100vw, 820px\" \/><\/span><\/p>\n<p><span style=\"color: #ffffff;\"><strong>From <a style=\"color: #000000;\" href=\"https:\/\/keepassxc.org\/keepassxc_master_signing_key.asc\">our website<\/a>:<\/strong><\/span><\/p>\n<pre class=\"western\"><span style=\"color: #ffffff;\"><code class=\"western\">gpg --fetch-keys https:\/\/keepassxc.org\/keepassxc_master_signing_key.asc<\/code><\/span><\/pre>\n<p><span style=\"color: #ffffff;\">These are the fingerprints of the master key and the current signing sub keys:<\/span><\/p>\n<pre class=\"western\"><span style=\"color: #ffffff;\"><code class=\"western\">pub   rsa4096 2017-01-03 [SC]\n      BF5A669F2272CF4324C1FDA8CFB4C2166397D0D2\nuid           [ unknown] KeePassXC Release &lt;release@keepassxc.org&gt;\nsub   rsa2048 2017-01-03 [S] [expires: 2024-12-04]\n      C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8\nsub   rsa2048 2017-01-03 [S] [expires: 2024-12-04]\n      71D4673D73C7F83C17DAE6A2D8538E98A26FD9C4<\/code><\/span><\/pre>\n<p><span style=\"color: #ffffff;\">Notice that we have a <em>master<\/em> key and some <em>sub<\/em> keys. The actual signatures are created with one of the <em>sub keys<\/em>. As the naming implies, they are closely related to one another &#8211; importing the master PGP key is sufficient for verifying signatures made with any of its sub keys.<\/span><\/p>\n<h5 class=\"western\"><span style=\"color: #ffffff;\">Step 2: Verify the PGP signature<\/span><\/h5>\n<p><span style=\"color: #ffffff;\">Once you have imported the key, you can decide whether you want to mark it as <em>trusted<\/em>. This is not strictly necessary for the checks we are making here. For more information, see the <a style=\"color: #000000;\" href=\"https:\/\/www.qubes-os.org\/doc\/verifying-signatures\/\">Qubes-OS project documentation<\/a>.<\/span><\/p>\n<p><span style=\"color: #ffffff;\">You can then verify the <strong>authenticity and integrity<\/strong> of a downloaded package from its detached signature by running the following command:<\/span><\/p>\n<pre class=\"western\"><span style=\"color: #ffffff;\"><code class=\"western\">$ gpg --verify KeePassXC-*.sig<\/code><\/span><\/pre>\n<p><span style=\"color: #ffffff;\">The output should look like this (the file name will of course differ):<\/span><\/p>\n<pre class=\"western\"><span style=\"color: #ffffff;\"><code class=\"western\">gpg: assuming signed data in 'KeePassXC-X.X.X-Win64-Portable.zip'\ngpg: Signature made Thu 22 Oct 2020 01:57:33 CEST\ngpg:                using RSA key C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8\ngpg: Good signature from \"KeePassXC Release &lt;release@keepassxc.org&gt;\" [unknown]\ngpg: WARNING: This key is not certified with a trusted signature!\ngpg:          There is no indication that the signature belongs to the owner.\nPrimary key fingerprint: BF5A 669F 2272 CF43 24C1 FDA8 CFB4 C216 6397 D0D2\n     Subkey fingerprint: C1E4 CBA3 AD78 D3AF D894 F9E0 B7A6 6F03 B590 76A8<\/code><\/span><\/pre>\n<p><span style=\"color: #ffffff;\"><img width=\"795\" height=\"263\" class=\"alignnone size-full wp-image-1007 \" src=\"https:\/\/3d-imaging.co.uk\/blog\/wp-content\/uploads\/2022\/12\/img_638a152a17d71.png\" alt=\"\" srcset=\"https:\/\/3d-imaging.co.uk\/blog\/wp-content\/uploads\/2022\/12\/img_638a152a17d71.png 795w, https:\/\/3d-imaging.co.uk\/blog\/wp-content\/uploads\/2022\/12\/img_638a152a17d71-300x99.png 300w, https:\/\/3d-imaging.co.uk\/blog\/wp-content\/uploads\/2022\/12\/img_638a152a17d71-768x254.png 768w\" sizes=\"(max-width: 795px) 100vw, 795px\" \/><\/span><\/p>\n<p><span style=\"color: #ffffff;\">You want to see that &#8220;Good signature&#8221; line. It shows that the <em>.sig<\/em> file must have been created from the downloaded file with a PGP key with the fingerprint <code class=\"western\">BF5A669F2272CF4324C1FDA8CFB4C2166397D0D2<\/code>.<\/span><\/p>\n<p><span style=\"color: #ffffff;\">The warning is there because in this example we have not taken the extra step of <em>trusting<\/em> that key. It can be ignored if (and only if) you see that the fingerprints are correct (see above).<\/span><\/p>\n<h4 class=\"western\"><span style=\"color: #ffffff;\">Verification fails or fingerprint does not match!<\/span><\/h4>\n<p><span style=\"color: #ffffff;\">Do NOT install the package. First, try downloading it again. 
If the checks are still failing, let us know about the problem by opening an <a style=\"color: #000000;\" href=\"https:\/\/github.com\/keepassxreboot\/keepassxc\/issues\">issue<\/a>.<\/span><\/p>\n<hr \/>\n<h4 class=\"western\"><span style=\"color: #ffffff;\">Basic integrity check<\/span><\/h4>\n<p><span style=\"color: #ffffff;\">If you know what you are doing, you can skip the authenticity check and perform only a simple integrity check of the file using the <em>.DIGEST<\/em> sidecar file. This will ONLY tell you that the file has been downloaded correctly without errors. It will NOT tell you if you can TRUST the download! If you have already followed any of the verification steps above, you do not need this.<\/span><\/p>\n<h5 class=\"western\"><span style=\"color: #ffffff;\">Linux and macOS<\/span><\/h5>\n<p><span style=\"color: #ffffff;\">Open a terminal window and change directory to the folder you downloaded the files to, e.g. <code class=\"western\">cd \/home\/username\/Downloads<\/code><\/span><\/p>\n<p><span style=\"color: #ffffff;\">The <em>*.DIGEST<\/em> file can be used to check that your package downloaded correctly, with the following command:<\/span><\/p>\n<pre class=\"western\"><span style=\"color: #ffffff;\"><code class=\"western\">$ shasum -a 256 -c KeePassXC-*.DIGEST\nKeePassXC-XXX: OK<\/code><\/span><\/pre>\n<p><span style=\"color: #ffffff;\">The <code class=\"western\">shasum<\/code> program recalculates the SHA-256 hash digest of the package file and compares it with the value in the <em>.DIGEST<\/em> file. If they match (output is &#8220;OK&#8221;), the package was downloaded without errors.<\/span><\/p>\n<h5 class=\"western\"><span style=\"color: #ffffff;\">Windows<\/span><\/h5>\n<p><span style=\"color: #ffffff;\">Open a PowerShell window (hit <em>WIN+R<\/em>, type in <em>powershell<\/em>, press <em>Enter<\/em>) and change directory to the folder you downloaded the files to, e.g. 
<code class=\"western\">cd C:\\Users\\username\\Downloads<\/code><\/span><\/p>\n<p><span style=\"color: #ffffff;\">Copy\/Paste the following command into the PowerShell window:<\/span><\/p>\n<pre class=\"western\"><span style=\"color: #ffffff;\"><code class=\"western\">(Get-FileHash .\\KeePassXC-*-Win64.msi).Hash -eq (Get-Content .\\KeePassXC-*-Win64.msi.DIGEST).split(\" \")[0].ToUpper()<\/code><\/span><\/pre>\n<p><span style=\"color: #ffffff;\">You should see <code class=\"western\">True<\/code> appear; if not, the download is invalid or the MSI and its <em>.DIGEST<\/em> file are not in the same folder.<\/span><\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>From the KeePassXC website here By verifying the signatures of KeePassXC releases, you can prove the authenticity and integrity&#8230;<\/p>\n","protected":false},"author":1,"featured_media":1274,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"__cvm_playback_settings":[],"__cvm_video_id":"","footnotes":""},"categories":[26],"tags":[],"yst_prominent_words":[],"class_list":{"0":"post-1157","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-verifying-foss-sofware"},"menu_order":0,"_links":{"self":[{"href":"https:\/\/3d-imaging.co.uk\/blog\/wp-json\/wp\/v2\/posts\/1157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/3d-imaging.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/3d-imaging.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/3d-imaging.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/3d-imaging.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=1157"}],"version-history":[{"count":8,"href":"https:\/\/3d-imaging.co.uk\/blog\/wp-json\/wp\/v2\/posts\/1157\/revisions"}],"predecessor-version":[{"id":1282,"href
":"https:\/\/3d-imaging.co.uk\/blog\/wp-json\/wp\/v2\/posts\/1157\/revisions\/1282"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/3d-imaging.co.uk\/blog\/wp-json\/wp\/v2\/media\/1274"}],"wp:attachment":[{"href":"https:\/\/3d-imaging.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=1157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/3d-imaging.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=1157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/3d-imaging.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=1157"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/3d-imaging.co.uk\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=1157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}