Sunday, October 3, 2021

How to Validate the Integrity of the Downloaded KeePassXC File on Mac

Download the binary, signature and hash files from https://keepassxc.org/download/:
KeePassXC-2.6.6-x86_64.dmg
KeePassXC-2.6.6-x86_64.dmg.sig
Value from KeePassXC-2.6.6-x86_64.dmg.DIGEST:
ab96033c16459de5a95e1f9e5864a5bd8cc47b4f3dee2c68ede6199dd44286ec  KeePassXC-2.6.6-x86_64.dmg

At the terminal:
$ openssl dgst -sha256 KeePassXC-2.6.6-x86_64.dmg
SHA256(KeePassXC-2.6.6-x86_64.dmg)= ab96033c16459de5a95e1f9e5864a5bd8cc47b4f3dee2c68ede6199dd44286ec

Before installing, use the search function in any text editor to search for the computed hash value and confirm that it matches the value from the .DIGEST file.

$ gpg --verify KeePassXC-2.6.6-x86_64.dmg.sig
gpg: assuming signed data in 'KeePassXC-2.6.6-x86_64.dmg'
gpg: Signature made Sat Jun 12 10:52:46 2021 PDT
gpg:                using RSA key C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8
gpg: Can't check signature: No public key

$ gpg --keyserver pgp.mit.edu --recv C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8
gpg: key CFB4C2166397D0D2: 1 duplicate signature removed
gpg: key CFB4C2166397D0D2: public key "KeePassXC Release <release@keepassxc.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --verify KeePassXC-2.6.6-x86_64.dmg.sig KeePassXC-2.6.6-x86_64.dmg
gpg: Signature made Sat Jun 12 10:52:46 2021 PDT
gpg:                using RSA key C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8
gpg: Good signature from "KeePassXC Release <release@keepassxc.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BF5A 669F 2272 CF43 24C1  FDA8 CFB4 C216 6397 D0D2
     Subkey fingerprint: C1E4 CBA3 AD78 D3AF D894  F9E0 B7A6 6F03 B590 76A8
    
