public/signature-verification/index.pt.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105

<!DOCTYPE html>
<html lang='pt'>
<head>
<title>
Signature Verification - Bitmask Downloads
</title>
<meta content='width=device-width, initial-scale=1.0' name='viewport'>
<meta charset='utf-8'>
<link href='/assets/bootstrap.min.css' rel='stylesheet'>
<link href='/assets/font-awesome/css/font-awesome.min.css' rel='stylesheet'>
<link href='/assets/style.css' rel='stylesheet'>
<script src='/assets/js/jquery.min.js'></script>
</head>
<body>
<a class='bm-masthead' href='/'></a>
<div class='bm-bar'>
Bitmask Downloads
</div>
<div class='bm-main container'>
<div id="TOC"><ol>
  <li>
    <a href="#import-leaps-key">Import LEAP’s key</a>
    <ol>
      <li>
        <a href="#option-1-wget">Option 1 – wget</a>
      </li>
      <li>
        <a href="#option-2-search-keyservers">Option 2 – search keyservers</a>
      </li>
    </ol>
  </li>
  <li>
    <a href="#download-signature-file">Download signature file</a>
  </li>
  <li>
    <a href="#verify-signature">Verify signature</a>
  </li>
</ol></div>

<p>Many of the files available for download from this site have been signed. This page will walk you through what you need to do in order to verify these signatures. This process is entirely optional.</p>
<p><code>NOTE:</code> Installation of Android and Mac apps will have their signatures verified automatically. However, we provide signatures for these files if you wish to verify them manually with the process below.</p>
<h2><a name="import-leaps-key"></a>Import LEAP’s key</h2>
<p>All the files have been signed with the &#8220;<span class="caps">LEAP</span> archive signing key&#8221;. The first step is to import this key into your local keyring. These instructions will use <code>gpg</code>, a free implementation of OpenPGP that works on Mac, Windows, and Linux.</p>
<h3><a name="option-1-wget"></a>Option 1 – wget</h3>
<p>The easiest way to get the <span class="caps">LEAP</span> archive signing key is to just download it from the bitmask.net website and import into your keyring:</p>
<pre><code>wget -O- <a href="https://dl.bitmask.net/apt.key">dl.bitmask.net/apt.key</a> | gpg --import</code></pre>
<p>You should see output that looks like this:</p>
<pre><code>gpg: key 0x1E34A1828E207901: public key "LEAP archive signing key &lt;<a href="mailto:sysdev&#064leap&#046;se">sysdev&#064leap&#046;se</a>&gt;" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   4  signed:   7  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: depth: 1  valid:   7  signed:  22  trust: 6-, 1q, 0n, 0m, 0f, 0u</code></pre>
<h3><a name="option-2-search-keyservers"></a>Option 2 – search keyservers</h3>
<p>Alternately, you can import the <span class="caps">LEAP</span> archive signing key by fetching from a keyserver:</p>
<pre><code>gpg --recv-key 1E453B2CE87BEE2F7DFE99661E34A1828E207901</code></pre>
<p>If you want to make the keyserver connection use <span class="caps">TLS</span>, you can use the sks-keyserver pool. To use this keyserver pool, you will need to <a href="https://sks-keyservers.net/sks-keyservers.netCA.pem">download the sks-keyservers.net CA</a> and save it somewhere on your machine. Additionally, you can <a href="https://sks-keyservers.net/verify_tls.php">verify the certificate’s finger print</a>.</p>
<p>Once you have downloaded the <span class="caps">SKS</span> keyserver pool CA, the <code>recv-key</code> command looks like this:</p>
<pre><code>gpg --keyserver hkps://pool.sks-keyservers.net --keyserver-options 'ca-cert-file=sks-keyservers.netCA.pem' --recv-key 1E453B2CE87BEE2F7DFE99661E34A1828E207901</code></pre>
<p>Assuming you saved the CA certificate to the file <code>sks-keyservers.netCA.pem</code>. For more information, see this <a href="https://help.riseup.net/en/gpg-best-practices">OpenPGP best practices page</a>.</p>
<p>There is absolutely no guarentee that the key just imported with <code>recv-key</code> is the one you just requested. To confirm, you need to manually check the fingerprint:</p>
<pre><code>gpg --fingerprint 1E453B2CE87BEE2F7DFE99661E34A1828E207901</code></pre>
<p>Which should produce output like so:</p>
<pre><code>pub   4096R/0x1E34A1828E207901 2013-02-06 [expires: 2015-02-07]
      Key fingerprint = 1E45 3B2C E87B EE2F 7DFE  9966 1E34 A182 8E20 7901
uid                 [  undef ] LEAP archive signing key &lt;<a href="mailto:sysdev&#064leap&#046;se">sysdev&#064leap&#046;se</a>&gt;</code></pre>
<h2><a name="download-signature-file"></a>Download signature file</h2>
<p>The signature file for each download has the same name as the file but with <code>.asc</code> appended.</p>
<p>For a listing of the available signature files, see:</p>
<ul>
	<li><a href="https://dl.bitmask.net/client/android/">All Android files</a></li>
	<li><a href="https://dl.bitmask.net/client/linux/">All Linux files</a></li>
	<li><a href="https://dl.bitmask.net/client/osx/">All Mac files</a></li>
	<li><a href="https://dl.bitmask.net/client/windows/">All Windows files</a></li>
</ul>
<p>Make sure you put the signature file and the download you want to authenticate in the same directory, and that they have the same name (other than the .asc suffix for the signature file).</p>
<h2><a name="verify-signature"></a>Verify signature</h2>
<p>Now, just run this command:</p>
<pre><code>gpg --verify FILE.asc</code></pre>
<p>Where <span class="caps">FILE</span> is the name of the download you want to authenticate.</p>
<p>You should see some output like so:</p>
<pre><code>gpg: Signature made Mon 15 Sep 2014 07:49:07 AM PDT
gpg:                using RSA key 0x1E34A1828E207901
gpg: Good signature from "LEAP archive signing key &lt;<a href="mailto:sysdev&#064leap&#046;se">sysdev&#064leap&#046;se</a>&gt;" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1E45 3B2C E87B EE2F 7DFE  9966 1E34 A182 8E20 7901</code></pre>
<p>If you have trusted one of the keys that has signed the <span class="caps">LEAP</span> key, then you will not see the warning.</p>
<p>If you do not see the text <code>Good signature from "LEAP archive signing key &lt;<a href="mailto:sysdev&#064leap&#046;se">sysdev&#064leap&#046;se</a>&gt;"</code> then something is wrong and you should not run the application you downloaded.</p>
</div>
<footer>
<div>
(c) 2014-2018 LEAP Encryption Access Project
</div>
<div>
Everything available for download on this site is free and open source software.
<br>
Source code available from
<a href="https://leap.se/git/">https://leap.se/git</a>
or
<a href="https://github.com/leapcode">https://github.com/leapcode</a>.
</div>
</footer>
</body>
</html>