Verificar Descargas

Android

Para Android, puede verificar que el certificado de firma en la APK coincida con una de las siguientes firmas digitales SHA256:

• Para descargas de F-Droid: 9D:B6:67:8E:D7:4C:88:12:4B:82:5E:8F:90:50:2B:76 CD:97:C5:EC:CC:9A:A9:2F:40:33:02:71:02:D9:AA:9D

• Otras descargas de APK: 35:5B:E2:C3:8E:C6:73:83:C1:02:FB:E0:3E:84:C4:BC 3E:6F:89:06:F8:D3:66:91:4F:84:52:82:08:13:2A:EE

Para imprimir las firmas SHA256 del certificado de firma de APK, puede usar, por ejemplo: keytool -printcert -jarfile <APK-file>

Escritorio

1. Open your terminal and change directory to the file you want to verify, eg.
   deltachat-desktop_<VERSION>_amd64.deb

2. Download signed checksums and import key; <VERSION> needs to be replaced by the version number, eg. 2.33.0

   wget https://download.delta.chat/desktop/v<VERSION>/signed-checksums.txt
   wget https://delta.chat/assets/deltachat_certificate.asc.txt
   gpg --import deltachat_certificate.asc.txt
   

   The key is also available at keys.openpgp.org

3. Verify and check results

   gpg --decrypt signed-checksums.txt | shasum -a 512 --ignore-missing -c -
   

   Expected output:

   gpg: Good signature from "deltachat-signing@merlinux.eu" [unknown]
   gpg: WARNING: This key is not certified with a trusted signature!
   gpg:          There is no indication that the signature belongs to the owner.
   Primary key fingerprint: 63CD 1F81 5BA5 6051 8376 999C 626E 26C8 1695 1308
   <FILE>: OK
   

   Make sure the fingerprint matches and that the file you want to verify is listed. The warning is normal as you have not explicitly trusted the key.

If gpg is broken on your system, you can use
cat signed-checksums.txt | rsop inline-verify deltachat_certificate.asc.txt or
cat signed-checksums.txt | grep deltachat | shasum -a 512 --ignore-missing -c - - note, that the latter checks integrity but not the developer’s key.