How to verify the downloaded GPG Suite?

Verify SHA256 checksum

Verification is possible without gpg installed:

  1. download GPG Suite
  2. open Terminal app (easiest to find via Spotlight, an icon located in the top right of your menubar)
  3. paste shasum -a 256 then press spacebar to add a space
  4. drag downloaded GPG Suite dmg file into Terminal
  5. press enter

The resulting SHA256 checksum must match the SHA256 checksum on https://gpgtools.org.

Verify signature

Verification is only possible with gpg installed on your system.

We sign each release with our team key. To verify the signature:

  1. download GPG Suite
  2. download the GPG signature file from https://gpgtools.org
  3. if GPG Suite is already installed on your system, skip this step, as our public key comes pre-installed with GPG Keychain. Otherwise import our public key
  4. the dmg and the sig file must be located in the same folder
  5. double-click the signature file and GPG Services will show the verification result

[Image: notification showing the verification result for an untrusted signature]

Click notification for details:
[Image: verification dialog with details of the untrusted signature]

An untrusted signature is expected and nothing to worry about. This KB article explains how to verify and sign a key so that the key becomes trusted.

Verify signature of any file

Signing releases is common, and it is routine to verify the signature of downloaded files when using software like Tor Browser or Tails.

  1. download the file
  2. download the corresponding gpg signature file
  3. import the public key matching the secret key that was used to sign the file into GPG Keychain
  4. to ensure the correct public key is used, compare the fingerprint given on the developer's website with the fingerprint of the imported key
  5. make sure the signature file and the file you want to verify are located in the same folder
  6. double-click the signature file and GPG Services will show the verification result
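The command-line equivalent of the double-click verification in the two signature sections above, with the fingerprint comparison from step 4 made explicit rather than done by eye. This is an added example, not code from the KB article or from GPGTools; it assumes gpg is installed and the signer's public key has already been imported, and the EXPECTED_FPR value is a placeholder to be replaced with the fingerprint from the developer's website. It reads gpg's machine-readable status output (--status-fd) and distinguishes a good signature from a merely untrusted key, which is the case the article says is expected, from a wrong key and from a bad signature.

```shell
#!/bin/sh
# Added example, not GPGTools' code: verify a detached signature on the command
# line and check that the signing key's primary fingerprint is the expected one.
# Assumes gpg is installed and the signer's public key is imported.

# classify_status <gpg status lines> <expected primary fingerprint>
# Prints exactly one word:
#   valid-trusted    good signature, key trusted locally
#   valid-untrusted  good signature, key not yet signed/trusted locally (the
#                    expected case described above; the signature is still valid)
#   wrong-key        good signature, but from a key other than the expected one
#   bad-signature    signature does not match the file (BADSIG) or could not be
#                    checked at all (ERRSIG, e.g. public key not imported)
#   no-signature     gpg reported no valid signature
classify_status() {
    gpg_status="$1"     # one status line per line, as emitted by --status-fd
    expected_fpr="$2"   # 40 hex chars, uppercase, no spaces
    if printf '%s\n' "$gpg_status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG) '; then
        echo bad-signature
        return 0
    fi
    validsig=$(printf '%s\n' "$gpg_status" | grep -E '^\[GNUPG:\] VALIDSIG ' | head -n 1)
    if [ -z "$validsig" ]; then
        echo no-signature
        return 0
    fi
    # VALIDSIG <signing-key-fpr> <date> <ts> <expire-ts> <ver> <rsv> <pkalgo> <hash> <class> <primary-key-fpr>
    # The last field is the primary key fingerprint, which is what developers
    # publish even when a signing subkey produced the signature.
    primary_fpr=$(printf '%s\n' "$validsig" | awk '{print $NF}')
    if [ "$primary_fpr" != "$expected_fpr" ]; then
        echo wrong-key
        return 0
    fi
    if printf '%s\n' "$gpg_status" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)'; then
        echo valid-trusted
    else
        echo valid-untrusted
    fi
}

# verify_download <signature file> <downloaded file> <expected primary fingerprint>
# Runs gpg, prints the classification, and returns 0 only for a valid signature
# from the expected key (whether or not that key is trusted locally yet).
verify_download() {
    status_out=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null || true)
    result=$(classify_status "$status_out" "$3")
    echo "$result"
    case "$result" in
        valid-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Placeholder: replace with the fingerprint published on the developer's website.
EXPECTED_FPR="0000000000000000000000000000000000000000"
# Usage: verify_download ~/Downloads/GPG_Suite.dmg.sig ~/Downloads/GPG_Suite.dmg "$EXPECTED_FPR"
```

The fingerprint check matters because gpg will happily report a good signature from any key in your keyring; only comparing against the fingerprint you obtained from the developer ties the signature to the intended signer. Treat wrong-key exactly like bad-signature: the file is not what the developer published.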