How to verify the downloaded GPG Suite?

Verify SHA256 checksum

Verification is possible without gpg installed:

  1. download GPG Suite
  2. open Terminal app (easiest to find via Spotlight)
  3. paste shasum -a 256
  4. press spacebar and drag downloaded GPG Suite file into Terminal
  5. press enter

The resulting SHA256 checksum must match the SHA256 checksum on https://gpgtools.org.

Verify signature

This method requires gpg to be installed on your system.

We sign each release with our team key. To verify the signature:

  1. download GPG Suite and
  2. the "GPG Signature" from https://gpgtools.org
  3. if you have GPG Suite installed, skip this step, as our public key comes pre-installed in GPG Keychain; otherwise, import our public key
  4. make sure that the dmg and sig file are located in the same folder
  5. double-click the signature file and GPG Services will show the verification result

[Screenshot: "Untrusted signature" verification notification]

Click the notification to see details:
[Screenshot: "Untrusted signature" verification dialog]

Seeing "Untrusted signature" is nothing to worry about. This KB article explains how to verify and sign a key so that the key becomes trusted.

Verify signature of any file

Signing releases is common, and it is routine to verify the signature of downloaded files when using software like Tor Browser or Tails.

  1. download the file and
  2. the corresponding gpg signature file
  3. import the public key matching the secret key that was used to create the signature into GPG Keychain
  4. to ensure the correct public key is used, compare the fingerprint given on the developer's website with the fingerprint of the imported key
  5. make sure that the signature file and the file you want to verify are located in the same folder
  6. double-click the signature file and GPG Services will show the verification result