All SQLCipher binary packages prepared by Zetetic are provided with a digital signature in order to verify the authenticity of a downloaded package. Below are the steps to setup your environment, obtain the Zetetic Software public key and verify any packages you have acquired with their corresponding signatures.
The steps below will describe the usage of GnuPG (i.e.
gpg), a free implementation of the OpenPGP standard. If you already have GnuPG installed on your host machine, please skip to the next step. Depending on your operating system there are a few options available for installing a GnuPG implementation. We recommend the following:
If you are running within a Linux environment, your distribution may already include a prebuilt version, if not, consult your package manager for specific installation instructions. To verify your installation on your machine, run the following command from your terminal — it should display the current version of the
There are few ways to acquire the signing key, we will cover downloading and verifying the fingerprint of our key directly from S3 first.
Before you import the key into your keyring, you should first verify the fingerprint of the key with the following command:
gpg --keyid-format 0xlong --with-fingerprint support_zetetic_net_public_key.gpg
pub 4096R/97ED25C2 2014-04-22 [expires: 2018-04-20] Key fingerprint = D83F 5F9E B811 D6E6 B4A0 D9C5 D1FA 3A2A 97ED 25C2 uid Zetetic LLC <firstname.lastname@example.org> sub 3072R/67FD0322 2014-04-22 [expires: 2018-04-20] sub 3072R/D4DFEDA7 2014-04-22 [expires: 2018-04-20] sub 3072R/B1C49DF6 2014-04-22 [expires: 2018-04-20]
Now we can import the Zetetic key into the keyring. From a terminal prompt execute the following within the directory that contains the key:
cat support_zetetic_net_public_key.gpg | gpg --keyid-format long --import
Alternatively, you can request the key from a key server through the following command, below we will use the sks keyservers pool:
gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys D1FA3A2A97ED25C2
Again, we need to verify the fingerprint of the key matches above:
gpg --fingerprint D1FA3A2A97ED25C2
With the Zetetic key properly installed in your keyring, you can now obtain the the corresponding signature(s) for the package(s) you have acquired. Once you download the appropriate signature(s), execute their corresponding command to verify the signature matches your package.