Verify SQLCipher

All SQLCipher binary packages prepared by Zetetic are provided with a digital signature in order to verify the authenticity of a downloaded package. Below are the steps to setup your environment, obtain the Zetetic Software public key and verify any packages you have acquired with their corresponding signatures.

Prepare Environment

The steps below will describe the usage of GnuPG (i.e. gpg), a free implementation of the OpenPGP standard. If you already have GnuPG installed on your host machine, please skip to the next step. Depending on your operating system there are a few options available for installing a GnuPG implementation. We recommend the following:

If you are running within a Linux environment, your distribution may already include a prebuilt version, if not, consult your package manager for specific installation instructions. To verify your installation on your machine, run the following command from your terminal — it should display the current version of the gpg tool:

gpg --version

Acquire Zetetic Software Key

There are few ways to acquire the signing key, we will cover downloading and verifying the fingerprint of our key directly from S3 first.


Zetetic signing key

Before you import the key into your keyring, you should first verify the fingerprint of the key with the following command:

gpg --keyid-format 0xlong --with-fingerprint support_zetetic_net_public_key.gpg

This should print the following information, please verify the fingerprint matches:


    pub  4096R/97ED25C2 2014-04-22 [expires: 2018-04-20]
          Key fingerprint = D83F 5F9E B811 D6E6 B4A0  D9C5 D1FA 3A2A 97ED 25C2
    uid                            Zetetic LLC <support@zetetic.net>
    sub  3072R/67FD0322 2014-04-22 [expires: 2018-04-20]
    sub  3072R/D4DFEDA7 2014-04-22 [expires: 2018-04-20]
    sub  3072R/B1C49DF6 2014-04-22 [expires: 2018-04-20]
      

Now we can import the Zetetic key into the keyring. From a terminal prompt execute the following within the directory that contains the key:

cat support_zetetic_net_public_key.gpg | gpg --keyid-format long --import

Alternatively, you can request the key from a key server through the following command, below we will use the sks keyservers pool:

gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys D1FA3A2A97ED25C2

Again, we need to verify the fingerprint of the key matches above:

gpg --fingerprint D1FA3A2A97ED25C2

Verify Signature

With the Zetetic key properly installed in your keyring, you can now obtain the the corresponding signature(s) for the package(s) you have acquired. Once you download the appropriate signature(s), execute their corresponding command to verify the signature matches your package.

Commercial Editions

Signature Command
sqlcipher-ado-net.zip.sig gpg --verify sqlcipher-ado-net.zip.sig sqlcipher-ado-net.zip
sqlcipher-for-android-v3.5.7.zip.sig gpg --verify sqlcipher-for-android-v3.5.7.zip.sig sqlcipher-for-android-v3.5.7.zip
sqlcipher-for-windows-phone.zip.sig gpg --verify sqlcipher-for-windows-phone.zip.sig sqlcipher-for-windows-phone.zip
sqlcipher-for-windows-runtime.zip.sig gpg --verify sqlcipher-for-windows-runtime.zip.sig sqlcipher-for-windows-runtime.zip
sqlcipher-static-ios.zip.sig gpg --verify sqlcipher-static-ios.zip.sig sqlcipher-static-ios.zip
sqlcipher-static-osx.zip.sig gpg --verify sqlcipher-static-osx.zip.sig sqlcipher-static-osx.zip
sqlcipher-static-wk.zip.sig gpg --verify sqlcipher-static-wk.zip.sig sqlcipher-static-wk.zip
sqlcipher-win32.zip.sig gpg --verify sqlcipher-win32.zip.sig sqlcipher-win32.zip
sqlcipher-for-windows-uap.zip.sig gpg --verify sqlcipher-for-windows-uap.zip.sig sqlcipher-for-windows-uap.zip
sqlcipher-for-xamarin-ios-4.1.3.0.xam.sig gpg --verify sqlcipher-for-xamarin-ios-4.1.3.0.xam.sig sqlcipher-for-xamarin-ios-4.1.3.0.xam
sqlcipher-for-xamarin-android-4.1.3.0.xam.sig gpg --verify sqlcipher-for-xamarin-android-4.1.3.0.xam.sig sqlcipher-for-xamarin-android-4.1.3.0.xam


Community Editions

Signature Command
sqlcipher-3.4.1.zip.sig gpg --verify sqlcipher-3.4.1.zip.sig sqlcipher-3.4.1.zip