Verify SQLCipher

All SQLCipher binary packages prepared by Zetetic are provided with a digital signature in order to verify the authenticity of a downloaded package. Below are the steps to setup your environment, obtain the Zetetic Software public key and verify any packages you have acquired with their corresponding signatures.

Prepare Environment

The steps below will describe the usage of GnuPG (i.e. gpg), a free implementation of the OpenPGP standard. If you already have GnuPG installed on your host machine, please skip to the next step. Depending on your operating system there are a few options available for installing a GnuPG implementation. We recommend the following:

If you are running within a Linux environment, your distribution may already include a prebuilt version, if not, consult your package manager for specific installation instructions. To verify your installation on your machine, run the following command from your terminal — it should display the current version of the gpg tool:

gpg --version

Acquire Zetetic Software Key

There are few ways to acquire the signing key, we will cover downloading and verifying the fingerprint of our key directly from S3 first.

Download Zetetic Signing Key

Before you import the key into your keyring, you should first verify the fingerprint of the key with the following command:

gpg --keyid-format 0xlong --with-fingerprint support_zetetic_net_public_key.gpg

This should print the following information, please verify the fingerprint matches:

pub   rsa4096 2014-04-22 [C] [expires: 2021-04-20]
      D83F 5F9E B811 D6E6 B4A0  D9C5 D1FA 3A2A 97ED 25C2
uid           [ unknown] Zetetic LLC <support@zetetic.net>
sub   rsa3072 2014-04-22 [S] [expires: 2021-04-20]
sub   rsa3072 2014-04-22 [E] [expires: 2021-04-20]
sub   rsa3072 2014-04-22 [A] [expires: 2021-04-20]
      

Now we can import the Zetetic key into the keyring. From a terminal prompt execute the following within the directory that contains the key:

cat support_zetetic_net_public_key.gpg | gpg --keyid-format long --import

Alternatively, you can request the key from a key server through the following command, below we will use the sks keyservers pool:

gpg --keyserver hkps://keys.openpgp.org --recv-keys D1FA3A2A97ED25C2

Again, we need to verify the fingerprint of the key matches above:

gpg --fingerprint D1FA3A2A97ED25C2

Verify Signature

With the Zetetic key properly installed in your keyring, you can now obtain the the corresponding signature(s) for the package(s) you have acquired.

Commercial and Enterprise Packages

Signatures for official SQLCipher packages are available directly from the Customer Download site. Once you download a package and the appropriate signature, execute the corresponding command to verify the signature matches the package.

gpg --verify <file>.sig <file>

For example, the following command will verify the signature of a file called sqlcipher-windows-4.4.2.zip using the detached signature sqlcipher-windows-4.4.2.zip.sig:

gpg --verify sqlcipher-windows-4.4.2.zip.sig sqlcipher-windows-4.4.2.zip

SQLCipher Core Source

This archive contains the source code for the latest release:

Package Signature Command
sqlcipher-4.4.2.zip sqlcipher-4.4.2.zip.sig gpg --verify sqlcipher-4.4.2.zip.sig sqlcipher-4.4.2.zip