All SQLCipher binary packages prepared by Zetetic are provided with a digital signature in order to verify the authenticity of a downloaded package. Below are the steps to setup your environment, obtain the Zetetic Software public key and verify any packages you have acquired with their corresponding signatures.
The steps below will describe the usage of GnuPG (i.e.
gpg), a free implementation of the OpenPGP standard. If you already have GnuPG installed on your host machine, please skip to the next step. Depending on your operating system there are a few options available for installing a GnuPG implementation. We recommend the following:
If you are running within a Linux environment, your distribution may already include a prebuilt version, if not, consult your package manager for specific installation instructions. To verify your installation on your machine, run the following command from your terminal — it should display the current version of the
There are few ways to acquire the signing key, we will cover downloading and verifying the fingerprint of our key directly from S3 first.
Before you import the key into your keyring, you should first verify the fingerprint of the key with the following command:
gpg --keyid-format 0xlong --with-fingerprint support_zetetic_net_public_key.gpg
pub rsa4096 2014-04-22 [C] [expires: 2021-04-20] D83F 5F9E B811 D6E6 B4A0 D9C5 D1FA 3A2A 97ED 25C2 uid [ unknown] Zetetic LLC <email@example.com> sub rsa3072 2014-04-22 [S] [expires: 2021-04-20] sub rsa3072 2014-04-22 [E] [expires: 2021-04-20] sub rsa3072 2014-04-22 [A] [expires: 2021-04-20]
Now we can import the Zetetic key into the keyring. From a terminal prompt execute the following within the directory that contains the key:
cat support_zetetic_net_public_key.gpg | gpg --keyid-format long --import
Alternatively, you can request the key from a key server through the following command, below we will use the sks keyservers pool:
gpg --keyserver hkps://keys.openpgp.org --recv-keys D1FA3A2A97ED25C2
Again, we need to verify the fingerprint of the key matches above:
gpg --fingerprint D1FA3A2A97ED25C2
With the Zetetic key properly installed in your keyring, you can now obtain the the corresponding signature(s) for the package(s) you have acquired.
Signatures for official SQLCipher packages are available directly from the Customer Download site. Once you download a package and the appropriate signature, execute the corresponding command to verify the signature matches the package.
gpg --verify <file>.sig <file>
For example, the following command will verify the signature of a file called
sqlcipher-windows-4.4.0.zip using the detached signature
gpg --verify sqlcipher-windows-4.4.0.zip.sig sqlcipher-windows-4.4.0.zip
This archive contains the source code for the latest release: