Verifying Signatures

By verifying the signatures of KeePassXC releases, you can prove the authenticity and integrity of the downloaded file. This guarantees that the file you just downloaded was originally created by the KeePassXC Team and that its contents haven't been tampered with on the way.

A more detailed explanation is available in the Qubes-OS project documentation.

Download Options

Every KeePassXC release is published in a variety of package formats:

  • a *.dmg drag-and-drop installer for macOS
  • an *.exe installer and a *.zip archive with binaries for Windows
  • a self-contained executable *.AppImage for GNU/Linux
  • a *.tar.xz source tarball

You will need to download one of these to install on your machine.

Each of these package files has two related sidecar files, a *.DIGEST and a *.sig. We explain how to use these below.

Basic integrity check

The *.DIGEST file can be used to check your package downloaded correctly, with the following command:

$ shasum -a 256 -c KeePassXC-$VERSION-x86_64.AppImage.DIGEST
KeePassXC-$VERSION-x86_64.AppImage: OK

The shasum program recalculates the SHA-256 digest of the package file and compares it with the value recorded in the .DIGEST file. A match shows the package was downloaded without errors, and nothing more: the .DIGEST file is served alongside the package, so anyone able to replace the package could replace the digest with it. To know the file actually came from us you need the signature check below.

Checking integrity and authenticity

A more thorough check can be made using the *.sig sidecar file. This contains an OpenPGP signature, created with gpg, made with one of our release keys. A signature made with any other key will not verify against our public key, so you can use the signature together with our public key to check that the package file really came from us.

Importing the Public Master Key

We will use the gpg program to check the signatures. Before you can do that you need to tell gpg about our public key, by importing it.

The KeePassXC public key can be retrieved in any of the ways shown below:

  • From a specific keyserver:
    gpg --keyserver pool.sks-keyservers.net --recv-keys 0xBF5A669F2272CF4324C1FDA8CFB4C2166397D0D2
  • Manual download from our website, then import with gpg:
    gpg --import ./keepassxc_master_signing_key.asc
  • Fetch via gpg:
    gpg --fetch-keys https://keepassxc.org/keepassxc_master_signing_key.asc
  • Manual download from the KeePassXC website repository, then import with gpg:
    gpg --import ./keepassxc_master_signing_key.asc

Whichever route you use, compare the fingerprint gpg shows for the imported key with the one printed below before relying on it. A keyserver, a download link or a repository only delivers a key; the fingerprint is what identifies it as ours.

These are the fingerprints of the master key and the current signing sub keys:

pub   rsa4096/CFB4C2166397D0D2 2017-01-03 [SC]
      Key fingerprint = BF5A 669F 2272 CF43 24C1  FDA8 CFB4 C216 6397 D0D2
uid                 [  unknown  ] KeePassXC Release <release 'AT` keepassxc ^DOT' org>
sub   rsa2048/AFF235EEFB5A2517 2017-01-03 [S] [expires: 2019-01-03]
sub   rsa2048/D8538E98A26FD9C4 2017-01-03 [S] [expires: 2019-01-03]
sub   rsa2048/B7A66F03B59076A8 2017-01-03 [S] [expires: 2019-01-03]

Notice that we have a master key and some sub keys. The actual signatures are created with one of the sub keys. Sub keys are bound to the master key and travel with it: the exported master public key contains its sub keys, so importing the master key is sufficient for verifying signatures made with any of them.

Once you have imported the key, you can decide whether you want to mark it as trusted. This is not strictly necessary for the checks we are making here. For more information, see the Qubes-OS project documentation.

Verifying Releases

You can verify the authenticity and integrity of a downloaded package from its detached signature by running the following command (gpg infers the name of the signed file by dropping the .sig suffix; you can also name it explicitly as a second argument, gpg --verify FILE.sig FILE):

$ gpg --verify KeePassXC-$VERSION-x86_64.AppImage.sig
gpg: assuming signed data in 'KeePassXC-$VERSION-x86_64.AppImage'
gpg: Signature made Fri 17 Feb 2017 05:20:55 PM CET
gpg:                using RSA key C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8
gpg: Good signature from "KeePassXC Release <release 'AT` keepassxc ^DOT' org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BF5A 669F 2272 CF43 24C1  FDA8 CFB4 C216 6397 D0D2
     Subkey fingerprint: C1E4 CBA3 AD78 D3AF D894  F9E0 B7A6 6F03 B590 76A8

You want to see that "Good signature" line. It shows the .sig file must have been created from the AppImage file by the sub key with the fingerprint C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8. Check the "Primary key fingerprint" line as well: it must read BF5A 669F 2272 CF43 24C1 FDA8 CFB4 C216 6397 D0D2, the master key fingerprint given above. "Good signature" on its own only means the signature verifies with some key in your keyring; the primary key fingerprint is what ties it to us.

The warning is there because in this example we have not taken the extra step of trusting that key. It does not mean the signature is bad.

Verification fails!

Don't install the package. First, try downloading again (the package and both sidecar files) and rechecking. If it still fails, or the signature verifies but under a primary key fingerprint other than the one above, please let us know about the problem by opening an issue.
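The digest check, the signature check and the fingerprint comparison from the sections above, scripted end to end as an added example. This is not KeePassXC project code: it assumes GnuPG 2.x and one of sha256sum, shasum or openssl are installed and that the master public key has already been imported as described above. The function names (verify_digest, verify_signature, verify_release) are this example's own. It reads gpg's machine-readable --status-fd output so that a "Good signature" from a key other than the expected master key, or from an expired or revoked key, is rejected instead of being reported as success; the master fingerprint baked in as the default is the one printed on this page.

```shell
#!/usr/bin/env bash
# Added example, not KeePassXC project code: a scripted version of the checks
# on this page. Assumes GnuPG 2.x ("gpg") plus one of sha256sum, shasum or
# openssl on PATH, and that the master public key has already been imported.
set -u

# Master key fingerprint as printed on this page; pass a second argument to
# verify_release if the project ever publishes a new master key.
KEEPASSXC_MASTER_FPR="BF5A669F2272CF4324C1FDA8CFB4C2166397D0D2"

# Print the SHA-256 hex digest of a file with whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# Basic integrity check: the .DIGEST sidecar holds "<hex digest>  <filename>"
# (the format shasum -c reads). This only detects a corrupted download; the
# sidecar comes from the same place as the package, so it proves nothing
# about who built it. Returns 0 on match, 1 otherwise.
verify_digest() {
  pkg=$1
  digest_file="$pkg.DIGEST"
  [ -f "$digest_file" ] || { echo "missing $digest_file" >&2; return 1; }
  expected=$(awk 'NR == 1 {print $1}' "$digest_file")
  named=$(awk 'NR == 1 {print $2}' "$digest_file")
  named=${named#\*}                       # sha256sum -b writes "*name"
  actual=$(sha256_of "$pkg")
  if [ "$named" != "$(basename "$pkg")" ]; then
    echo "DIGEST is for '$named', not '$(basename "$pkg")'" >&2; return 1
  fi
  if [ "$actual" != "$expected" ]; then
    echo "SHA-256 mismatch: got $actual, DIGEST says $expected" >&2; return 1
  fi
  echo "$(basename "$pkg"): OK"
}

# Integrity and authenticity: verify the detached signature, then insist that
# the key which made it belongs to the expected primary key. gpg's status
# output (--status-fd) emits one VALIDSIG line per good signature; its last
# field is the primary key fingerprint, so a "Good signature" from some other
# key that happens to be in your keyring is still rejected. Signatures from
# expired or revoked keys (EXPKEYSIG/REVKEYSIG) are rejected as well.
# Returns 0 only for a valid signature under the expected primary key.
verify_signature() {
  pkg=$1
  expected_fpr=$(printf '%s' "${2:-$KEEPASSXC_MASTER_FPR}" | tr -d ' ' | tr 'a-f' 'A-F')
  sig_file="$pkg.sig"
  [ -f "$sig_file" ] || { echo "missing $sig_file" >&2; return 1; }
  # Name the data file explicitly instead of letting gpg guess it.
  status=$(gpg --batch --status-fd 1 --verify "$sig_file" "$pkg" 2>/dev/null) || {
    echo "gpg --verify failed: bad signature, or signing key not imported" >&2
    return 1
  }
  if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (EXPKEYSIG|REVKEYSIG) '; then
    echo "signature made with an expired or revoked key" >&2; return 1
  fi
  got_fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" {print $NF; exit}')
  if [ -z "$got_fpr" ]; then
    echo "no VALIDSIG in gpg status output" >&2; return 1
  fi
  if [ "$got_fpr" != "$expected_fpr" ]; then
    echo "signed under primary key $got_fpr, expected $expected_fpr" >&2; return 1
  fi
  echo "$(basename "$pkg"): good signature, primary key $got_fpr"
}

# Run both checks in order; a failure of either means: do not install.
verify_release() {
  verify_digest "$1" && verify_signature "$1" "${2:-$KEEPASSXC_MASTER_FPR}"
}

# Usage: verify-release.sh KeePassXC-$VERSION-x86_64.AppImage [MASTER_FPR]
if [ "$#" -ge 1 ]; then
  verify_release "$@"
fi
```

Run it from the directory holding the package and its two sidecar files; a non-zero exit status, with the reason on stderr, is the "verification fails" case above. Normalising the expected fingerprint (spaces removed, upper case) lets you paste it exactly as printed on this page.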