Verifying Downloads: Peerio

Verifying Downloads

Windows

Windows dialog for verifying the application's signature

macOS

Linux

The Peerio updater manifest contains a signed list of SHA-512 hashes for the binaries we distribute. You can verify the manifest signature and hashes to cryptographically ensure that the files you downloaded are published by us.

Install OpenBSD’s signify utility to verify the signature from the command line:

apt-get install signify-openbsd on Ubuntu or Debian

The manifest will be signed for one of the following public keys: peerio_signify1.pub or peerio_signify2.pub

Download manifest.txt for the binary from the corresponding Github release.

The following shell command will first verify this manifest signature with signify, and then, if it’s correct, verify the SHA-512 hash of the file. If verification with one public key fails, try a different one by changing the pubkey variable.

( pubkey=signify1.pub; \ manifest=manifest.txt; \ os=linux-x64; \ cmd=$(which signify-openbsd || which signify || echo signify not found); \ $cmd -Vep $pubkey -x $manifest -m - > /dev/null && \ file=$(awk -F: -F/ "/$os-file/{print \$NF}" $manifest) && \ hash=$(awk "/$os-sha512/{print \$2}" $manifest) && \ [ "$hash" = "$(openssl dgst -sha512 $file | awk '{print $2}')" ] && \ echo OK || echo Failed )