Verifying the Signature of Enigmail Downloads

In order to check the integrity of a package, download the XPI file and the corresponding signature file. All official XPI files for Windows, Linux and Mac OS X are signed with the key below, available from any key server (alternatively, the public key is also available from here). Some contributed XPI files are signed by their contributors.

Keys used to sign the packages:

• Key for Enigmail versions 1.8 and newer:
  Key ID: 0xDD5F693B
  Fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B

• Key for Enigmail versions up to 1.7.2:
  Key ID: 0x9369CDF3
  Fingerprint: 10B2 E4A0 E718 BB1B 2791 DAC4 F040 E41B 9369 CDF3

   

Open a command shell and change to the directory where you have saved the files. Type:

gpg --verify filename.xpi.asc

(filename is the name of the signature file.) Check the output from GnuPG. If the signature is OK, then GnuPG should should print see something like:

gpg: Good signature from "Patrick Brunschwig <This email address is being protected from spambots. You need JavaScript enabled to view it.>"
                         "Patrick Brunschwig <This email address is being protected from spambots. You need JavaScript enabled to view it.>"

The message for Enigmail up to version 1.7.2 will look like one of the following lines:

gpg: Good signature from "Patrick Brunschwig (Enigmail sig) <This email address is being protected from spambots. You need JavaScript enabled to view it.>"
gpg: Good signature from "Patrick Brunschwig (Enigmail sig) <This email address is being protected from spambots. You need JavaScript enabled to view it.>"

Please note: contributed builds are not signed by Patrick, but (if at all) by the person who contributed the build. The signature will in this case display some other name.