To check the integrity of a package, download the XPI file and the corresponding signature file. All official XPI files for Windows, Linux and Mac OS X are signed with the key below, available from key servers like hkps://keyserver.dobrev.it (alternatively, the public key is also available from here). Some contributed XPI files are signed by their contributors.
Keys used to sign the packages:
- Key for Enigmail versions 1.8 and newer:
  Key ID: 0xDB1187B9DD5F693B
  Fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B
- Key for Enigmail versions up to 1.7.2:
  Key ID: 0xF040E41B9369CDF3
  Fingerprint: 10B2 E4A0 E718 BB1B 2791 DAC4 F040 E41B 9369 CDF3
Open a command shell and change to the directory where you have saved the files. Type:
gpg --verify filename.xpi.asc
(filename.xpi.asc is the name of the signature file.) Check the output from GnuPG. If the signature is OK, GnuPG should print something like:
gpg: Good signature from "Patrick Brunschwig <[email address]>" "Patrick Brunschwig <[email address]>"
The message for Enigmail up to version 1.7.2 will look like one of the following lines:
gpg: Good signature from "Patrick Brunschwig (Enigmail sig) <[email address]>"
gpg: Good signature from "Patrick Brunschwig (Enigmail sig) <[email address]>"
Please note: contributed builds are not signed by Patrick, but (if at all) by the person who contributed the build. The signature will in this case display some other name.
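GnuPG prints "Good signature" for any key present in your keyring, so the name in that line is not enough to tell an official build from one signed by someone else. The following shell functions are an added example (not part of the original page or of the Enigmail project): they read GnuPG's machine-readable `--status-fd` output and accept the file only if the signing key's primary fingerprint is one of the two listed above. The function names are hypothetical, and a contributed build signed by another key is reported as unexpected.

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint instead of reading the UID text.
# Fingerprints copied from this page, with the spaces removed.
ENIGMAIL_FPR_NEW=4F9F89F5505AC1D1A260631CDB1187B9DD5F693B  # versions 1.8 and newer
ENIGMAIL_FPR_OLD=10B2E4A0E718BB1B2791DAC4F040E41B9369CDF3  # versions up to 1.7.2

# Read "gpg --status-fd" lines on stdin and print the primary-key fingerprint
# of the first cryptographically valid signature. Exit status 1 if there is none.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             # Field 12 is the primary key; older GnuPG only gives field 3.
             print toupper(NF >= 12 ? $12 : $3); found = 1; exit
         }
         END { if (!found) exit 1 }'
}

# Succeed only for the two fingerprints published on this page.
is_enigmail_key() {
    case "$1" in
        "$ENIGMAIL_FPR_NEW"|"$ENIGMAIL_FPR_OLD") return 0 ;;
        *) return 1 ;;
    esac
}

# Decide on status output read from stdin:
#   0 = valid signature from a pinned key
#   1 = no valid signature (bad, missing key, expired, ...)
#   2 = valid signature, but from a key that is not pinned
check_status() {
    fpr=$(signer_fpr) || { echo "REJECT: no valid signature"; return 1; }
    is_enigmail_key "$fpr" || { echo "REJECT: signed by unexpected key $fpr"; return 2; }
    echo "OK: signed by $fpr"
}

# Usage: verify_xpi filename.xpi.asc
# The signed file is assumed to sit next to the signature, without ".asc".
verify_xpi() {
    gpg --batch --status-fd 1 --verify "$1" "${1%.asc}" 2>/dev/null | check_status
}
```

Import the signing key first (for example from the key server named above), then call `verify_xpi filename.xpi.asc` and act on its exit status.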