In order to check the integrity and authenticity of a package, download the XPI file and the corresponding signature file. All official XPI files for Windows, Linux and Mac OS X are signed with one of the keys below, which are available from any key server (alternatively, the public key is also available from here). Some contributed XPI files are signed by their contributors.

Keys used to sign the packages:

  • Key for Enigmail versions 1.8 and newer:
    Key ID: 0xDD5F693B
    Fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B
  • Key for Enigmail versions up to 1.7.2:
    Key ID: 0x9369CDF3
    Fingerprint: 10B2 E4A0 E718 BB1B 2791 DAC4 F040 E41B 9369 CDF3


Open a command shell and change to the directory where you have saved the files. Type:

gpg --verify filename.xpi.asc

(filename.xpi.asc is the detached signature file; GnuPG expects the signed file, filename.xpi, in the same directory.) Check the output from GnuPG. A "Good signature" line only means that the signature verifies against some key in your keyring, so also confirm that the key ID and fingerprint belong to one of the keys listed above. If the signature is OK, GnuPG should print something like:

gpg: Good signature from "Patrick Brunschwig <patrick@enigmail.net>"
                         "Patrick Brunschwig <patrick@brunschwig.net>"


The message for Enigmail up to version 1.7.2 will look like one of the following lines:

gpg: Good signature from "Patrick Brunschwig (Enigmail sig) <patrick@enigmail.net>"
gpg: Good signature from "Patrick Brunschwig (Enigmail sig) <enigmail@mozdev.org>"


Please note: contributed builds are not signed by Patrick but, if at all, by the person who contributed the build. In that case the signature will show a different name and a different key.
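The following shell script is an added example, not part of the Enigmail page or the project's own tooling. It runs the same gpg --verify as above but reads GnuPG's machine-readable status output (--status-fd) and accepts a signature only when GOODSIG is reported and the VALIDSIG fingerprint is one of the two keys listed above, so that a "Good signature" from an unrelated key in the keyring is rejected. The file name enigmail.xpi.asc in the usage comment is an assumption; the fingerprints are the ones from the page with the spaces removed, which is how GnuPG prints them on status lines.

```sh
#!/bin/sh
# Added example (not from the Enigmail page): verify a detached signature and
# insist that the signing key is one of the known Enigmail keys.

# Fingerprints from the page, spaces removed (GnuPG status lines use 40 hex chars).
KEY_NEW="4F9F89F5505AC1D1A260631CDB1187B9DD5F693B"   # Enigmail 1.8 and newer
KEY_OLD="10B2E4A0E718BB1B2791DAC4F040E41B9369CDF3"   # Enigmail up to 1.7.2

# Fetch the keys by full fingerprint rather than by 32-bit short key ID;
# short IDs are cheap to collide, full fingerprints are not:
#   gpg --recv-keys "$KEY_NEW" "$KEY_OLD"

# check_status reads gpg --status-fd output on stdin. It succeeds only when:
#  - a GOODSIG line is present,
#  - no BADSIG/ERRSIG/REVKEYSIG/EXPKEYSIG/NO_PUBKEY line is present, and
#  - the VALIDSIG line names a known fingerprint, either as the signing
#    (sub)key fingerprint (field 1) or as the primary key fingerprint (field 10).
check_status() {
    good=0; bad=0; fpr_ok=0
    while read -r tag kw f1 f2 f3 f4 f5 f6 f7 f8 f9 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            GOODSIG) good=1 ;;
            BADSIG|ERRSIG|REVKEYSIG|EXPKEYSIG|NO_PUBKEY) bad=1 ;;
            VALIDSIG)
                primary="${rest%% *}"
                for k in "$KEY_NEW" "$KEY_OLD"; do
                    if [ "$f1" = "$k" ] || [ "$primary" = "$k" ]; then
                        fpr_ok=1
                    fi
                done ;;
        esac
    done
    if [ "$bad" -eq 0 ] && [ "$good" -eq 1 ] && [ "$fpr_ok" -eq 1 ]; then
        return 0
    fi
    return 1
}

# verify_xpi runs the page's gpg --verify with status lines on stdout (fd 1);
# the human-readable "Good signature from ..." text still appears on stderr.
verify_xpi() {
    sig="$1"   # e.g. enigmail.xpi.asc (assumed name); gpg looks for enigmail.xpi next to it
    gpg --status-fd 1 --verify "$sig" | check_status
}

# Usage: sh verify-enigmail.sh enigmail.xpi.asc
if [ "$#" -eq 1 ]; then
    if verify_xpi "$1"; then
        echo "OK: signature valid and made by a known Enigmail key"
    else
        echo "FAIL: bad signature or signature from an unexpected key" >&2
        exit 1
    fi
fi
```

The point of checking the fingerprint rather than the printed user ID is that anyone can create a key with the user ID "Patrick Brunschwig <patrick@enigmail.net>"; GnuPG would still print "Good signature" for it once the key is in your keyring. For a contributed build signed by its contributor, add that contributor's fingerprint to the list after verifying it out of band.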