In order to check the integrity of a package, download the XPI file and the corresponding signature file. All official XPI files for Windows, Linux and Mac OS X are signed with the key below, available from key servers like hkps://keyserver.dobrev.it (alternatively, the public key is also available from here). Some contributed XPI files are signed by their contributors.

Keys used to sign the packages:

  • Key for Enigmail versions 1.8 and newer:
    Key ID: 0xDB1187B9DD5F693B
    Fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B
  • Key for Enigmail versions up to 1.7.2:
    Key ID: 0xF040E41B9369CDF3
    Fingerprint: 10B2 E4A0 E718 BB1B 2791 DAC4 F040 E41B 9369 CDF3

Open a command shell and change to the directory where you have saved the files. Type:

gpg --verify filename.xpi.asc

(Replace filename.xpi.asc with the name of the signature file.) Check the output from GnuPG. If the signature is OK, GnuPG should print something like:

gpg: Good signature from "Patrick Brunschwig <[email address removed]>"
                         "Patrick Brunschwig <[email address removed]>"


The message for Enigmail up to version 1.7.2 will look like one of the following lines:

gpg: Good signature from "Patrick Brunschwig (Enigmail sig) <[email address removed]>"
gpg: Good signature from "Patrick Brunschwig (Enigmail sig) <[email address removed]>"


Please note: contributed builds are not signed by Patrick, but (if at all) by the person who contributed the build. The signature will in this case display some other name.
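
One way to script the check above so that the signer is pinned by the fingerprint listed on this page rather than by the name GnuPG displays (an added example, not part of the original page or of Enigmail's own tooling; the function names and the sample status text are assumptions made for illustration). It reads GnuPG's --status-fd output and accepts only a VALIDSIG line that carries the expected fingerprint:

```shell
#!/bin/sh
# Added example (not Enigmail project code): pin the signer by fingerprint.

# Fingerprints published on this page, spaces removed.
FPR_NEW=4F9F89F5505AC1D1A260631CDB1187B9DD5F693B   # Enigmail 1.8 and newer
FPR_OLD=10B2E4A0E718BB1B2791DAC4F040E41B9369CDF3   # Enigmail up to 1.7.2

# signer_matches STATUS_TEXT EXPECTED_FPR  (hypothetical helper name)
# Succeeds only if STATUS_TEXT has a VALIDSIG line whose signing-key
# fingerprint (first value) or primary-key fingerprint (last value)
# equals EXPECTED_FPR. Spaces and lower case in EXPECTED_FPR are accepted.
signer_matches() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    while read -r tag kind fpr rest; do
        [ "$tag" = "[GNUPG:]" ] && [ "$kind" = "VALIDSIG" ] || continue
        primary=${rest##* }
        [ "$fpr" = "$want" ] || [ "$primary" = "$want" ] && return 0
    done <<EOF
$1
EOF
    return 1
}

# verify_xpi SIGNATURE_FILE EXPECTED_FPR  (hypothetical helper name)
# Runs the page's "gpg --verify" with machine-readable status on stdout.
# A bad or missing signature makes gpg exit non-zero, which fails the check.
verify_xpi() {
    out=$(gpg --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    signer_matches "$out" "$2"
}

# Constructed status output, not captured from a real run: a signature that
# verifies, made by a key with the first fingerprint above.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DB1187B9DD5F693B Constructed User ID
[GNUPG:] VALIDSIG 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B 2015-01-01 1420070400 0 4 0 1 8 00 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B'

# Usage: verify_xpi filename.xpi.asc "$FPR_NEW" && echo "signer OK"
```

For a contributed build, pass the contributor's fingerprint, obtained from a source you trust, as the second argument instead of one of the two values above.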