How to verify download with pgp?

I have done this (the syncthing tar package is extracted in ~/bin):

Get the key:

 ~/bin $ gpg --recv-key BCE524C7
gpg: fordere Schlüssel BCE524C7 von hkp-Server an
gpg: /home/syncthing/.gnupg/trustdb.gpg: trust-db erzeugt
gpg: Schlüssel BCE524C7: Öffentlicher Schlüssel "Jakob Borg (calmh) <>" importiert
gpg: keine uneingeschränkt vertrauenswürdigen Schlüssel gefunden
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                              importiert: 1  (RSA: 1)

Manually compare the follow output with :

~/bin $ gpg --fingerprint BCE524C7
pub   4096R/BCE524C7 2014-03-20
  Schl.-Fingerabdruck = 9DCC 29A8 312F 5C0F 2625  E76E 49F5 AEC0 BCE5 24C7
uid                  Jakob Borg (calmh) <>
sub   4096R/276E301D 2014-03-20

verify the binary:

~/bin $ gpg --verify syncthing.asc
gpg: Unterschrift vom Fr 16 Mai 2014 16:30:25 CEST mittels RSA-Schlüssel ID BCE524C7
gpg: Korrekte Unterschrift von "Jakob Borg (calmh) <>"
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = 9DCC 29A8 312F 5C0F 2625  E76E 49F5 AEC0 BCE5 24C7

Does the last step really verify the binary? Or just the signature in the archive?

It checks the binary. You can verify this by appending some data to the binary and watching the gpg verification fail.

1 Like

As of recently, this is no longer the process. There is now a signed text file with checksums, md5 and sha1. The current process (and this should be in a howto somewhere but I’m too tired to write it up correctly right now) is to get the sha1 or md5 hash of the release package with an appropriate tool (sha1sum and md5 exist on most unixes at least), verify that this matches the hash in the text file, and then verify the signature on the text file as above.

I have a question about this topic from the perspective of a non-technical person, and a new user of Syncthing:

In addition to the versions I downloaded from the Official Syncthing site, I also downloaded the Android and Synology versions from other locations. They work, they sync, they connect to the discovery server. Everything looks good. (I have never even heard of checksum verification.)

Question: How can I be sure that what I have installed is really Syncthing, and not a hacked version that performs some additional malicious things with my data?

I know I can look at firewall logs and Wireshark logs - but is there something built into Syncthing itself that would programatically kill a hacked version before it discovered the other nodes?

EDIT: OK, I read the doc “How Node ID’s Work”. Although it’s not very newbie friendly. So I am still seeking a layman’s answer to the question asked.

You can’t, really. You can verify that the stuff you download from github is something I built, by these gpg signatures, and you can trust that what I build comes from the source code I publish, because I promise that it is. But I could be an NSA plant, so to be sure you need to audit the source and build it yourself, with a trusted compiler on a trusted computer etc. For binaries from other people you are simply trusting those people in the same manner.

The node id stuff is trustworthy, assuming you trust that syncthing actually does the verification I claim it does…

About detecting “fakes”, the protocol is designed to allow all kinds of different implementations and not just the “reference” one. So no, not possible.

Thank you for the answer. It’s honest, and clear - and appreciated!

I don’t think anyone expects you to simultaneously advance the core Syncthing code, and also be a verification service for every spin-off version that exists now, or will exist in the future.

Nothing said here frightens me away. Although I am half-hoping that someone comes along and suggests a practical way to block “fakes” or malicious activity.

Thank you.

My pleasure. Nothing of the above is in any way worse with syncthing than with any other solution. On the contrary, with syncthing there’s at least a chance that it does what the source code says it does, which is more than you get with many of the competing alternatives. :wink: