Verifying Releases

For each release artifact, EnvKey publishes a code signature. The code signature can be verified with minisign using our public key:

RWQ5lgVbbidOxaoIEsqZjbI6hHdS5Ri/SrDk9rNFFgiQZ4COuk6Li2HK

How to verify

  • Install minisign.

  • Run the following (set or substitute ARTIFACT_URL for the artifact you want to verify):

ARTIFACT_URL=<insert-artifact-url> \
&& curl -O $ARTIFACT_URL -O $ARTIFACT_URL.minisig \
&& { minisign -Vm $(basename $ARTIFACT_URL) -P "RWQ5lgVbbidOxaoIEsqZjbI6hHdS5Ri/SrDk9rNFFgiQZ4COuk6Li2HK" || { rm $(basename $ARTIFACT_URL) && $(basename $ARTIFACT_URL).minisig &&  echo "Error: $(basename $ARTIFACT_URL) signature invalid. Exiting with error." >&2; exit 1; }; } \
&& echo $(basename $ARTIFACT_URL) verified \
&& chmod +x $(basename $ARTIFACT_URL) \
&& ./$(basename $ARTIFACT_URL) \
&& rm $(basename $ARTIFACT_URL) $(basename $ARTIFACT_URL).minisig

It will print Signature and comment signature verified if successful.

Verify and install EnvKey UI for Linux

To verify the latest release of the EnvKey UI for Linux, then execute:

LATEST_VERSION=$(curl https://envkey-releases.s3.amazonaws.com/latest/desktop-version.txt) \
&& ARTIFACT_URL=https://envkey-releases.s3.amazonaws.com/desktop/release_artifacts/$LATEST_VERSION/EnvKey-$LATEST_VERSION.AppImage \
&& curl -O $ARTIFACT_URL -O $ARTIFACT_URL.minisig \
&& { minisign -Vm $(basename $ARTIFACT_URL) -P "RWQ5lgVbbidOxaoIEsqZjbI6hHdS5Ri/SrDk9rNFFgiQZ4COuk6Li2HK" || { rm $(basename $ARTIFACT_URL) && $(basename $ARTIFACT_URL).minisig &&  echo "Error: ${basename $ARTIFACT_URL} signature invalid. Exiting with error." >&2; exit 1; }; } \
&& echo $(basename $ARTIFACT_URL) verified \
&& chmod +x $(basename $ARTIFACT_URL) \
&& ./$(basename $ARTIFACT_URL) \
&& rm $(basename $ARTIFACT_URL) $(basename $ARTIFACT_URL).minisig

👍

Mac and Windows signatures

Mac and Windows builds of the EnvKey UI are verified by the OS, so no additional verification of these archives is needed. That said, .minisig signatures are still generated for all Mac and Windows artifacts, so you can verify them with minisign if you want to. You can find a list of all UI artifacts for every release here.

Verify and install envkey-source from standalone install script

To verify the standalone install script for envkey-source, then install the latest version:

LATEST_VERSION=$(curl https://envkey-releases.s3.amazonaws.com/latest/envkeysource-version.txt) \
&& ARTIFACT_URL=https://envkey-releases.s3.amazonaws.com/envkeysource/release_artifacts/$LATEST_VERSION/install.sh \
&& curl -O $ARTIFACT_URL -O $ARTIFACT_URL.minisig \
&& { minisign -Vm install.sh -P "RWQ5lgVbbidOxaoIEsqZjbI6hHdS5Ri/SrDk9rNFFgiQZ4COuk6Li2HK" || { rm install.sh && install.sh.minisig &&  echo "Error: install.sh signature invalid. Exiting with error." >&2; exit 1; }; } \
&& echo install.sh verified \
&& chmod +x install.sh \
&& ./install.sh \
&& rm install.sh install.sh.minisig

Verify and install EnvKey CLI from standalone install script

To verify the standalone install script for the EnvKey CLI, then install the latest version:

LATEST_VERSION=$(curl https://envkey-releases.s3.amazonaws.com/latest/cli-version.txt) \
&& ARTIFACT_URL=https://envkey-releases.s3.amazonaws.com/cli/release_artifacts/$LATEST_VERSION/install.sh \
&& curl -O $ARTIFACT_URL -O $ARTIFACT_URL.minisig \
&& { minisign -Vm install.sh -P "RWQ5lgVbbidOxaoIEsqZjbI6hHdS5Ri/SrDk9rNFFgiQZ4COuk6Li2HK" || { rm install.sh && install.sh.minisig &&  echo "Error: install.sh signature invalid. Exiting with error." >&2; exit 1; }; } \
&& echo install.sh verified \
&& chmod +x install.sh \
&& ./install.sh \
&& rm install.sh install.sh.minisig

👍

Standalone install scripts and UI auto-install verification

If you have minisign installed on your system (and available in your $PATH), and you run the standalone install script for either envkey-source or the EnvKey CLI, the scripts will verify the downloaded binaries during installation. So by verifying the install.sh script in the examples above, you'll verify both the install script and the binaries it downloads and installs.

The EnvKey UI also verifies signatures for the envkey-source and EnvKey CLI binaries when it auto-installs them, both on first run and subsequent user-initiated updates.

Verify other release artifacts

Urls for all release artifacts can be found on the releases page of the EnvKey v2 monorepo.