The hashes of the binary artefacts of the rclone release are signed with a public PGP/GPG key. This can be verified manually as described below.
The same mechanism is also used by rclone selfupdate to verify that the release has not been tampered with before the new update is installed. This checks the SHA256 hash and the signature with a public key compiled into the rclone binary.
You may obtain the release signing key from:
```
gpg --keyserver hkps://keys.openpgp.org --search firstname.lastname@example.org
gpg --keyserver hkps://keyserver.ubuntu.com --search email@example.com
```
After importing the key, verify that the fingerprint of one of the keys matches FBF737ECE9F8AB18604BD2AC93935E02FF3B54FA, as this key is used for signing.
We recommend that you cross-check the fingerprint shown above through the domains listed below. By cross-checking the integrity of the fingerprint across multiple domains you can be confident that you obtained the correct key.
```
dig key.rclone.org txt
```
If you find anything that doesn't match, please contact the developers at once.
In the release directory you will see the release files and some files called MD5SUMS, SHA1SUMS and SHA256SUMS:
```
$ rclone lsf --http-url https://downloads.rclone.org/v1.63.1 :http:
MD5SUMS
SHA1SUMS
SHA256SUMS
rclone-v1.63.1-freebsd-386.zip
rclone-v1.63.1-freebsd-amd64.zip
...
rclone-v1.63.1-windows-arm64.zip
rclone-v1.63.1.tar.gz
version.txt
```
SHA256SUMS contains hashes of the binary files in the release directory along with a signature.
```
$ rclone cat --http-url https://downloads.rclone.org/v1.63.1 :http:SHA256SUMS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

f6d1b2d7477475ce681bdce8cb56f7870f174cb6b2a9ac5d7b3764296ea4a113  rclone-v1.63.1-freebsd-386.zip
7266febec1f01a25d6575de51c44ddf749071a4950a6384e4164954dff7ac37e  rclone-v1.63.1-freebsd-amd64.zip
...
66ca083757fb22198309b73879831ed2b42309892394bf193ff95c75dff69c73  rclone-v1.63.1-windows-amd64.zip
bbb47c16882b6c5f2e8c1b04229378e28f68734c613321ef0ea2263760f74cd0  rclone-v1.63.1-windows-arm64.zip
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQT79zfs6firGGBL0qyTk14C/ztU+gUCZLVKJQAKCRCTk14C/ztU
+pZuAJ0XJ+QWLP/3jCtkmgcgc4KAwd/rrwCcCRZQ7E+oye1FPY46HOVzCFU3L7g=
=8qrL
-----END PGP SIGNATURE-----
```
The first step is to download the binary and SUMs file and verify that the SUMs you have downloaded match. Here we download rclone-v1.63.1-windows-amd64.zip - choose the binary (or binaries) appropriate to your architecture. We've also chosen the SHA256SUMS as these are the most secure. You could verify the other types of hash also for extra security. rclone selfupdate verifies just the SHA256SUMS.
```
$ mkdir /tmp/check
$ cd /tmp/check
$ rclone copy --http-url https://downloads.rclone.org/v1.63.1 :http:SHA256SUMS .
$ rclone copy --http-url https://downloads.rclone.org/v1.63.1 :http:rclone-v1.63.1-windows-amd64.zip .
```
First verify the signatures on the SHA256 file.
Import the key. See above for ways to verify this key is correct.
```
$ gpg --keyserver keyserver.ubuntu.com --receive-keys FBF737ECE9F8AB18604BD2AC93935E02FF3B54FA
gpg: key 93935E02FF3B54FA: public key "Nick Craig-Wood <firstname.lastname@example.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
```
Then check the signature:
```
$ gpg --verify SHA256SUMS
gpg: Signature made Mon 17 Jul 2023 15:03:17 BST
gpg:                using DSA key FBF737ECE9F8AB18604BD2AC93935E02FF3B54FA
gpg: Good signature from "Nick Craig-Wood <email@example.com>" [ultimate]
```
Verify the signature was good and is using the fingerprint shown above.
Repeat for MD5SUMS and SHA1SUMS if desired.
Now that we know the signatures on the hashes are OK we can verify the binaries match the hashes, completing the verification.
```
$ sha256sum -c SHA256SUMS 2>&1 | grep OK
rclone-v1.63.1-windows-amd64.zip: OK
```
Or do the check with rclone:
```
$ rclone hashsum sha256 -C SHA256SUMS rclone-v1.63.1-windows-amd64.zip
2023/09/11 10:53:58 NOTICE: SHA256SUMS: improperly formatted checksum line 0
2023/09/11 10:53:58 NOTICE: SHA256SUMS: improperly formatted checksum line 1
2023/09/11 10:53:58 NOTICE: SHA256SUMS: improperly formatted checksum line 49
2023/09/11 10:53:58 NOTICE: SHA256SUMS: 4 warning(s) suppressed...
= rclone-v1.63.1-windows-amd64.zip
2023/09/11 10:53:58 NOTICE: Local file system at /tmp/check: 0 differences found
2023/09/11 10:53:58 NOTICE: Local file system at /tmp/check: 1 matching files
```
You can verify the signatures and hashes in one command line like this:
```
$ gpg --decrypt SHA256SUMS | sha256sum -c --ignore-missing
gpg: Signature made Mon 17 Jul 2023 15:03:17 BST
gpg:                using DSA key FBF737ECE9F8AB18604BD2AC93935E02FF3B54FA
gpg: Good signature from "Nick Craig-Wood <firstname.lastname@example.org>" [ultimate]
gpg:                 aka "Nick Craig-Wood <email@example.com>" [unknown]
rclone-v1.63.1-windows-amd64.zip: OK
```
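The manual steps above (check the signature and that it was made by the expected fingerprint, then compare the hashes inside the signed region against the downloaded files, as `sha256sum -c --ignore-missing` does) combined into one script. This is an added example, not rclone's own code; it assumes gpg is on PATH with the release key imported, and the function names (`verify_release` and the others) are hypothetical.

```python
import hashlib
import re
import subprocess
from pathlib import Path

RELEASE_KEY_FPR = "FBF737ECE9F8AB18604BD2AC93935E02FF3B54FA"  # fingerprint from the page

def parse_validsig(status_output: str) -> "str | None":
    """Fingerprint from gpg's '[GNUPG:] VALIDSIG <fpr> ...' status line, if any."""
    m = re.search(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})\b", status_output, re.M)
    return m.group(1) if m else None

def verify_signature(sums_path: Path, expected_fpr: str = RELEASE_KEY_FPR) -> bool:
    """True only for a valid signature by the expected key ('Good signature' alone is not enough)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sums_path)],
        capture_output=True, text=True, check=False)
    return proc.returncode == 0 and parse_validsig(proc.stdout) == expected_fpr

def signed_hashes(sums_text: str) -> dict:
    """filename -> sha256, read only from inside the PGP signed region (armor and 'Hash:' lines skipped)."""
    hashes, in_body = {}, False
    for line in sums_text.splitlines():
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_body = True
        elif line == "-----BEGIN PGP SIGNATURE-----":
            break  # anything after the signature is unsigned and ignored
        elif in_body:
            if line.startswith("- "):  # undo cleartext-signature dash escaping
                line = line[2:]
            m = re.fullmatch(r"([0-9a-f]{64}) [ *](\S+)", line)
            if m:
                hashes[m.group(2)] = m.group(1)
    return hashes

def check_files(hashes: dict, directory: Path) -> dict:
    """OK/FAILED per listed file present locally (like sha256sum -c --ignore-missing)."""
    results = {}
    for name, expected in hashes.items():
        path = directory / name
        if path.exists():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            results[name] = "OK" if digest == expected else "FAILED"
    return results

def verify_release(sums_path: Path) -> dict:
    """Signature first, then hashes of the files next to SHA256SUMS."""
    if not verify_signature(sums_path):
        raise RuntimeError("SHA256SUMS signature bad, missing, or from the wrong key")
    return check_files(signed_hashes(sums_path.read_text()), sums_path.parent)
```

`gpg --verify` exits 0 and prints "Good signature" for any key in your keyring, so the script matches the VALIDSIG fingerprint against the one shown above rather than trusting the exit status alone.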