Public key for verifying download signatures?

I prefer to verify and authenticate software I download before installing it, but I have been unable to locate Etcher’s page that provides fingerprints, signature files, etc.

Am I missing something?


On the github release pages, you have files named latest-<platform>.yml; they contain the sha512 of the installers. See here for example:

zvin, thank you. I know now to go there for downloads, as the [latest-mac.yml] gives the hash value for the .zip file, rather than the .dmg file on the Downloads page.

There are two issues, however.

  1. I still need the Public Key and Signing Key in order to verify signatures.

  2. The hash values in the .yml file didn’t match those that I generated on the command line. Here are my results:
    From latest-mac.yml: sha512: qM6gtHhffpRzeHyXy3WYx+MWG0hLp8FMyfsbR3JrynLbGP/b1TkKovG3JW8DCgFQpMzsxuQt+VQvAWwJb/HUnQ==

From Mac Terminal shasum -a 512

Advice, please?

This was covered in

To verify the release with what’s currently available on github you can run:
curl -sSfL | openssl dgst -sha512 -binary | openssl enc -base64

I’m not sure what you mean by:

I still need the Public Key and Signing Key in order to verify signatures

as far as I’m aware we don’t currently provide signatures, only artifact checksums

qM6gtHhffpRzeHyXy3WYx+MWG0hLp8FMyfsbR3JrynLbGP/b1TkKovG3JW8DCgFQpMzsxuQt+VQvAWwJb/HUnQ== is the base64 encoded sha512

You can get it in hexadecimal format with
echo qM6gtHhffpRzeHyXy3WYx+MWG0hLp8FMyfsbR3JrynLbGP/b1TkKovG3JW8DCgFQpMzsxuQt+VQvAWwJb/HUnQ== | base64 -d | xxd -p

or with python
python3 -c 'from base64 import b64decode; from sys import argv; from codecs import encode; print(encode(b64decode(argv[1]), "hex"))' qM6gtHhffpRzeHyXy3WYx+MWG0hLp8FMyfsbR3JrynLbGP/b1TkKovG3JW8DCgFQpMzsxuQt+VQvAWwJb/HUnQ==
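The whole check described in this thread (read the base64 sha512 from latest-<platform>.yml, hash the downloaded file, compare, and convert the digest to the hex form `shasum -a 512` prints) as one script. This is an added example, not balena's code; the yml fragment, version number, file name and installer bytes are constructed stand-ins, and the minimal line parser is an assumption that only covers the `url:`/`sha512:` layout shown in the thread.

```python
"""Verify a download against the base64 sha512 in an electron-builder
latest-<platform>.yml. Added example; the inputs below are constructed."""
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the installer bytes a user would have downloaded.
SAMPLE_INSTALLER = b"not a real installer, just sample bytes\n" * 1000


def _b64_sha512(data: bytes) -> str:
    """Base64 of the raw sha512 digest, the encoding the yml file uses."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


# Constructed latest-mac.yml fragment (version and file name are made up);
# its sha512 line is computed from SAMPLE_INSTALLER so the example is consistent.
SAMPLE_YML = (
    "version: 1.5.0\n"
    "files:\n"
    "  - url: balenaEtcher-1.5.0-mac.zip\n"
    f"    sha512: {_b64_sha512(SAMPLE_INSTALLER)}\n"
    "    size: 90000000\n"
    "path: balenaEtcher-1.5.0-mac.zip\n"
)


def expected_hashes(yml_text: str) -> dict:
    """Return {artifact filename: base64 sha512} from a latest-*.yml.
    Tiny line-oriented parser (assumption: the url/sha512 layout above);
    a real tool could use PyYAML instead."""
    hashes = {}
    current = None
    for line in yml_text.splitlines():
        m_url = re.match(r"\s*-\s*url:\s*(\S+)", line)
        m_sha = re.match(r"\s*sha512:\s*(\S+)", line)
        if m_url:
            current = m_url.group(1)
        elif m_sha and current:
            hashes[current] = m_sha.group(1)
            current = None
    return hashes


def b64_to_hex(b64_digest: str) -> str:
    """Convert the yml's base64 sha512 into the hex string shasum -a 512 prints."""
    return base64.b64decode(b64_digest).hex()


def verify(data: bytes, b64_digest: str) -> bool:
    """True iff sha512(data) equals the digest from the yml."""
    actual = hashlib.sha512(data).digest()
    expected = base64.b64decode(b64_digest)
    # Reject anything that is not a full 64-byte digest (a truncated or
    # garbled value must fail closed), then compare in constant time.
    return len(expected) == 64 and hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for name, digest in expected_hashes(SAMPLE_YML).items():
        status = "OK" if verify(SAMPLE_INSTALLER, digest) else "MISMATCH"
        print(name, b64_to_hex(digest), status)
```

A matching checksum only shows the bytes you have are the bytes the release page describes; as the thread notes, it is not a signature and says nothing about who produced them.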

Well, public key/signing key verifies that the downloaded software is the actual software the Team produced. Hash validates that there was no download fault. Both are necessary.

In the link, AreDubya appears right. The approach I used: shasum -a 512 should match what you provide in latest-<platform>.yml. This is the standard approach used in software hash-checking (though most use 256 in lieu of 512). There are certainly other ways to compare the output - I use the simplest; generate them both then visually compare the output. I use that because I understand it.

robertgzr, thanks for the curl command string, but I don’t understand it and would prefer to avoid software checking with something I don’t understand.


hey @seth, it's basically doing what @zvin shows above but using openssl:

MacOS and Windows builds are signed.

I don’t think macOS would run unsigned binaries anyway.
You can use codesign -dv --verbose=4 /Applications/ to check the signature.

On Windows, I believe you can access signature information in the executable properties.

zvin: “I don’t think macOS would run unsigned binaries anyway.” I don’t think so, either, but I don’t know how the signing works. If a person is phished to another site in which the binary is signed, but not by balena-Etcher, would it still run? One common way of injecting adware/malware onto a system is to encapsulate a good product with malware; would the encapsulator signature then be installable because it’s signed? I don’t know the answers to these things.

I do know that I have a reasonable amount of open source software on my machine, including KeePass variants, OpenVPN, nmap, gpgTools, Ubuntu, Mint among them, and all of them provide PK signature verification, as well as artifact checksums validation. I hope balena-Etcher does so in the future.


This does seem like a fairly reasonable request. Would you be able to create an issue on the balena-etcher repo? This would probably be the best place to pursue this.

Certainly. I’ll ask a friend to do it.

Done, issue #2850: