GPG verification process is pretty rough #6030

@AndySchroder

Description

I go to

https://delta.chat/en/verify-downloads

it says

You can find detailed instructions for verification at https://download.delta.chat/desktop/v<version>/signature.asc

I then go to https://delta.chat/en/download. There is no direct link to https://download.delta.chat/desktop/v<version>/signature.asc for the current version.

I then take a look at the link https://download.delta.chat/desktop/v2.35.0/deltachat-desktop_2.35.0_amd64.deb

and decide to browse to

https://download.delta.chat/desktop/v2.35.0/

to see what might be there.

I find https://download.delta.chat/desktop/v2.35.0/signatures/ , but I have no idea what those files are for. Then I find

https://download.delta.chat/desktop/v2.35.0/signature.asc

inside signature.asc I see

$ cat signature.asc 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Checksums (shasum):

4c8702252940343c7dfa41519e6cce180ee8be61  DeltaChat-2.35.0-Portable.x64.exe
292fcf80daf60462fe055e9ecbe84a3a53af6902  DeltaChat-2.35.0-Setup.x64.exe
bda96c21181014b0657c4713dac25a64d033ceae  DeltaChat-2.35.0-arm64.AppImage
1b318bc59a9d3534c18b87d473d71fbf42e76580  DeltaChat-2.35.0-arm64.dmg
08cd7cca9d03eaa4958b6f4fde0725cab6d70e21  DeltaChat-2.35.0-universal.dmg
1c9cf86e9dc56d6dd6cdfb60c4cfd445c6a95612  DeltaChat-2.35.0-x86_64.AppImage
b70cc83bf16878b92617ea28f7705b8143973466  deltachat-desktop-2.35.0-aarch64.pacman
093477588baaa62462b0feb246606ea0b43d2034  deltachat-desktop-2.35.0-arm64.tar.gz
c21d714519fa869056797780fcc44aa6a526e490  deltachat-desktop-2.35.0.aarch64.rpm
93fee54dd61194b3612eba8672e27a9748dec92e  deltachat-desktop-2.35.0.pacman
a50afde5d630019deb26d5ee792b1cc3e0cc9319  deltachat-desktop-2.35.0.tar.gz
5885d9dd6b19f50946f7cf59cc9772b5779ac1bb  deltachat-desktop-2.35.0.x86_64.rpm
7f6f7db44cb58e11efdb755e109988d4cf386561  deltachat-desktop_2.35.0_amd64.deb
5f5d227ae61cc64fd5a0052137f285fa9aed657f  deltachat-desktop_2.35.0_arm64.deb
88117292d60dea736ee0c3d0fb8ac58261771b92  deltachat-tauri-2.35.0-1.x86_64.rpm
8b41117f876a2faf34538a3e15b74bb00bc4b6e5  deltachat-tauri_2.35.0_aarch64.dmg
3a6330deb5a4c48e1e8b3234c4194385c715b529  deltachat-tauri_2.35.0_amd64.AppImage
6d61340f65e3a290c0e98aff352ac936a8738016  deltachat-tauri_2.35.0_amd64.deb
f7544a371c9ab774e35e2de6dd6f5daa002639a3  deltachat-tauri_2.35.0_universal.dmg
ab9a623fa43fc09c268af19db852454c301a716d  deltachat-tauri_2.35.0_x64-setup.exe
a794881bc862d6d9de62e7dc90393260a1693335  deltachat-tauri_2.35.0_x64_en-US.msi

Checksums (shasum -a 512):

b67e3e0fde06a1a98631a5a4a32221de879e28029542726bc8646418ba90db2b681b46130b9cb955e3b470a7a007c6d067da3a317cafc6d3d13dc28d242cf0be  DeltaChat-2.35.0-Portable.x64.exe
5a83e282dfa98908a0dadd19260405c8093dd2a3b0c451cc281f05034bc6900751b8b86cb1bfd68d5ff2f14373f31f2426213c7f615720853d509930fa4ef9b1  DeltaChat-2.35.0-Setup.x64.exe
34bebfba5d83a10a0ebb2ded889eeedd2b22f9fbf845fa23f7ef1997acb12991c2ef74a4025ed599dc38c7f52d7413fcf586e9fb90a9deebdd8f06caf504faab  DeltaChat-2.35.0-arm64.AppImage
f30ba5e1e7c83ba3abf2ff84dceaed0622c24bffbaa86ce4cb2538e367e1a59774dbfe38dd206035183baeb06985d3079f924c75dfea869ec872098f50c0acd9  DeltaChat-2.35.0-arm64.dmg
22d98e0c83c901c59132bc44039cab57722d355999ff348f344b772c55860ca5ade48a19f0a670324f2a06813368eedef094693e76f9950f0c1068889fb6ad2b  DeltaChat-2.35.0-universal.dmg
6116dde143c4aa30fabc4df49250d89ef8636ba27cffdddb320153a802183747ff69fa51fa5a5c770d445a573bd713449ef3a8014fc107fc1ebc102420a3ce7f  DeltaChat-2.35.0-x86_64.AppImage
88283de67c66969b6c5fcb37719803fb2c09f84145f8a0d90b3a9e04864769999e004fd6810ded3629943e0375d830a125d83628874af092e5bfd4861653523e  deltachat-desktop-2.35.0-aarch64.pacman
0492c73bb7957ba370f4852c601c98be058d1a05820d9639bbc07bb3fc95fbe98a16f7a53dd83c18cf276bf5ec17bb2d0239086a68ed589daa1a7de42c70a5ce  deltachat-desktop-2.35.0-arm64.tar.gz
a6298cafdb1b81fc34ff8e2e7b65372e44b3e1bb8be1614c2df81d4297776a3d6fe3c720e82c26c7b0c2cc766ce36742c5c1a30801355c2206ed085259e97eb9  deltachat-desktop-2.35.0.aarch64.rpm
ca697dd2197ba462731152734a1e598eadeb986c03e3a2ccf178d87333210a4fcb0de251873fc730a20e39b3c6f5f45fc324db91539a140632e31a445c113772  deltachat-desktop-2.35.0.pacman
656fe23898a3ba02d3146f3b60143d63b5ec20ab1ad05b4f37127903bdbfd7fa90c4ceb05af9898942393207b064eaddbab50336c00db10bdc2ad85177b1c489  deltachat-desktop-2.35.0.tar.gz
ec7e02f159598b7f56e586cebc47e3a87171e1f3d20adcfc8d6b6b3d1ab7ccbd968ecb90ab3d7e34d37fc5af15ac4293d8248219bed0d5d75c1669381d64a330  deltachat-desktop-2.35.0.x86_64.rpm
fefd8e6826c73ce8d52a8ae662922cf9a7cef50b25a19cbdd75b1efbae1822b7ded6f87ab9a32bcd111fad66a14253913cc666c894e076a8daa3a7aa40c951c2  deltachat-desktop_2.35.0_amd64.deb
70f9aa9dedb5378da3121ead932111a5cac1e9ce94e02918c6b3c6f746d9de49d6c90dca0e604898f4843fc1bb0d6097d1be936edce61e646f5bf55b9c294965  deltachat-desktop_2.35.0_arm64.deb
52c9078bc39fb18a96f212b2324707a73f63ea08ebe67884e1394d993e5c0d5e513947f5fde196de3100f3282f904b19a97c684eafc1e017255d84f57995ca8c  deltachat-tauri-2.35.0-1.x86_64.rpm
fbfb47cb3570af7859a1ff9bddafc7ab373398c6f0bc89c526ef5e90a969045fa88d8cce535451bc554ebd1b20671e9bc64e787f0cbf06fc46b5a2a5c7dfed32  deltachat-tauri_2.35.0_aarch64.dmg
18b37e087520d5c1a2715e0478911bc284e6b12bf94e725ae0d17fc9bbe49d1c27a0690b9aa1925e97f5eb2fc463beb51ad1ca58ac3e5c5cce64ad78e46528c2  deltachat-tauri_2.35.0_amd64.AppImage
a22e6698e5c33787da7d94a73308d3e97f577d3ce754011ac4a6fd1477418f9443b9d5d3ca171fe78836d543d754848a8e3f73771ef1272dbaf2e7c984a39b86  deltachat-tauri_2.35.0_amd64.deb
9bf31a4eb42c9b911f92d044af3fe94f62d6fec2ca8f343b294efa2533fc70a16d9c5bdc39d1ea7353ea0b1014f7930df966f204de58c242136bb5582203d809  deltachat-tauri_2.35.0_universal.dmg
97a217717037f0594b563e1bfc11653c3df5c535b4247d9a56e3bff2e3badb55eb0a8e31c18aa001f5df02a4f78dff2f3061953530ebeac1fb920456f7790a0d  deltachat-tauri_2.35.0_x64-setup.exe
21bdcf51003cdd685133d4c4e76b8c33c7794026de553c30212e863f02d8baf4cada3daf706520606e5a04a4b83b2de5dd4f97f3e240bffd6ea1d82507f11380  deltachat-tauri_2.35.0_x64_en-US.msi

Instructions:

run one or both of these commands.

shasum -c checksums
shasum -a 512 -c sha512-checksums


Verify signature:

you can use rsop or gpg.

cat signature.asc | rsop inline-verify deltachat_certificate.asc


in gpg you need to first import the public key and after that you can verify the file.

gpg --import deltachat_certificate.asc
gpg --verify signature.asc


In scripts you can also do something like this:

rsop verify signatures/DeltaChat-1.59.0-Portable.x64.exe.sig deltachat_certificate.asc < DeltaChat-1.59.0-Portable.x64.exe


-----BEGIN PGP SIGNATURE-----

wnUEARYKAB0WIQRjzR+BW6VgUYN2mZxibibIFpUTCAUCaUqrnAAKCRBibibIFpUT
CFWSAQDwBJc0jzOsyy/LKIFpiq1kPz9GwBttHA9QTotaz0qT3gEAwFTHuwdLQo7e
AvoE4W7qEwqKvzRSYYwWJ8Unadg2lQ8=
=M80U
-----END PGP SIGNATURE-----

First off, this is a bit weird that you have the hashes inside the same file that you have some verification instructions. I was confused with

You can find detailed instructions for verification at https://download.delta.chat/desktop/v<version>/signature.asc

at the beginning but I was so lost I decided to see what was in that file.

I'm very confused why you are hashing with the sha1 algorithm. This seems like a waste because it is not secure and you are using sha512. Providing both is just really confusing to the user.

Next I have to figure out that I need to download

https://download.delta.chat/desktop/v2.35.0/sha512-checksums

Next I get

$ shasum -a 512 -c sha512-checksums
shasum: DeltaChat-2.35.0-Portable.x64.exe: No such file or directory
DeltaChat-2.35.0-Portable.x64.exe: FAILED open or read
shasum: DeltaChat-2.35.0-Setup.x64.exe: No such file or directory
DeltaChat-2.35.0-Setup.x64.exe: FAILED open or read
shasum: DeltaChat-2.35.0-arm64.AppImage: No such file or directory
DeltaChat-2.35.0-arm64.AppImage: FAILED open or read
shasum: DeltaChat-2.35.0-arm64.dmg: No such file or directory
DeltaChat-2.35.0-arm64.dmg: FAILED open or read
shasum: DeltaChat-2.35.0-universal.dmg: No such file or directory
DeltaChat-2.35.0-universal.dmg: FAILED open or read
shasum: DeltaChat-2.35.0-x86_64.AppImage: No such file or directory
DeltaChat-2.35.0-x86_64.AppImage: FAILED open or read
shasum: deltachat-desktop-2.35.0-aarch64.pacman: No such file or directory
deltachat-desktop-2.35.0-aarch64.pacman: FAILED open or read
shasum: deltachat-desktop-2.35.0-arm64.tar.gz: No such file or directory
deltachat-desktop-2.35.0-arm64.tar.gz: FAILED open or read
shasum: deltachat-desktop-2.35.0.aarch64.rpm: No such file or directory
deltachat-desktop-2.35.0.aarch64.rpm: FAILED open or read
shasum: deltachat-desktop-2.35.0.pacman: No such file or directory
deltachat-desktop-2.35.0.pacman: FAILED open or read
shasum: deltachat-desktop-2.35.0.tar.gz: No such file or directory
deltachat-desktop-2.35.0.tar.gz: FAILED open or read
shasum: deltachat-desktop-2.35.0.x86_64.rpm: No such file or directory
deltachat-desktop-2.35.0.x86_64.rpm: FAILED open or read
deltachat-desktop_2.35.0_amd64.deb: OK
shasum: deltachat-desktop_2.35.0_arm64.deb: No such file or directory
deltachat-desktop_2.35.0_arm64.deb: FAILED open or read
shasum: deltachat-tauri-2.35.0-1.x86_64.rpm: No such file or directory
deltachat-tauri-2.35.0-1.x86_64.rpm: FAILED open or read
shasum: deltachat-tauri_2.35.0_aarch64.dmg: No such file or directory
deltachat-tauri_2.35.0_aarch64.dmg: FAILED open or read
shasum: deltachat-tauri_2.35.0_amd64.AppImage: No such file or directory
deltachat-tauri_2.35.0_amd64.AppImage: FAILED open or read
shasum: deltachat-tauri_2.35.0_amd64.deb: No such file or directory
deltachat-tauri_2.35.0_amd64.deb: FAILED open or read
shasum: deltachat-tauri_2.35.0_universal.dmg: No such file or directory
deltachat-tauri_2.35.0_universal.dmg: FAILED open or read
shasum: deltachat-tauri_2.35.0_x64-setup.exe: No such file or directory
deltachat-tauri_2.35.0_x64-setup.exe: FAILED open or read
shasum: deltachat-tauri_2.35.0_x64_en-US.msi: No such file or directory
deltachat-tauri_2.35.0_x64_en-US.msi: FAILED open or read
shasum: WARNING: 20 listed files could not be read

Next, I'm confused why you don't encourage the user to do something more appropriate like

$ shasum -a 512 -c --ignore-missing sha512-checksums
deltachat-desktop_2.35.0_amd64.deb: OK

Now, you've told me to run

$ gpg --verify signature.asc
gpg: Signature made Tue 23 Dec 2025 09:47:56 AM EST
gpg:                using EDDSA key 63CD1F815BA560518376999C626E26C816951308
gpg: Good signature from "deltachat-signing@merlinux.eu" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 63CD 1F81 5BA5 6051 8376  999C 626E 26C8 1695 1308

However, we've never checked a signature for the file sha512-checksums. So, the only way I have to link the hash that I verified to a signature is to run and dig through.

$ diff signature.asc sha512-checksums 
1,29d0
< -----BEGIN PGP SIGNED MESSAGE-----
< Hash: SHA512
< 
< Checksums (shasum):
< 
< 4c8702252940343c7dfa41519e6cce180ee8be61  DeltaChat-2.35.0-Portable.x64.exe
< 292fcf80daf60462fe055e9ecbe84a3a53af6902  DeltaChat-2.35.0-Setup.x64.exe
< bda96c21181014b0657c4713dac25a64d033ceae  DeltaChat-2.35.0-arm64.AppImage
< 1b318bc59a9d3534c18b87d473d71fbf42e76580  DeltaChat-2.35.0-arm64.dmg
< 08cd7cca9d03eaa4958b6f4fde0725cab6d70e21  DeltaChat-2.35.0-universal.dmg
< 1c9cf86e9dc56d6dd6cdfb60c4cfd445c6a95612  DeltaChat-2.35.0-x86_64.AppImage
< b70cc83bf16878b92617ea28f7705b8143973466  deltachat-desktop-2.35.0-aarch64.pacman
< 093477588baaa62462b0feb246606ea0b43d2034  deltachat-desktop-2.35.0-arm64.tar.gz
< c21d714519fa869056797780fcc44aa6a526e490  deltachat-desktop-2.35.0.aarch64.rpm
< 93fee54dd61194b3612eba8672e27a9748dec92e  deltachat-desktop-2.35.0.pacman
< a50afde5d630019deb26d5ee792b1cc3e0cc9319  deltachat-desktop-2.35.0.tar.gz
< 5885d9dd6b19f50946f7cf59cc9772b5779ac1bb  deltachat-desktop-2.35.0.x86_64.rpm
< 7f6f7db44cb58e11efdb755e109988d4cf386561  deltachat-desktop_2.35.0_amd64.deb
< 5f5d227ae61cc64fd5a0052137f285fa9aed657f  deltachat-desktop_2.35.0_arm64.deb
< 88117292d60dea736ee0c3d0fb8ac58261771b92  deltachat-tauri-2.35.0-1.x86_64.rpm
< 8b41117f876a2faf34538a3e15b74bb00bc4b6e5  deltachat-tauri_2.35.0_aarch64.dmg
< 3a6330deb5a4c48e1e8b3234c4194385c715b529  deltachat-tauri_2.35.0_amd64.AppImage
< 6d61340f65e3a290c0e98aff352ac936a8738016  deltachat-tauri_2.35.0_amd64.deb
< f7544a371c9ab774e35e2de6dd6f5daa002639a3  deltachat-tauri_2.35.0_universal.dmg
< ab9a623fa43fc09c268af19db852454c301a716d  deltachat-tauri_2.35.0_x64-setup.exe
< a794881bc862d6d9de62e7dc90393260a1693335  deltachat-tauri_2.35.0_x64_en-US.msi
< 
< Checksums (shasum -a 512):
< 
51,84d21
< 
< Instructions:
< 
< run one or both of these commands.
< ```
< shasum -c checksums
< shasum -a 512 -c sha512-checksums
< ```
< 
< Verify signature:
< 
< you can use rsop or gpg.
< ```
< cat signature.asc | rsop inline-verify deltachat_certificate.asc
< ```
< 
< in gpg you need to first import the public key and after that you can verify the file.
< ```
< gpg --import deltachat_certificate.asc
< gpg --verify signature.asc
< ```
< 
< In scripts you can also do something like this:
< ```
< rsop verify signatures/DeltaChat-1.59.0-Portable.x64.exe.sig deltachat_certificate.asc < DeltaChat-1.59.0-Portable.x64.exe
< ```
< 
< -----BEGIN PGP SIGNATURE-----
< 
< wnUEARYKAB0WIQRjzR+BW6VgUYN2mZxibibIFpUTCAUCaUqrnAAKCRBibibIFpUT
< CFWSAQDwBJc0jzOsyy/LKIFpiq1kPz9GwBttHA9QTotaz0qT3gEAwFTHuwdLQo7e
< AvoE4W7qEwqKvzRSYYwWJ8Unadg2lQ8=
< =M80U
< -----END PGP SIGNATURE-----

I'd suggest you try to mimic the workflow of these projects as they are very straightforward:
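One way to join the two halves the issue is asking for (a signature check on the clearsigned signature.asc, then a SHA-512 check of only the one file you actually downloaded, taken from that same signed text), as an added example that is not the Delta Chat project's own tooling nor the issue author's: it assumes `gpg --import deltachat_certificate.asc` has already been run, pins the key fingerprint shown in the gpg output above, and `verify_release.sh` is a made-up name.

```shell
#!/bin/sh
# verify_release.sh (hypothetical name): check one Delta Chat download against
# the clearsigned signature.asc, with the signing key fingerprint pinned.
# Assumes `gpg --import deltachat_certificate.asc` has already been run.
set -eu

# Fingerprint printed by `gpg --verify` above; pinning it means a "Good
# signature" from any other imported key is rejected.
EXPECTED_FPR="63CD1F815BA560518376999C626E26C816951308"

# Exit 0 only if gpg emits VALIDSIG for EXPECTED_FPR (field 3 is the signing
# key fingerprint, the last field the primary key fingerprint).
gpg_verify_pinned() {   # gpg_verify_pinned signature.asc
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | awk -v fpr="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !ok }'
}

# Print only the "<sha512>  <filename>" lines of the signed text: the section
# after "Checksums (shasum -a 512):" up to the next heading.
extract_sha512_lines() {   # extract_sha512_lines signature.asc
    awk '/^Checksums \(shasum -a 512\):/ { sect = 1; next }
         !sect { next }
         NF == 0 { next }
         NF == 2 && length($1) == 128 && $1 ~ /^[0-9a-f]+$/ { print; next }
         { sect = 0 }' "$1"
}

# The checksum line for exactly one filename (empty output if absent).
checksum_line_for() {   # checksum_line_for signature.asc <filename>
    extract_sha512_lines "$1" | awk -v f="$2" '$2 == f'
}

# Reads "<hash>  <file>" lines on stdin; coreutils on Linux, shasum on macOS.
sha512_check() {
    if command -v sha512sum >/dev/null 2>&1; then sha512sum -c -; else shasum -a 512 -c -; fi
}
# Hash only the file we have, against only its own line from the signed text,
# so a missing entry is an error instead of 20 "FAILED open or read" lines.
check_download_hash() {   # check_download_hash signature.asc <download>
    name=$(basename "$2"); line=$(checksum_line_for "$1" "$name")
    [ -n "$line" ] || { echo "no SHA-512 entry for $name in $1" >&2; return 1; }
    ( cd "$(dirname "$2")" && printf '%s\n' "$line" | sha512_check )
}
verify_download() {   # verify_download signature.asc <download>
    gpg_verify_pinned "$1" || { echo "signature check failed: $1" >&2; return 1; }
    check_download_hash "$1" "$2"
}

if [ $# -eq 2 ]; then verify_download "$1" "$2"; fi
```

Run as `./verify_release.sh signature.asc deltachat-desktop_2.35.0_amd64.deb` from the download directory; both files must sit next to each other because the checksum line names the file without a path.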
