Verifying the Proton Mail Bridge package for Linux
We provide a signature to verify that the Bridge software you download originates from us. For Windows and Mac, this check is performed automatically during installation. Linux packages, however, require an additional security check from the user.
Proton Mail Bridge supports both .deb and .rpm versions. If you use the .deb version, the instructions are below. If you use the .rpm version, scroll down to find your instructions.
How to verify the DEB package
The Proton Mail Bridge DEB package is signed using the program debsigs. To verify the package’s signature, you need to install:
sudo apt-get install debsig-verify debian-keyring
The Bridge app’s public key bridge_pubkey.gpg can be found here.
To import the Bridge app’s public key to your keyring, use the following commands:
sudo mkdir -p /usr/share/debsig/keyrings/E2C75D68E6234B07
sudo gpg --dearmor --output /usr/share/debsig/keyrings/E2C75D68E6234B07/debsig.gpg bridge_pubkey.gpg
The Bridge app’s policy file, bridge.pol, can be found here.
If you are using Ubuntu 16.04 or derivatives, you need to change the xml namespace to http://…
sed -i s,https://www.debian.org,http://www.debian.org, bridge.pol
Install the policy file
Use the following commands to install the policy file.
sudo mkdir -p /etc/debsig/policies/E2C75D68E6234B07
sudo cp bridge.pol /etc/debsig/policies/E2C75D68E6234B07
To check deb file run
debsig-verify protonmail-bridge_3.1.1-1_amd64.deb
The successful result should look like this:
debsig: Verified package from 'Proton Technologies AG (ProtonMail Bridge developers) bridge@protonmail.ch'
Instruction to verify RPM package
The Proton Mail Bridge RPM package is signed using the rpm –sign.
The public key bridge_pubkey.gpg can found here.
To import the Bridge app’s public key to your keyring, use the following instructions:
sudo rpm --import bridge_pubkey.gpg
To check the .rpm file run:
rpm --checksig protonmail-bridge-3.1.1-1.x86_64.rpm
The successful result should look like this:
protonmail-bridge-3.1.1-1.x86_64.rpm: digests signatures OK
In the commands, make sure you enter the latest version of the Bridge app. If the latest version is displayed as v3.1.1, enter it as 3.1.1.-1.
How to verify the PKGBUILD
This is not necessary. The package is verified automatically during the build.