runZero binary verification

runZero uses dynamically generated binaries for the runZero Scanner and runZero Explorer downloads. Although Windows binaries have a valid Authenticode signature, all binaries also contain a secondary, internal signature. Dynamic binaries make it easy to deploy Explorers that connect back to the right organization, but present a challenge for independent integrity validation. To enable verification of the internal signature, we offer the runZero Verifier. This verification tool can confirm whether a given binary contains a valid internal signature, in addition to any existing Authenticode signatures.

To get started, download the latest version of the verifier from the bottom of this page along with the PGP signature file for the selected architecture.

The runZero Verifier is always signed by PGP Key ID 60EBAAE9AEF08C6D.

To validate the signature of the runZero Verifier for Windows 64-bit, you will need a GPG client and to run the following commands:

C:\> curl -s https://www.runzero.com/.well-known/security.pub.asc | gpg --import
C:\> gpg --verify runzero-verifier-3.1.0-windows-amd64.exe.asc

Successful validation will show a valid signature by key ID 9B5DAFF7D43349298A3039BD60EBAAE9AEF08C6D.

gpg: Signature made Sun 07 Aug 2022 11:33:15 AM CDT
gpg:                using RSA key 9B5DAFF7D43349298A3039BD60EBAAE9AEF08C6D
gpg:                issuer "security@runzero.com"
gpg: Good signature from "runZero Security <security@runzero.com>" [unknown]

The warning below is expected and does not indicate a problem with the signature:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

Once the runZero Verifier itself has been validated, it can be used to check the signature of any runZero binary:

C:\> runzero-verifier-3.1.0-windows-amd64.exe runzero-explorer-3.1.0-windows-amd64.exe
runzero-explorer-3.1.0-windows-amd64.exe: VALID SIGNATURE

A failed validation will show the error Invalid or missing signature and the verifier will set exit status to 1.

Binary downloads

Windows

Build	PGP sig	SHA hash
runZero Verifier x86 64-bit	pgp signature	sha-256
runZero Verifier x86 32-bit	pgp signature	sha-256

Linux

Build	PGP sig	SHA hash
runZero Verifier x86 64-bit	pgp signature	sha-256
runZero Verifier x86 32-bit	pgp signature	sha-256

Additional Linux builds

Build	PGP sig	SHA hash
runZero Verifier ARM v5 32-bit	pgp signature	sha-256
runZero Verifier ARM v6 32-bit	pgp signature	sha-256
runZero Verifier ARM v7 32-bit	pgp signature	sha-256
runZero Verifier ARM 64-bit (aarch64)	pgp signature	sha-256
runZero Verifier PPC 64-bit Little Endian	pgp signature	sha-256
runZero Verifier MIPS 32-bit Big Endian	pgp signature	sha-256
runZero Verifier MIPS 32-bit Little Endian	pgp signature	sha-256
runZero Verifier MIPS 64-bit Big Endian	pgp signature	sha-256
runZero Verifier MIPS 64-bit Little Endian	pgp signature	sha-256
runZero Verifier S390X	pgp signature	sha-256

MacOS

Build	PGP sig	SHA hash
runZero Verifier x86 64-bit	pgp signature	sha-256
runZero Verifier ARM 64-bit	pgp signature	sha-256

BSD Variants

FreeBSD

Build	PGP sig	SHA hash
runZero Verifier x86 64-bit	pgp signature	sha-256
runZero Verifier x86 32-bit	pgp signature	sha-256
runZero Verifier ARM v6 32-bit	pgp signature	sha-256
runZero Verifier ARM v7 32-bit	pgp signature	sha-256

NetBSD

Build	PGP sig	SHA hash
runZero Verifier x86 64-bit	pgp signature	sha-256
runZero Verifier x86 32-bit	pgp signature	sha-256
runZero Verifier ARM v5 32-bit	pgp signature	sha-256
runZero Verifier ARM v6 32-bit	pgp signature	sha-256
runZero Verifier ARM v7 32-bit	pgp signature	sha-256

Dragonfly

Build	PGP sig	SHA hash
runZero Verifier 64-bit	pgp signature	sha-256

OpenBSD

Build	PGP sig	SHA hash
runZero Verifier 64-bit	pgp signature	sha-256

Updated October 22, 2024

Previous: Installing an Explorer Next: Automated MSI deployments