runZero binary verification
runZero uses dynamically generated binaries for the runZero CLI and runZero Explorer downloads. Although Windows binaries have a valid Authenticode signature, all binaries also contain a secondary, internal signature. Dynamic binaries make it easy to deploy Explorers that connect back to the right organization, but present a challenge for independent integrity validation. To enable verification of the internal signature, we offer the runZero Verifier. This verification tool can confirm whether a given binary contains a valid internal signature, in addition to any existing Authenticode signatures.
To get started, download the latest version of the verifier from the bottom of this page along with the PGP signature file for the selected architecture.
The runZero Verifier is always signed by PGP Key ID 60EBAAE9AEF08C6D.
To validate the signature of the runZero Verifier for Windows 64-bit, you will need a GPG client. Run the following commands:
C:\> curl -s https://www.runzero.com/.well-known/security.pub.asc | gpg --import
C:\> gpg --verify runzero-verifier-3.1.0-windows-amd64.exe.asc
Successful validation will show a valid signature by key ID 9B5DAFF7D43349298A3039BD60EBAAE9AEF08C6D.
gpg: Signature made Sun 07 Aug 2022 11:33:15 AM CDT
gpg: using RSA key 9B5DAFF7D43349298A3039BD60EBAAE9AEF08C6D
gpg: issuer "security@runzero.com"
gpg: Good signature from "runZero Security <security@runzero.com>" [unknown]
The warning below is expected and does not indicate a problem with the signature:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Once the runZero Verifier itself has been validated, it can be used to check the signature of any runZero binary:
C:\> runzero-verifier-3.1.0-windows-amd64.exe runzero-explorer-3.1.0-windows-amd64.exe
runzero-explorer-3.1.0-windows-amd64.exe: VALID SIGNATURE
A failed validation will show the error "Invalid or missing signature" and the verifier will set exit status to 1.
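Because gpg prints "Good signature" for any key in the local keyring, and the trust warning is expected, an automated check should compare the signing key against the fingerprint shown above rather than rely on gpg's exit status. The following POSIX shell script is an added example for the Linux, macOS and BSD builds, not runZero's own code; it assumes the public key has already been imported as shown above, and the function names and the `verify.sh` file name are hypothetical.

```shell
#!/bin/sh
# Added example (not runZero's code): fail closed unless both checks pass.
# Full fingerprint of the signing key, as printed in the gpg output on this page.
PINNED_FPR="9B5DAFF7D43349298A3039BD60EBAAE9AEF08C6D"

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG line names the pinned fingerprint as the key that made the signature.
signed_by_pinned_key() {
    awk -v fpr="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == fpr { ok = 1 }
        END { exit !ok }'
}

# verify_verifier <verifier>: checks the detached signature <verifier>.asc.
# A missing gpg, missing file, bad signature or other key all yield non-zero.
verify_verifier() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        signed_by_pinned_key
}

# check_binary <verifier> <binary>: the verifier sets exit status 1 on failure.
check_binary() {
    "$1" "$2" >/dev/null
}

# verify_release <verifier> <binary>: PGP check first, internal signature second.
verify_release() {
    verify_verifier "$1" || {
        echo "$1: no valid signature from $PINNED_FPR" >&2; return 2; }
    check_binary "$1" "$2" || {
        echo "$2: invalid or missing internal signature" >&2; return 1; }
    echo "$2: verified"
}

# Usage: sh verify.sh <path-to-verifier> <path-to-runzero-binary>
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

The script exits 2 when the verifier itself cannot be tied to the pinned key and 1 when the runZero binary fails the internal signature check, so a deployment pipeline can distinguish the two cases.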
Binary downloads
Windows
Build | PGP sig | SHA hash |
---|---|---|
runZero Verifier x86 64-bit | pgp signature | sha-256 |
runZero Verifier x86 32-bit | pgp signature | sha-256 |
Linux
Build | PGP sig | SHA hash |
---|---|---|
runZero Verifier x86 64-bit | pgp signature | sha-256 |
runZero Verifier x86 32-bit | pgp signature | sha-256 |
Additional Linux builds
MacOS
Build | PGP sig | SHA hash |
---|---|---|
runZero Verifier x86 64-bit | pgp signature | sha-256 |
runZero Verifier ARM 64-bit | pgp signature | sha-256 |
BSD Variants
FreeBSD
NetBSD
Dragonfly
Build | PGP sig | SHA hash |
---|---|---|
runZero Verifier 64-bit | pgp signature | sha-256 |
OpenBSD
Build | PGP sig | SHA hash |
---|---|---|
runZero Verifier 64-bit | pgp signature | sha-256 |