Verifying the Proton Mail Bridge package for Linux
We provide a signature to verify that the Bridge software you download originates from us. For Windows and Mac, this check is performed automatically during installation. Linux packages, however, require an additional security check from the user.
Proton Mail Bridge supports both .deb and .rpm versions. If you use the .deb version, the instructions are below. If you use the .rpm version, scroll down to find your instructions. PKGBUILD installations are automatically verified.
At the time of writing, the current Proton Mail Bridge version is 3.8.2. This will change in the future, so make sure to use the correct version in the commands. If you do not, Bridge should update to the newest version soon.
How to verify the DEB package
The Proton Mail Bridge DEB package is signed using the program debsigs.
First, make sure debsig-verify and debian-keyring are installed.
sudo apt-get install debsig-verify debian-keyring
Download the public key
wget https://proton.me/download/bridge/bridge_pubkey.gpg
Import the public key to your system
gpg --dearmor --output debsig.gpg bridge_pubkey.gpg
sudo mkdir -p /usr/share/debsig/keyrings/E2C75D68E6234B07
sudo mv debsig.gpg /usr/share/debsig/keyrings/E2C75D68E6234B07
We have to use sudo here since this location is under root's ownership.
Download and install the policy file
wget https://proton.me/download/bridge/bridge.pol
sudo mkdir -p /etc/debsig/policies/E2C75D68E6234B07
sudo cp bridge.pol /etc/debsig/policies/E2C75D68E6234B07
Make sure you are in the folder where the DEB file is located, then verify the DEB file by running the below command:
debsig-verify protonmail-bridge_3.13.0-1_amd64.deb
In case you have not downloaded Bridge yet, you can run the below command:
wget https://proton.me/download/bridge/protonmail-bridge_3.13.0-1_amd64.deb
If the check passes, you should see this:
debsig: Verified package from 'Proton Technologies AG (ProtonMail Bridge developers) [email protected]'
Install the package using your package manager:
sudo apt install ./protonmail-bridge_3.13.0-1_amd64.deb
How to verify the RPM package
The Proton Mail Bridge RPM package is signed using rpm --sign.
The public key bridge_pubkey.gpg can be found here.
You can use the below command to download it:
wget https://proton.me/download/bridge_pubkey.gpg
To import the Bridge app’s public key to your keyring, use the following instructions:
sudo rpm --import bridge_pubkey.gpg
To check the .rpm file, run:
rpm --checksig protonmail-bridge-3.13.0-1.x86_64.rpm
If you have not downloaded the Bridge, you can do so with the below command:
wget https://proton.me/download/bridge/protonmail-bridge-3.13.0-1.x86_64.rpm
If the check passes, you should see this:
protonmail-bridge-3.13.0-1.x86_64.rpm: digests signatures OK
Then, to install the Bridge, run the below command:
sudo dnf install ./protonmail-bridge-3.13.0-1.x86_64.rpm
If you still face issues verifying the file, you might have an older key, which you should remove to ensure the verification passes. In that case, the check reports an error like this:
package protonmail-bridge-3.13.0-1.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID e6234b07: NOTTRUSTED
To list the available keys, run the following command:
rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
You should see something similar to this:
gpg-pubkey-18b8e74c-62f2920f Fedora (39) <[email protected]> public key
gpg-pubkey-xxxxxxxx-xxxxxxx Proton Technologies AG (ProtonMail Bridge developers) <[email protected]> public key
To remove the key, run the below command:
sudo rpm -e gpg-pubkey-xxxxxxxx-xxxxxxx
Confirm the key has been removed by running the list command again. You should now be able to install the RPM file.
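The following is an added example, not part of Proton's instructions or tooling. It checks that a downloaded bridge_pubkey.gpg contains only the key whose ID appears in the debsig paths above (E2C75D68E6234B07), and picks out the matching entry in rpm's key list using the short ID e6234b07 from the error message. The function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Proton's tooling. Sample data below is constructed.
EXPECTED_KEY_ID="E2C75D68E6234B07"  # long key ID from the debsig paths on this page

# stdin: output of `gpg --show-keys --with-colons FILE`.
# Succeeds only if the listing holds exactly one primary key ("pub" record,
# key ID in field 5) and that ID equals $1. A file carrying extra keys is
# rejected, because `rpm --import` trusts every key in the file.
key_listing_matches() {
    awk -F: -v want="$1" '
        $1 == "pub" { n++; id = toupper($5) }
        END { exit !(n == 1 && id == toupper(want)) }'
}

# rpm names an imported key gpg-pubkey-<last 8 hex digits of key ID>-<release>.
short_key_id() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/.*\(.\{8\}\)$/\1/'
}

# stdin: output of the `rpm -q gpg-pubkey --qf ...` listing command.
# Prints the package names of the entries that belong to key ID $1.
rpm_entries_for_key() {
    awk -v short="$(short_key_id "$1")" \
        'index($1, "gpg-pubkey-" short "-") == 1 { print $1 }'
}

# Inspect a downloaded key file without importing it (requires gpg).
verify_key_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null |
        key_listing_matches "$EXPECTED_KEY_ID"
}

# Constructed samples (not real output for the Proton key).
SAMPLE_GPG='pub:-:4096:1:E2C75D68E6234B07:1500000000:::-:::scESC::::::23::0:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>::::::::::0:'
SAMPLE_GPG_EXTRA="$SAMPLE_GPG
pub:-:4096:1:0123456789ABCDEF:1500000000:::-:::scESC::::::23::0:"
SAMPLE_RPM='gpg-pubkey-18b8e74c-62f2920f Example distribution key
gpg-pubkey-e6234b07-00000000 Example Bridge signing key'

# Usage: sh check_bridge_key.sh bridge_pubkey.gpg
if [ -n "${1:-}" ]; then
    if verify_key_file "$1"; then
        echo "OK: $1 holds only key $EXPECTED_KEY_ID"
    else
        echo "FAIL: unexpected or missing key in $1" >&2; exit 1
    fi
fi
```

A key ID match ties the file to the paths and error message on this page; comparing a full fingerprint obtained through a separate channel is the stronger check.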
How to verify the PKGBUILD
It is not necessary to verify the PKGBUILD, as the package is verified automatically during the build.