If you believe that you've found a Syncthing-related security vulnerability,
please report it by emailing firstname.lastname@example.org. Do not report it in the
open issue tracker. The security team PGP key
B683AD7B76CAB013) can be used to send encrypted mail or
to verify responses received from that address.
The release PGP key (
D26E6ED000654A3E) can be used to
verify the signatures on the official binary releases.
Download the release (tar.gz file) and the checksum sha1sum.txt.asc file.
Example verifying release v0.14.11:
$ curl -sLO https://github.com/syncthing/syncthing/releases/download/v0.14.11/syncthing-linux-amd64-v0.14.11.tar.gz $ curl -sLO https://github.com/syncthing/syncthing/releases/download/v0.14.11/sha1sum.txt.asc
Verify that the SHA1 checksum is correct for the release. Errors will be printed for the release files you did not download - these can be ignored. The important line is shown below in bold indicating the checksum is “OK” for the downloaded release file.
$ sha1sum -c sha1sum.txt.asc ... sha1sum: syncthing-linux-386-v0.14.11.tar.gz: No such file or directory syncthing-linux-386-v0.14.11.tar.gz: FAILED open or read syncthing-linux-amd64-v0.14.11.tar.gz: OK sha1sum: syncthing-linux-armv5-v0.14.11.tar.gz: No such file or directory syncthing-linux-armv5-v0.14.11.tar.gz: FAILED open or read ... sha1sum: WARNING: 20 lines are improperly formatted sha1sum: WARNING: 12 listed files could not be read
Import the old and new release keys (only necessary if you haven't done this previously).
$ gpg --keyserver pool.sks-keyservers.net --recv-key 49F5AEC0BCE524C7 D26E6ED000654A3E gpg: requesting key BCE524C7 from hkp server pool.sks-keyservers.net gpg: requesting key 00654A3E from hkp server pool.sks-keyservers.net gpg: key BCE524C7: public key "Jakob Borg (calmh) <email@example.com>" imported gpg: key 00654A3E: public key "Syncthing Release Management <firstname.lastname@example.org>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 2 gpg: imported: 2 (RSA: 2)
Verify the signature on the checksum file. Again, the bolded line is the important one.
$ gpg --verify sha1sum.txt.asc gpg: Signature made Tue Nov 15 07:44:49 2016 CET gpg: using RSA key D26E6ED000654A3E gpg: Good signature from "Syncthing Release Management <email@example.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.