How to verify signatures for Matomo release packages


We are proud to announce that Matomo releases will now be cryptographically signed using PGP following requests from several community members. In this post we will explain how you can verify the signatures of the Matomo release you downloaded, with instructions for Windows, Mac OS X and Linux.

What is a signature and why should I check it?


How do you know that the Matomo package you have is really the one we made? Some software sites list SHA-1 hashes alongside their downloads so that users can check the file arrived without errors. These “checksums” answer the question “Did I download this file correctly from whoever sent it to me?”. They catch random corruption in transit, but a checksum published next to the download, on the same server, cannot tell you whether that server was compromised: an attacker who can replace the file can replace the checksum too. The better question to answer is: “Is the file I just downloaded the file that Matomo intended me to get?”. A signature made with the release manager’s private key answers that question, provided you check it against the right public key. Over the years several Matomo users have requested that we start signing our releases.

Where do I get the signatures and the keys that made them?


Each file on our release server builds.matomo.org is accompanied by a file with the same name as the package plus the extension .asc. These .asc files are detached OpenPGP signatures made with GnuPG (GPG). They let you verify that the file you downloaded is exactly the one we intended you to get. For example, matomo-2.9.0.zip is accompanied by matomo-2.9.0.zip.asc. You need both files to verify a release; the signature is useless to an attacker on its own, so it does not matter that it is served from the same place as the package.

Currently the public key we use to sign the releases can be found here: builds.matomo.org/signature.asc. For versions below Matomo 4.8.0 Matthieu Aubry was the release manager and signed the Matomo releases; his public key can be found here: builds.matomo.org/signature-pre-4.8.0.asc. Whichever way you obtain a key (one of these files or a keyserver), what makes it trustworthy is that its fingerprint matches the one published here; both fingerprints are listed in the sections below. The worked example below (matomo-2.9.0.zip) verifies a release before 4.8.0; for 4.8.0 and later, use the current key with the same commands.

How to verify signatures on Windows


You need to have GnuPG installed before you can verify signatures. Download it from http://gpg4win.org/download.html.

Once it’s installed, use GnuPG to import the key that signed your package. Since GnuPG for Windows is a command-line tool, you will need to use cmd.exe. Unless you edit your PATH environment variable, you will need to give Windows the full path to the GnuPG program. If you installed GnuPG with the default values, the path should be something like this: C:\Program Files\Gnu\GnuPg\gpg.exe (check the actual installation folder if cmd.exe reports that the file cannot be found).

For Matomo versions 4.8.0 and above, import Matomo’s key (0x63BB30D0E5D2C749) by starting cmd.exe and typing:

"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver hkps://keyserver.ubuntu.com --recv-keys F529A27008477483777FC23D63BB30D0E5D2C749

For previous versions, import Matomo release manager Matthieu’s key (0xB5DBD5925590A237, the last 16 hex digits of the fingerprint) with:

"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver keys.gnupg.net --recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237

If that lookup fails (the keys.gnupg.net keyserver name may no longer be reachable), download builds.matomo.org/signature-pre-4.8.0.asc and import the file with gpg’s --import option instead. Either way, the fingerprint check in the next step is what tells you that you imported the right key.

After importing the key, verify that the fingerprint is correct. For previous versions run:

"C:\Program Files\Gnu\GnuPg\gpg.exe" --fingerprint 814E346FA01A20DBB04B6807B5DBD5925590A237

For Matomo 4.8.0 and above, replace the argument with F529A27008477483777FC23D63BB30D0E5D2C749. Compare the full 40-character fingerprint in the output against the one printed on this page, not just the 8-character short key ID: short key IDs are easy to forge.

You should see (for Matomo 4.8.0 and above):

pub   rsa4096 2022-02-23 [SC]
      Key fingerprint = F529 A270 0847 7483 777F C23D 63BB 30D0 E5D2 C749
uid                  Matomo <hello@matomo.org>
sub   rsa4096 2022-02-23 [E]

Or for previous versions:

pub   4096R/5590A237 2013-07-24
      Key fingerprint = 814E 346F A01A 20DB B04B  6807 B5DB D592 5590 A237
uid                  Matthieu Aubry <matt@piwik.org>
uid                  Matthieu Aubry <matthieu.aubry@gmail.com>
sub   4096R/43F0D330 2013-07-24

To verify the signature of the package you downloaded, you will need to download the “.asc” file as well. Assuming you downloaded the package and its signature to your Desktop, run:

"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify C:\Users\Alice\Desktop\matomo-2.9.0.zip.asc C:\Users\Alice\Desktop\matomo-2.9.0.zip

The output should say “Good signature”:

gpg: Signature made Thu 13 Nov 2014 17:42:18 NZDT using RSA key ID 5590A237
gpg: Good signature from "Matthieu Aubry <matt@piwik.org>"
gpg:                 aka "Matthieu Aubry <matthieu.aubry@gmail.com>"

Notice that there may be a warning, “WARNING: This key is not certified with a trusted signature!”, in case you haven’t assigned a trust level to this key. This means that GnuPG verified that the key made the signature, but it’s up to you to decide whether that key really belongs to the developer; you did that when you compared the fingerprint in the previous step. Also check that the key ID in the “Good signature” line is the one you imported for Matomo: “Good signature” only says that some key in your keyring signed the file, so a correct-looking line from an unexpected key is a failure, not a success. The strongest way to confirm a fingerprint is to meet the developer in person and exchange fingerprints; comparing it with the one published on this page over HTTPS is the practical alternative.

Mac OS X and Linux


On Linux GnuPG (the gpg command) is usually installed by default; if it is missing, install your distribution’s gnupg package. On Mac OS X, you need to install GnuPG before you can verify signatures. You can install it from http://www.gpgtools.org/.

Once it’s installed, use GnuPG to import the key that signed your package. Import Matomo’s key (F529A27008477483777FC23D63BB30D0E5D2C749) for Matomo 4.8.0 and above by typing:

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys F529A27008477483777FC23D63BB30D0E5D2C749

Matthieu Aubry signed the Matomo releases before 4.8.0. Import his key (814E346FA01A20DBB04B6807B5DBD5925590A237) by starting the terminal (under “Applications”) and typing:

gpg --keyserver keys.gnupg.net --recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237

If that lookup fails (the keys.gnupg.net keyserver name may no longer be reachable), download builds.matomo.org/signature-pre-4.8.0.asc and import the file with gpg --import instead. The fingerprint check in the next step is what tells you that you imported the right key.

After importing the key, verify that the fingerprint is correct. For previous versions run:

gpg --fingerprint 814E346FA01A20DBB04B6807B5DBD5925590A237

For Matomo 4.8.0 and above, replace the argument with F529A27008477483777FC23D63BB30D0E5D2C749. Compare the full 40-character fingerprint against the one printed on this page, not just the short key ID.

You should see (for Matomo 4.8.0 and above):

pub   rsa4096 2022-02-23 [SC]
      Key fingerprint = F529 A270 0847 7483 777F C23D 63BB 30D0 E5D2 C749
uid                  Matomo <hello@matomo.org>
sub   rsa4096 2022-02-23 [E]

Or for Matomo previous versions:

pub   4096R/5590A237 2013-07-24
      Key fingerprint = 814E 346F A01A 20DB B04B  6807 B5DB D592 5590 A237
uid                  Matthieu Aubry <matt@piwik.org>
uid                  Matthieu Aubry <matthieu.aubry@gmail.com>
sub   4096R/43F0D330 2013-07-24

To verify the signature of the package you downloaded, you will need to download the “.asc” file as well. Assuming you downloaded the package and its signature to your Desktop, run:

gpg --verify ~/Desktop/matomo-2.9.0.zip.asc ~/Desktop/matomo-2.9.0.zip

The signature file comes first, then the package. If you give only the .asc file, gpg looks for the package under the same name without the .asc extension in the same directory.

The output should say “Good signature”:

gpg: Signature made Thu 13 Nov 2014 17:42:18 NZDT using RSA key ID 5590A237
gpg: Good signature from "Matthieu Aubry <matt@piwik.org>"
gpg:                 aka "Matthieu Aubry <matthieu.aubry@gmail.com>"

As on Windows, there may be a warning that the key is not certified with a trusted signature in case you haven’t assigned a trust level to it. This means that GnuPG verified that the key made the signature, but it’s up to you to decide whether that key really belongs to the developer, which is what the fingerprint comparison above was for. Also make sure the key ID in the “Good signature” line is the one you imported for Matomo; a good signature from some other key in your keyring proves nothing about this package. The strongest confirmation is to meet the developer in person and exchange fingerprints; comparing against the fingerprint published on this page over HTTPS is the practical alternative.
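The Windows and Mac OS X/Linux procedures above are meant to be typed by hand, and they rely on you reading the fingerprint and the key ID in the “Good signature” line yourself. The script below, an added example that is not code from the Matomo project, does the same checks the way a deployment script should: it pins the signer’s fingerprint and parses gpg’s machine-readable status records (--status-fd) rather than its human-readable text. The two fingerprints are the ones published on this page; the function names, file names and the sample status records are assumptions constructed for this example, and gpg itself is only needed for the two wrapper functions, not for the self-check at the bottom.

```shell
#!/bin/sh
# Added example, not Matomo project code: verify a release by pinning the
# signer's fingerprint instead of trusting any "Good signature" line.
# The two fingerprints are the ones published on this page; the function
# names, file names and the sample status records are assumptions.

MATOMO_FPR="F529A27008477483777FC23D63BB30D0E5D2C749"       # Matomo 4.8.0 and later
MATOMO_PRE48_FPR="814E346FA01A20DBB04B6807B5DBD5925590A237" # releases before 4.8.0

# check_gpg_status EXPECTED_FPR   (reads "gpg --status-fd" records on stdin)
# Returns 0 only if a VALIDSIG record names EXPECTED_FPR as the signing key
# or as its primary key, and no bad, unverifiable, expired or revoked record
# is seen. GOODSIG alone is not enough: it is printed for any key in the keyring.
check_gpg_status() {
    expected=$1
    valid=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # Fields after "VALIDSIG": sig-key-fpr date timestamp expire-ts
                # version reserved pk-algo hash-algo sig-class primary-key-fpr.
                # Globbing is disabled while splitting so "[GNUPG:]" is not
                # treated as a pattern.
                set -f; set -- $line; set +f
                if [ "$3" = "$expected" ] || [ "${12}" = "$expected" ]; then
                    valid=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*)
                return 1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                # Expired or revoked signing key: fail closed. Relax this only
                # deliberately, e.g. when re-checking a very old archived release.
                return 1 ;;
        esac
    done
    return $valid
}

# import_pinned_key KEYFILE EXPECTED_FPR
# Import a downloaded key file (e.g. builds.matomo.org/signature.asc) only if
# its primary fingerprint is EXPECTED_FPR, so a swapped file or a poisoned
# keyserver answer never enters the keyring. --show-keys needs GnuPG 2.2.8+.
import_pinned_key() {
    gpg --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }' \
        | grep -qx "$2" || return 1
    gpg --import "$1"
}

# verify_release PACKAGE SIGNATURE EXPECTED_FPR
# gpg writes machine-readable status records to fd 1 and its human-readable
# messages to stderr; the status stream is what check_gpg_status consumes.
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_gpg_status "$3"
}

# Constructed sample of the status records gpg emits for the pre-4.8.0
# example on this page (only the field layout matters; timestamps are made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B5DBD5925590A237 Matthieu Aubry <matt@piwik.org>
[GNUPG:] VALIDSIG 814E346FA01A20DBB04B6807B5DBD5925590A237 2014-11-13 1415860000 0 4 0 1 10 00 814E346FA01A20DBB04B6807B5DBD5925590A237
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Self-check without gpg: the same records pass for the key that made them
# and fail when the expectation is the 4.8.0+ key.
if printf '%s\n' "$SAMPLE_STATUS" | check_gpg_status "$MATOMO_PRE48_FPR"; then
    echo "sample: accepted for the pre-4.8.0 key (expected)"
fi
if ! printf '%s\n' "$SAMPLE_STATUS" | check_gpg_status "$MATOMO_FPR"; then
    echo "sample: rejected for the 4.8.0+ key (expected)"
fi

# Real use, once the package, its .asc and the key file are downloaded:
#   import_pinned_key signature-pre-4.8.0.asc "$MATOMO_PRE48_FPR" &&
#   verify_release matomo-2.9.0.zip matomo-2.9.0.zip.asc "$MATOMO_PRE48_FPR"
```

The design choice worth noting is that the decision never looks at GOODSIG or at the trust warning: the script accepts a package only when VALIDSIG carries the pinned fingerprint (as the signing key or as the primary key, so a signing subkey under the Matomo key is also accepted), which is exactly the manual check the text asks you to do by eye. Because the check reads the status stream rather than gpg’s localized text, it does not break when gpg is run in another language or a newer version rewords its messages.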

That’s it! In this article you have learnt how to verify that the Matomo package you downloaded is the same one the Matomo team officially created. We hope this helps you use Matomo with more security.

Source: this article was copied and adapted from the great Tor Browser project website page How to verify signatures for Tor packages
