Software Signing

Yubico aims to cryptographically sign all software that it distributes. We use three different techniques to achieve this.

OpenPGP Software Signing

Source code releases are usually signed by an OpenPGP key of one of Yubico’s developers. Some ZIP files containing Windows executables are also signed using OpenPGP.

Following are the keys for Yubico developers who are currently releasing code.

Following are the keys for developers who have released code in the past.

Verifying signatures with GnuPG

The lists above give primary key fingerprints, but when you verify a signature made with a key that is not yet in your keyring, GnuPG prints the fingerprint of the signing subkey, which will not match any entry above. You can pass that fingerprint to gpg --recv-keys to download the key; once it is imported, a second gpg --verify prints the primary key fingerprint alongside the subkey fingerprint.

Caution
Regardless of how you download keys, you must always verify that signatures were made by one of the keys listed above. See below for an example of how to do this.

Example of downloading a key by the subkey fingerprint that gpg printed:

gpg --verify yubioath-desktop-5.0.5.tar.gz.sig
gpg: assuming signed data in 'yubioath-desktop-5.0.5.tar.gz'
gpg: Signature made tor 15 apr 2021 16:23:47 CEST
gpg:                using RSA key D6919FBF48C484F3CB7B71CD870B88256690D8BC
gpg: Can't check signature: No public key

gpg --recv-keys D6919FBF48C484F3CB7B71CD870B88256690D8BC
gpg: key 5CBA11E6ADC7BCD1: public key "Dennis Fokin <dennis.fokin@yubico.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Example of verifying signature:

gpg --verify yubioath-desktop-5.0.5.tar.gz.sig
gpg: assuming signed data in 'yubioath-desktop-5.0.5.tar.gz'
gpg: Signature made tor 15 apr 2021 16:23:47 CEST
gpg:                using RSA key D6919FBF48C484F3CB7B71CD870B88256690D8BC
gpg: Good signature from "Dennis Fokin <dennis.fokin@yubico.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9E88 5C03 02F9 BB91 6752  9C2D 5CBA 11E6 ADC7 BCD1
     Subkey fingerprint: D691 9FBF 48C4 84F3 CB7B  71CD 870B 8825 6690 D8BC

Make sure that gpg reports Good signature AND that the Primary key fingerprint it prints appears in the lists above. Compare the complete fingerprint: a matching name, e-mail address or key ID is not sufficient, since anyone can generate a key carrying those. You can safely ignore the warning "This key is not certified with a trusted signature!" once you have manually verified the primary key fingerprint; it only means the key is not certified in your local web of trust.
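The check described above, automated, as an added example for this page (it is not Yubico's own tooling). The script reads the machine-readable status lines that gpg emits with --status-fd (the [GNUPG:] lines documented in GnuPG's doc/DETAILS), and accepts a file only when gpg reports a good signature and the primary key fingerprint in the VALIDSIG line is on an allowlist built from the fingerprints published on this page. The allowlist holds only the single fingerprint from the transcript above; the sample status lines are constructed to mirror that transcript, with timestamp and algorithm fields that are plausible rather than captured from a real run, and the impostor key is invented.

```python
"""Allowlist check for GnuPG signature verification.

Added example for this page, not Yubico's own tooling.  It parses the
machine-readable `[GNUPG:] ...` lines that `gpg --status-fd 1 --verify` emits
(see GnuPG's doc/DETAILS) and accepts a file only when gpg reports a good
signature AND the primary key fingerprint, the last field of the VALIDSIG
line, is on an allowlist of the fingerprints published on this page.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Primary key fingerprints from the page, in the spacing gpg uses when printing.
# Only the one fingerprint shown in the page's example is included here.
TRUSTED_PRIMARY_FINGERPRINTS = {
    "9E88 5C03 02F9 BB91 6752  9C2D 5CBA 11E6 ADC7 BCD1",  # Dennis Fokin
}


def normalize_fpr(fpr: str) -> str:
    """Canonical form for comparison: uppercase hex, spaces and colons removed."""
    return "".join(ch for ch in fpr.upper() if ch not in " :")


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    signing_key_fpr: Optional[str] = None
    primary_key_fpr: Optional[str] = None


def evaluate_status(status_lines: Iterable[str], trusted: Iterable[str]) -> VerifyResult:
    """Decide whether a gpg --status-fd run is a signature by an allowlisted key.

    GOODSIG alone is not enough: gpg prints "Good signature" for any key in the
    local keyring, including one a stranger published under a developer's name.
    """
    trusted_set = {normalize_fpr(f) for f in trusted}
    good, errsig = False, False
    valid_fields: Optional[List[str]] = None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable gpg messages share the stream; skip them
        keyword = fields[1]
        if keyword in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            return VerifyResult(False, f"gpg reported {keyword}")
        if keyword == "NO_PUBKEY":
            return VerifyResult(False, f"no public key for {fields[2]}; fetch it and check its primary fingerprint")
        if keyword == "ERRSIG":
            errsig = True  # a NO_PUBKEY line usually follows with the cause
        elif keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            valid_fields = fields
    if errsig:
        return VerifyResult(False, "gpg could not check the signature (ERRSIG)")
    if not good or valid_fields is None:
        return VerifyResult(False, "gpg did not report a good signature")
    # VALIDSIG <fpr> <date> <ts> <exp> <ver> <res> <pkalgo> <hashalgo> <class> <primary-fpr>
    if len(valid_fields) < 12:
        return VerifyResult(False, "VALIDSIG line lacks a primary key fingerprint")
    signing_fpr, primary_fpr = normalize_fpr(valid_fields[2]), normalize_fpr(valid_fields[11])
    if primary_fpr not in trusted_set:
        return VerifyResult(False, "primary key is not in the allowlist", signing_fpr, primary_fpr)
    return VerifyResult(True, "good signature by an allowlisted primary key", signing_fpr, primary_fpr)


def verify_with_gpg(signature_path: str, data_path: str,
                    trusted: Iterable[str] = TRUSTED_PRIMARY_FINGERPRINTS) -> VerifyResult:
    """Run gpg on a detached signature and evaluate its status output (gpg must be on PATH)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return evaluate_status(proc.stdout.splitlines(), trusted)


# Constructed status output modelled on the page's transcripts; the timestamp and
# algorithm fields are plausible values, not captured from a real gpg run.
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 870B88256690D8BC Dennis Fokin <dennis.fokin@yubico.com>",
    "[GNUPG:] VALIDSIG D6919FBF48C484F3CB7B71CD870B88256690D8BC 2021-04-15 1618496627 0 4 0 1 8 00 "
    "9E885C0302F9BB9167529C2D5CBA11E6ADC7BCD1",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Same name and e-mail on a different (invented) key: gpg still says GOODSIG.
SAMPLE_IMPOSTOR = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Dennis Fokin <dennis.fokin@yubico.com>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2021-04-15 1618496627 0 4 0 1 8 00 "
    "0000000000000000000000000123456789ABCDEF",
]
# Key not in the keyring: the state in the page's first transcript ("No public key").
SAMPLE_NO_KEY = [
    "[GNUPG:] ERRSIG 870B88256690D8BC 1 8 00 1618496627 9 D6919FBF48C484F3CB7B71CD870B88256690D8BC",
    "[GNUPG:] NO_PUBKEY 870B88256690D8BC",
]

if __name__ == "__main__":
    import sys
    result = verify_with_gpg(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else \
        evaluate_status(SAMPLE_GOOD, TRUSTED_PRIMARY_FINGERPRINTS)
    print(result)
    sys.exit(0 if result.ok else 1)
```

Run it as `python3 verify_sig.py yubioath-desktop-5.0.5.tar.gz.sig yubioath-desktop-5.0.5.tar.gz` to check a real download; with no arguments it evaluates the constructed sample. The decision deliberately ignores the TRUST_* line and gpg's "not certified" warning, for the same reason the text above allows you to ignore it: the allowlist of primary fingerprints, not the web of trust, is what binds the signature to Yubico.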

Windows Software Signing

Our Windows executables are signed with one of two code signing certificates, issued by DigiCert:

SHA256 fingerprint: D3:E2:EF:AA:70:13:B1:79:2D:E4:84:90:26:50:FC:A1:1D:69:60:DE:77:FD:8C:8E:BB:37:3F:A8:68:8B:33:7F

SHA256 fingerprint: C9:E7:75:63:0C:3E:F9:DB:02:7C:78:80:2C:0D:BD:E0:93:F5:38:CE:64:7A:C0:EF:25:8C:F4:86:94:F5:CD:DB

Earlier Windows software may be signed with one of the following certificates:

SHA256 fingerprint: C3:C1:BE:40:B7:F2:C7:B2:51:DB:67:35:88:40:76:9F:37:35:28:D2:5E:32:AD:0D:80:6F:01:C6:ED:96:E8:2D

SHA256 fingerprint: 43:9D:B8:FB:32:F3:BA:47:15:5C:BA:E5:8A:02:A5:02:B3:ED:15:7A:34:23:B8:62:74:6E:20:AE:17:7F:5C:ED

SHA256 fingerprint: 42:77:C7:17:01:5F:DB:6F:EA:CC:5D:4B:69:BD:72:D7:64:18:3E:6A:81:D6:64:87:BC:70:E9:B6:C5:9C:01:FE

SHA256 fingerprint: F0:45:D8:A2:54:37:97:B1:29:6F:32:A1:4F:6C:BC:C6:13:5F:79:C5:18:EF:25:6C:B0:7F:C7:FD:01:70:5C:EB

SHA256 fingerprint: 1F:DA:33:2D:C3:DB:B7:DA:13:1B:BE:78:6E:2E:F9:2C:40:86:59:08:E5:C8:AA:1C:FC:F7:C6:5F:35:37:E3:7E

SHA256 fingerprint: DB:75:AF:B8:AF:DF:5C:DC:F9:70:1E:0E:FA:4C:44:97:ED:BE:0D:95:DB:8D:12:82:77:23:C6:6B:69:FE:3E:8B

Mac Software Signing

Our Mac executables are signed with a Yubico code signing certificate, issued by Apple.

SHA256 fingerprint: 3C:3F:C5:78:DE:63:8A:96:A3:73:61:BD:3F:9C:39:55:DA:69:08:CD:C9:AF:57:8D:41:02:74:95:98:B8:98:83

Our Mac installers are signed with a Yubico code signing certificate, issued by Apple.

SHA256 fingerprint: CE:0A:F3:41:0B:9F:60:5E:D0:D4:7E:1E:D4:16:3C:0A:52:55:04:24:24:16:7A:0A:C8:3C:94:62:24:90:B9:CF

Mac software released before 2017-09-25 is signed with:

SHA256 fingerprint: F4:EC:6D:AF:9A:E6:AD:49:F6:D3:99:9A:D8:92:8E:A1:D3:A9:45:94:15:90:BC:33:BA:9D:8E:35:59:02:3C:BD