Verifying SpyderVPN's Warrant Canary GPG Signature On Linux

Learn what a warrant canary is and how to verify that the latest update has been properly signed with SpyderVPN's dedicated GPG key using the Linux terminal.

What is a Warrant Canary?

A warrant canary is a statement that an organization publishes to inform its users that it has not received any secret subpoenas, warrants, or orders (typically from governments) that could compromise user privacy. Since legal orders sometimes come with gag clauses preventing disclosure, a regular, cryptographically signed statement is used. If the canary suddenly disappears or is not updated, users can infer that such an order may have been received.

SpyderVPN uses a warrant canary to maintain transparency. Each update is signed with our dedicated GPG key, allowing anyone to verify that the message is authentic and unaltered.


How to Verify the GPG Signature

Follow these steps to verify the GPG signature of the warrant canary:

1. Install GPG (if not already installed)

Most Linux distributions come with GPG pre-installed. If it’s missing, install it using your package manager. For example, on Ubuntu:

$ sudo apt update && sudo apt install gnupg

2. Download the Warrant Canary and Public Key

SpyderVPN publishes the warrant canary at:

https://spydervpn.com/resources/warrant_canary.txt.asc

and the public key at:
https://spydervpn.com/resources/spydervpn_pubkey.txt

Download them using curl or wget:

$ curl -O https://spydervpn.com/resources/warrant_canary.txt.asc
$ curl -O https://spydervpn.com/resources/spydervpn_pubkey.txt

3. Import the Public Key

Import the SpyderVPN public key into your GPG keyring:

$ gpg --import spydervpn_pubkey.txt

You should see a confirmation message that the key has been imported.

4. Verify the Signature

Now, verify the signed warrant canary file:

$ gpg --verify warrant_canary.txt.asc

If the file is signed correctly, you will see an output similar to:

gpg: Signature made [date] using RSA key ID [KEY_ID]
gpg: Good signature from "SpyderVPN <[email protected]>"

5. Interpreting the Output

  • Good signature:
    Indicates that the warrant canary file was signed with the SpyderVPN GPG key you imported in step 3 and has not been altered since it was signed.

  • Warning messages (if any):
    Sometimes you might see a warning about the key not being trusted. This is normal if you haven't set the key's trust level. The warning means GPG has no basis for confirming who owns the key, only that the signature matches it. You can verify the signature even if the key is not fully trusted in your GPG keyring.

  • Bad signature or errors:
    If you encounter errors or a "BAD signature" message, it means the file may have been tampered with or is not signed with the expected key.
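
The script below is an added example, not SpyderVPN's own tooling. It automates steps 4 and 5 by reading GPG's machine-readable `--status-fd` lines, pinning the signing key's fingerprint and checking how old the signature is. The fingerprint is a placeholder, and the 35-day limit and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: judge the canary from gpg status lines instead of reading text.
# Real use (not run here; --status-fd makes gpg emit machine-readable lines):
#   gpg --status-fd 1 --verify warrant_canary.txt.asc 2>/dev/null |
#       check_canary "$PINNED_FPR" "$MAX_AGE_DAYS" "$(date +%s)"

# Placeholder fingerprint (constructed). Replace it with the real 40-hex-digit
# fingerprint, confirmed through a channel other than the key download itself.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567
MAX_AGE_DAYS=35   # assumption: the page does not state an update interval

# Constructed sample of status output for a good signature made 2025-01-01 UTC.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-01-01 1735689600 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567'

# check_canary PINNED_FPR MAX_AGE_DAYS NOW_EPOCH   (status lines on stdin)
# Exit codes: 0 ok, 1 no valid signature, 2 unexpected key, 3 stale canary.
check_canary() {
    awk -v want="$1" -v max_days="$2" -v now="$3" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Fields: signing-key fpr, date, signature epoch, ..., primary-key fpr
            valid = 1; sig_time = $5; primary = $NF
        }
        END {
            if (bad || !valid) { print "FAIL: no valid signature"; exit 1 }
            if (toupper(primary) != toupper(want)) {
                print "FAIL: signed by unexpected key " primary; exit 2
            }
            age = int((now - sig_time) / 86400)
            if (age > max_days) { print "STALE: canary is " age " days old"; exit 3 }
            print "OK: signature by pinned key, " age " days old"
        }'
}

# Demo on the constructed sample, evaluated as if run 10 days after signing.
printf '%s\n' "$SAMPLE_STATUS" | check_canary "$PINNED_FPR" "$MAX_AGE_DAYS" 1736553600
```

A stale result (exit code 3) is the condition a warrant canary exists to surface, so it deserves the same attention as a failed signature.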


Conclusion

By following these steps, you can independently verify that SpyderVPN's warrant canary is authentic and up-to-date. This process not only reinforces our commitment to transparency but also gives you peace of mind regarding the integrity of the information we publish.

Happy verifying!