Rumble Binary Verification

Rumble uses dynamically generated binaries for the Rumble Scanner and Rumble Agent downloads. Although the Windows binaries carry a valid Authenticode signature (signed by Critical Research Corporation), all binaries also contain a secondary, internal signature. Dynamic binaries make it easy to deploy agents that connect back to the right organization, but they present a challenge for independent integrity validation. To enable verification of the internal signature, we offer the Rumble Verifier, available from the Tools section of the Rumble Console. This tool confirms whether a given binary contains a valid internal signature, independently of any Authenticode signature it may also carry.

To get started, download the latest version of the verifier from the Tools page, along with the PGP signature file for the selected architecture.

The Rumble Verifier is always signed by PGP Key ID AE96EC3E8E1F27C6.

To validate the signature of version 1.0.0 of the Rumble Verifier for Windows 64-bit, you will need a GPG client. Run the following commands:

c:\> curl https://keybase.io/hdm/pgp_keys.asc | gpg --import
c:\> gpg --verify rumble-verifier-1.0.0-windows-amd64.exe.asc

Successful validation is indicated by a message stating that a good signature was made by key ID CEC20C193A94F31CE670C668AE96EC3E8E1F27C6 (the full fingerprint of the key whose short ID is AE96EC3E8E1F27C6).

Once the Rumble Verifier itself has been validated, it can be used to check the signature of any Rumble binary:

c:\> rumble-verifier-1.0.0-windows-amd64.exe rumble-agent-0.5.30-windows-amd64.exe
rumble-agent-0.5.30-windows-amd64.exe: VALID SIGNATURE

A failed validation prints the error Invalid or missing signature, and the verifier exits with status 1.
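The two steps above (verify the verifier, then verify the binary) are easy to get subtly wrong when automated: gpg exits 0 for a good signature from any key in the keyring, so a script that only checks gpg's exit status would accept a binary signed by an unrelated imported key. The following POSIX shell script is an added example, not part of Rumble's tooling, that pins the fingerprint from this page by parsing gpg's machine-readable --status-fd output and then runs the verifier requiring both exit status 0 and the VALID SIGNATURE message. It assumes gpg and awk are installed; the sample status text is constructed for illustration and is not real gpg output for this key.

```shell
#!/bin/sh
# Added example (not Rumble's own code): pin the expected signing key when
# verifying a downloaded Rumble Verifier, then check a Rumble binary with it.

# Full fingerprint given on the page for the Rumble Verifier signing key.
EXPECTED_FPR="CEC20C193A94F31CE670C668AE96EC3E8E1F27C6"

# check_validsig STATUS_TEXT
# Returns 0 only if the gpg status output contains a VALIDSIG line whose
# fingerprint equals EXPECTED_FPR. A GOODSIG from some other key in the
# keyring is rejected, which a plain exit-status check would not do.
check_validsig() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == want { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# verify_download SIGFILE
# Runs gpg on the detached .asc signature (gpg locates the signed file by
# stripping the .asc suffix, as on the page) and pins the fingerprint.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    check_validsig "$status"
}

# verify_binary VERIFIER BINARY
# Requires both exit status 0 and the VALID SIGNATURE message documented on
# the page; any other outcome (including "Invalid or missing signature") fails.
verify_binary() {
    out=$("$1" "$2") || return 1
    case "$out" in
        *"VALID SIGNATURE") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of gpg --status-fd output (illustrative only, not real
# output for the key above). Field layout follows gpg's VALIDSIG line:
# fingerprint, sig date, sig timestamp, expiry, version, reserved, algos, class.
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AE96EC3E8E1F27C6 Constructed test key <placeholder@example.invalid>
[GNUPG:] VALIDSIG CEC20C193A94F31CE670C668AE96EC3E8E1F27C6 2021-01-01 1609459200 0 4 0 1 10 00 CEC20C193A94F31CE670C668AE96EC3E8E1F27C6
[GNUPG:] TRUST_UNDEFINED 0 pgp"

if check_validsig "$SAMPLE_STATUS"; then
    echo "sample status: pinned fingerprint matched"
else
    echo "sample status: fingerprint mismatch"
fi

# Real usage, once the files from the Tools page are downloaded:
#   verify_download rumble-verifier-1.0.0-windows-amd64.exe.asc &&
#   verify_binary ./rumble-verifier-1.0.0-windows-amd64.exe rumble-agent-0.5.30-windows-amd64.exe
```

The fingerprint comparison is the important part: importing the key from keybase.io puts it in a keyring that may already hold other keys, and "Good signature" alone only tells you that some key you have imported signed the file. Pinning EXPECTED_FPR turns the page's stated key ID into an enforced check rather than something a human has to read off the screen.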