Rumble uses uses dynamically generated binaries for the Rumble Scanner and Rumble Agent downloads. Although Windows
binaries have a valid Authenticode signature (signed by Critical Research Corporation),
all binaries also contain a secondary, internal signature. Dynamic binaries make it easy to deploy agents that connect
back to the right organization but present a challenge for independent integrity
validation. To enable verification of the internal signature, we offer the
Rumble Verifier. This verification tool can
confirm whether a given binary contains a valid internal signature, in addition to any existing Authenticode signatures.
To get started, download the latest version of the verifier from the bottom of this page along with the PGP signature file for the selected architecture.
The Rumble Verifier is always signed by PGP Key ID AE96EC3E8E1F27C6.
To validate the signature of the Rumble Verifier for Windows 64-bit, you will need a GPG client and to run the following commands.
c:\> curl https://keybase.io/hdm/pgp_keys.asc | gpg --import c:\> gpg --verify rumble-verifier-1.0.0-windows-amd64.exe.asc
Successful validation will show a valid signature by key ID
gpg: Signature made Wed 05 Jun 2019 06:39:03 PM EDT gpg: using RSA key CEC20C193A94F31CE670C668AE96EC3E8E1F27C6
The warning below is expected and does not indicate a problem with the signature:
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
Once the Rumble Verifier itself has been validated, it can be used to check the signature of any Rumble binary:
c:\> rumble-verifier-1.0.0-windows-amd64.exe rumble-agent-0.5.30-windows-amd64.exe rumble-agent-0.5.30-windows-amd64.exe: VALID SIGNATURE
A failed validation will show the error
Invalid or missing signature and the verifier will set exit status to 1.