Rumble Binary Verification

Rumble uses dynamically generated binaries for the Rumble Scanner and Rumble Agent downloads. Although Windows binaries have a valid Authenticode signature (signed by Critical Research Corporation), all binaries also contain a secondary, internal signature. Dynamic binaries make it easy to deploy agents that connect back to the right organization but present a challenge for independent integrity validation. To enable verification of the internal signature, we offer the Rumble Verifier. This verification tool can confirm whether a given binary contains a valid internal signature, in addition to any existing Authenticode signatures.

To get started, download the latest version of the verifier from the bottom of this page along with the PGP signature file for the selected architecture.

The Rumble Verifier is always signed by PGP Key ID AE96EC3E8E1F27C6.

To validate the signature of the Rumble Verifier for Windows 64-bit, install a GPG client and run the following commands:

c:\> curl https://keybase.io/hdm/pgp_keys.asc | gpg --import
c:\> gpg --verify rumble-verifier-1.0.0-windows-amd64.exe.asc

Successful validation will show a valid signature made with the key whose full fingerprint is CEC20C193A94F31CE670C668AE96EC3E8E1F27C6 (its last 16 hex digits are the key ID AE96EC3E8E1F27C6):

gpg: Signature made Wed 05 Jun 2019 06:39:03 PM EDT
gpg:                using RSA key CEC20C193A94F31CE670C668AE96EC3E8E1F27C6

The warning below is expected and does not indicate a problem with the signature:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Once the Rumble Verifier itself has been validated, it can be used to check the signature of any Rumble binary:

c:\> rumble-verifier-1.0.0-windows-amd64.exe rumble-agent-0.5.30-windows-amd64.exe
rumble-agent-0.5.30-windows-amd64.exe: VALID SIGNATURE

A failed validation will show the error "Invalid or missing signature" and the verifier will set its exit status to 1.
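The two checks above can be scripted so the fingerprint is compared by the machine rather than by eye. The following is an added example, not Rumble's own code: it goes slightly beyond the commands shown by reading gpg's machine-readable `--status-fd` output, and it assumes `gpg` is on the PATH, the signing key has already been imported as shown earlier, and the script name `check.py` is hypothetical.

```python
import subprocess
import sys

# Full fingerprint of the verifier's signing key, as given on this page.
PINNED_FPR = "CEC20C193A94F31CE670C668AE96EC3E8E1F27C6"
# gpg status keywords that mean the signature must be rejected.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of `gpg --status-fd 1 --verify` output (not a real capture).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AE96EC3E8E1F27C6 Constructed Example Key
[GNUPG:] VALIDSIG CEC20C193A94F31CE670C668AE96EC3E8E1F27C6 2019-06-05 1559774343 0 4 0 1 8 00 CEC20C193A94F31CE670C668AE96EC3E8E1F27C6
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def signed_by_pinned_key(status_text, pinned=PINNED_FPR):
    """True only if gpg reports a good signature made by the pinned key."""
    good, fprs = False, set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable output is ignored
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # First field: signing key fingerprint; last: primary key's.
            fprs.update(a.upper() for a in (args[0], args[-1]))
    return good and pinned.upper() in fprs


def verify(verifier, sig, binary):
    """Check the verifier's detached signature, then run it on a binary."""
    gpg = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig, verifier],
                         capture_output=True, text=True)
    if gpg.returncode != 0 or not signed_by_pinned_key(gpg.stdout):
        return False
    # Per the page, the verifier exits with status 1 on a failed validation.
    return subprocess.run([verifier, binary]).returncode == 0


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check.py VERIFIER VERIFIER.asc RUMBLE_BINARY")
    sys.exit(0 if verify(*sys.argv[1:]) else 1)
```

Because the "not certified with a trusted signature" warning is expected, the pinned fingerprint comparison is what ties the signature to the key named on this page.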