Rumble uses dynamically generated binaries for the Rumble Scanner and Rumble Agent downloads. Although the Windows binaries carry a valid Authenticode signature (signed by Critical Research Corporation), all binaries also contain a secondary, internal signature. Dynamic binaries make it easy to deploy agents that connect back to the right organization, but they present a challenge for independent integrity validation: every download is a distinct file, so there is no single published hash to compare against.

To enable verification of the internal signature, we offer the Rumble Verifier, available from the Tools section of the Rumble Console. This tool confirms whether a given binary contains a valid internal signature, in addition to any existing Authenticode signature.
To get started, download the latest version of the verifier from the Tools page, along with the PGP signature file for the selected architecture.
The Rumble Verifier is always signed by PGP Key ID AE96EC3E8E1F27C6.
To validate the signature of version 1.0.0 of the Rumble Verifier for Windows 64-bit, you will need a GPG client. Import the signing key and verify the detached signature (gpg derives the name of the signed file by dropping the .asc extension, so the verifier binary must sit in the same directory as its .asc file):

c:\> curl https://keybase.io/hdm/pgp_keys.asc | gpg --import
c:\> gpg --verify rumble-verifier-1.0.0-windows-amd64.exe.asc
Successful validation is indicated by a "Good signature" message naming key ID AE96EC3E8E1F27C6. Note that gpg exits 0 for a good signature from any key in your keyring, so confirm the key ID in the output rather than relying on the exit status alone. gpg may also warn that the key is not certified with a trusted signature; that warning reflects your local web-of-trust settings, not the validity of the signature itself.
Once the Rumble Verifier itself has been validated, it can be used to check the signature of any Rumble binary:
c:\> rumble-verifier-1.0.0-windows-amd64.exe rumble-agent-0.5.30-windows-amd64.exe
rumble-agent-0.5.30-windows-amd64.exe: VALID SIGNATURE
A failed validation prints the error "Invalid or missing signature" and the verifier sets its exit status to 1, so the result can also be checked from scripts rather than by reading the output.
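The two-step procedure above, wrapped in a script that pins the expected PGP key and checks the verifier's exit status, as an added example. This is not Rumble's own code; it assumes a bash-compatible shell (Git Bash or WSL on Windows, or a Linux host), a gpg binary on the PATH, and the file names shown on this page. The key ID is taken from the page; the 40-character fingerprint in the sample gpg status output is constructed for the self-test and is not the real fingerprint of that key. The script reads gpg's machine-readable status lines (--status-fd) instead of trusting the exit code, because gpg returns 0 for a good signature from any key in the keyring.

```shell
#!/usr/bin/env bash
# Added example (not Rumble's code): verify the Rumble Verifier's detached PGP
# signature against a pinned key ID, then run the verifier on an agent binary.
set -eu

# Key ID stated on the Rumble Verifier page.
EXPECTED_KEYID="AE96EC3E8E1F27C6"

# check_validsig EXPECTED_KEYID GPG_STATUS_TEXT
# Parses "gpg --status-fd" output. A "VALIDSIG <fingerprint> ..." line is only
# emitted for a signature that actually verified; the long key ID is the last
# 16 hex digits of the fingerprint. Returns 0 on a match, 1 if no VALIDSIG
# line is present, 2 if the signature is valid but made by a different key.
check_validsig() {
  expected="$1"
  status="$2"
  fpr=$(printf '%s\n' "$status" \
        | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" && !found {print $3; found=1}')
  [ -n "$fpr" ] || return 1
  keyid=$(printf '%s' "$fpr" | tail -c 16)
  [ "$keyid" = "$expected" ] || return 2
  return 0
}

# verify_pgp BINARY SIGFILE
# Runs gpg with status output on stdout and defers to check_validsig, so a
# good signature from the wrong key is still rejected.
verify_pgp() {
  binary="$1"
  sigfile="$2"
  status=$(gpg --status-fd 1 --verify "$sigfile" "$binary" 2>/dev/null) || true
  check_validsig "$EXPECTED_KEYID" "$status"
}

# run_verifier VERIFIER TARGET
# The verifier prints "<file>: VALID SIGNATURE" and exits 0 on success, or
# prints "Invalid or missing signature" and exits 1 on failure.
run_verifier() {
  verifier="$1"
  target="$2"
  rc=0
  "$verifier" "$target" || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "$target: internal signature check FAILED (exit $rc)" >&2
    return 1
  fi
  return 0
}

# Usage: ./check-rumble.sh VERIFIER VERIFIER.asc AGENT_BINARY
# Example:
#   ./check-rumble.sh rumble-verifier-1.0.0-windows-amd64.exe \
#       rumble-verifier-1.0.0-windows-amd64.exe.asc \
#       rumble-agent-0.5.30-windows-amd64.exe
if [ "$#" -eq 3 ]; then
  if verify_pgp "$1" "$2"; then
    echo "$1: PGP signature by key $EXPECTED_KEYID is good"
  else
    echo "$1: PGP verification failed or signed by an unexpected key" >&2
    exit 1
  fi
  run_verifier "$1" "$3"
fi
```

The script refuses to run the verifier unless its own PGP signature checks out against the pinned key, which is the order of trust the page describes: first establish that the verifier is genuine, then let it judge the agent binary.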