Verify Slack for Linux (beta) package signatures

Our Slack for Linux (beta) app’s packages are signed with GPG keys to show that they're coming from Slack. Use the signatures to verify the authenticity of our packages.

Note: To download Slack for Linux (beta), visit our Downloads page.


Verify package signatures

To complete these steps, you'll need superuser privileges. 

RPM-based distributions

  1. Download Slack's public key:  wget https://slack.com/gpg/slack_pubkey_2019.gpg
  2. Import Slack’s public key into RPM: 
    sudo rpm --import slack_pubkey_2019.gpg
  3. Check the package signature:
    rpm --checksig slack-2.8.0-0.1.fc21.x86_64.rpm
    The output should say: 
    slack-2.8.0-0.1.fc21.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

Debian-based distributions

Here's how to verify package signatures using debsig-verify 0.14, which is in Ubuntu 18.04.
  1. The Slack for Linux (beta) app is signed using debsigs. You will need to install the program debsig-verify to verify the packages: sudo apt install debsig-verify
  2. Next, download Slack's public key:
    wget https://slack.com/gpg/slack_pubkey_2019.gpg
  3. Create directories to store debsigs policies and keyrings for Slack’s public key: 
    sudo mkdir -p /usr/share/debsig/keyrings/F18462078E6C9578
    sudo mkdir -p /etc/debsig/policies/F18462078E6C9578
  4. Import Slack’s public key into the corresponding debsigs keyring:
    sudo gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/F18462078E6C9578/debsig.gpg --import slack_pubkey_2019.gpg
  5. Create a new file in your editor of choice:
    /etc/debsig/policies/F18462078E6C9578/slack.pol
    Then, paste the following:
    <?xml version="1.0"?>
    <!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
    <Policy xmlns="http://www.debian.org/debsig/1.0/">
    <Origin Name="Slack" id="F18462078E6C9578" Description="Slack"/>
    <Selection>
    <Required Type="origin" File="debsig.gpg" id="F18462078E6C9578"/>
    </Selection>
    <Verification>
    <Required Type="origin" File="debsig.gpg" id="F18462078E6C9578"/>
    </Verification>
    </Policy>
  6. Save the file, and exit the editor.
  7. Check the package signature:
    debsig-verify slack-desktop-2.8.0-amd64.deb
    The output should say: 
    Debsig: Verified package from ‘Slack’ (Slack)