2018-10-28 18:05:01 +00:00
---
2021-01-14 15:19:37 +00:00
title: Verifying Monero Binaries Signature
2018-10-28 18:05:01 +00:00
---
# Verify Monero Binaries
Verification must be carried on **before extracting the archive and before using Monero** .
2020-06-12 23:01:29 +00:00
Instructions were tested on Linux. They should also work on macOS with slight modifications.
2018-10-28 18:05:01 +00:00
2021-01-14 15:19:37 +00:00
## 1. Import lead maintainer PGP key
2018-10-28 18:05:01 +00:00
This is a one time action. Skip this step for subsequent Monero releases.
Monero core developers sign a list of hashes of released binaries.
2020-06-12 23:01:29 +00:00
BinaryFate is Monero core developer who signs the releases.
His public key is available on GitHub in the project source code.
Import binaryFate's public key to your keyring:
2018-10-28 18:05:01 +00:00
2020-06-12 23:01:29 +00:00
`curl https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc | gpg --import`
2018-10-28 18:05:01 +00:00
2020-06-12 23:01:29 +00:00
Trust binaryFate's public key (fingerprint must be exactly this):
2018-10-28 18:05:01 +00:00
2020-06-12 23:01:29 +00:00
gpg --edit-key '81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92'
2018-10-28 18:05:01 +00:00
trust
2020-06-12 23:01:29 +00:00
4
2018-10-28 18:05:01 +00:00
2018-10-28 21:40:38 +00:00
!!! danger
If key with this fingerprint was not found then remove imported key immediately (gpg --delete-keys ...).
That would mean the key changed (likely was compromised).
2020-06-12 23:01:29 +00:00
## 2. Verify signature of hash list (hashes.txt)
2018-10-28 18:05:01 +00:00
The list of binaries and their hashes is published on [getmonero.org ](https://www.getmonero.org/downloads/hashes.txt ) and a few other places like release notes on [r/monero ](https://reddit.com/r/monero ).
2020-06-12 23:01:29 +00:00
Please note the publication channel does not matter as long as you properly verify the signature! u
2018-10-28 18:05:01 +00:00
2020-06-12 23:01:29 +00:00
To verify these are real hashes (not tampered with) run:
2018-10-28 18:05:01 +00:00
2020-06-12 23:01:29 +00:00
`curl https://www.getmonero.org/downloads/hashes.txt | gpg --verify`
2018-10-28 18:05:01 +00:00
2019-02-22 12:23:14 +00:00
The expected output should contain the line:
2018-10-28 18:05:01 +00:00
2020-06-12 23:01:29 +00:00
`gpg: Good signature from "binaryFate <binaryfate@getmonero.org>"`
2018-10-28 18:05:01 +00:00
2019-02-22 12:23:14 +00:00
## 3. Verify the hash
2018-10-28 18:05:01 +00:00
By this step we checked that published hashes were not tampered with.
2018-10-28 21:40:38 +00:00
The last step is to compare published hash with downloaded archive SHA-256 hash.
2018-10-28 18:05:01 +00:00
2024-09-18 13:08:11 +00:00
[Download Monero ](../interacting/download-monero-binaries.md ) if you didn't already (but do not unpack).
2018-10-31 20:37:20 +00:00
Replace the example file name with actual one:
2018-10-28 18:05:01 +00:00
2021-01-11 15:12:26 +00:00
file_name=monero-gui-linux-x64-v0.17.1.9.tar.bz2
2018-10-28 18:05:01 +00:00
2018-10-28 21:40:38 +00:00
file_hash=`sha256sum $file_name | cut -c 1-64`
2018-10-28 18:05:01 +00:00
curl https://www.getmonero.org/downloads/hashes.txt > /tmp/reference-hashes.txt
2018-10-31 20:37:20 +00:00
# verify the signature (previous step is repeated here for completeness)
2018-10-28 18:05:01 +00:00
gpg --verify /tmp/reference-hashes.txt
2018-10-31 20:37:20 +00:00
# grep must print the hash (output cannot be empty)
2020-06-12 23:01:29 +00:00
grep $file_hash /tmp/reference-hashes.txt
2018-10-28 18:05:01 +00:00
2018-10-28 21:40:38 +00:00
!!! danger
If the grep output is empty then double check everything because apparently the hashes don't match.
2018-10-28 18:05:01 +00:00
2020-06-12 23:01:29 +00:00
If grep printed filename and hash then everything is alright!
