Update signature verification guide to include binaryFate and 0.16.0.0 release

Piotr Włodarek 2020-06-13 01:01:29 +02:00
parent 1cb9cdeabb
commit 0fa555256e
2 changed files with 19 additions and 19 deletions

@ -13,15 +13,15 @@ This is a one time action. Skip this step for subsequent Monero releases.
Monero core developers sign a list of hashes of released binaries. Monero core developers sign a list of hashes of released binaries.
Riccardo "fluffypony" Spagni is Monero core developer who signs the releases. BinaryFate is Monero core developer who signs the releases.
Riccardo's public key is available on GitHub in the project source code. His public key is available on GitHub in the project source code.
Import Riccardo's public key to your keyring: Import binaryFate's public key to your keyring:
`curl https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/fluffypony.asc | gpg --import` `curl https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc | gpg --import`
Trust Riccardo's public key (fingerprint must be exactly this): Trust binaryFate's public key (fingerprint must be exactly this):
gpg --edit-key 'BDA6BD7042B721C467A9759D7455C5E3C0CDCEB9' gpg --edit-key '81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92'
trust trust
4 4
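Review bot: The section context in the hunk header still says "This is a one time action. Skip this step for subsequent Monero releases.", but this hunk swaps the signing key from fluffypony.asc to binaryfate.asc, so a reader who did step 1 for an earlier release and skips it now will not have the binaryFate key in their keyring when they reach step 2. Suggest adding a sentence near that line saying the step must be repeated whenever the signer changes. Smaller points on the new lines: the name is spelled "BinaryFate" on the first changed line and "binaryFate" on the following ones, and "is Monero core developer" is missing an article ("is a Monero core developer").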
@ -29,7 +29,7 @@ Trust Riccardo's public key (fingerprint must be exactly this):
If key with this fingerprint was not found then remove imported key immediately (gpg --delete-keys ...). If key with this fingerprint was not found then remove imported key immediately (gpg --delete-keys ...).
That would mean the key changed (likely was compromised). That would mean the key changed (likely was compromised).
## 2. Verify signature of hash list ## 2. Verify signature of hash list (hashes.txt)
The list of binaries and their hashes is published on [getmonero.org](https://www.getmonero.org/downloads/hashes.txt) and a few other places like release notes on [r/monero](https://reddit.com/r/monero). The list of binaries and their hashes is published on [getmonero.org](https://www.getmonero.org/downloads/hashes.txt) and a few other places like release notes on [r/monero](https://reddit.com/r/monero).
Please note the publication channel does not matter as long as you properly verify the signature! u Please note the publication channel does not matter as long as you properly verify the signature! u
@ -40,7 +40,7 @@ To verify these are real hashes (not tampered with) run:
The expected output should contain the line: The expected output should contain the line:
`gpg: Good signature from "Riccardo Spagni <ric@spagni.net>" [full]` `gpg: Good signature from "binaryFate <binaryfate@getmonero.org>"`
## 3. Verify the hash ## 3. Verify the hash
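Review bot: The new expected-output line drops the `[full]` marker that the old line carried, and nothing in the hunk says which validity marker a reader should expect after the `trust` / `4` step in section 1. Suggest either showing the complete line as gpg prints it for this key, or stating that the bracketed marker may differ. Because the name and e-mail in a user ID can be chosen freely by whoever creates a key, it would also help to tell the reader to compare the fingerprint gpg reports against 81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92 from section 1 rather than relying on the "binaryFate <binaryfate@getmonero.org>" string alone.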
@ -52,7 +52,7 @@ The last step is to compare published hash with downloaded archive SHA-256 hash.
Replace the example file name with actual one: Replace the example file name with actual one:
file_name=monero-linux-x64-v0.14.0.0.tar.bz2 file_name=monero-gui-linux-x64-v0.16.0.0.tar.bz2
file_hash=`sha256sum $file_name | cut -c 1-64` file_hash=`sha256sum $file_name | cut -c 1-64`
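Review bot: The example file name changes product as well as version: `monero-linux-x64-v0.14.0.0.tar.bz2` becomes `monero-gui-linux-x64-v0.16.0.0.tar.bz2`, while the commit message only mentions the 0.16.0.0 release. Please confirm the switch to the GUI archive is intended for this guide. While this block is being touched, the unchanged line `sha256sum $file_name | cut -c 1-64` leaves the variable unquoted; quoting it as "$file_name" would keep the command working if the reader substitutes a path containing spaces.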
@ -67,4 +67,4 @@ Replace the example file name with actual one:
!!! danger !!! danger
If the grep output is empty then double check everything because apparently the hashes don't match. If the grep output is empty then double check everything because apparently the hashes don't match.
If grep printed filename and a hash then everything is alright! If grep printed filename and hash then everything is alright!