mirror of
https://github.com/monero-project/monero-docs.git
synced 2024-12-22 19:49:22 +00:00
Update signature verification guide to include binaryFate and 0.16.0.0 release
parent
1cb9cdeabb
commit
0fa555256e
2 changed files with 19 additions and 19 deletions
|
@ -24,13 +24,13 @@ Download the latest version matching your operating system and processor archite
|
||||||
|
|
||||||
The CLI version is released earlier and is suitable for server deployments.
|
The CLI version is released earlier and is suitable for server deployments.
|
||||||
|
|
||||||
The GUI version contains both CLI and GUI. It is preferable for end-users.
|
The GUI version contains both CLI and GUI. It is preferable for end-users.
|
||||||
|
|
||||||
All versions contain a full node and a wallet.
|
All versions contain a full node and a wallet.
|
||||||
|
|
||||||
## Why prefer GitHub over getmonero.org?
|
## Why prefer GitHub over getmonero.org?
|
||||||
|
|
||||||
Binaries appear earlier on GitHub.
|
Binaries appear earlier on GitHub.
|
||||||
|
|
||||||
On top of that, if you fail to properly verify the signature, GitHub is safer, simply because you don't need to trust a separate website to not be compromised.
|
On top of that, if you fail to properly verify the signature, GitHub is safer, simply because you don't need to trust a separate website to not be compromised.
|
||||||
Obviously, you should still carefully verify the signature for each release. Signature verification is always the primary line of defense.
|
Obviously, you should still carefully verify the signature for each release. Signature verification is always the primary line of defense.
|
||||||
|
|
|
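Review bot: Every line in this hunk reads the same on the old and new side, so the change here appears to be whitespace only, which the commit message (binaryFate and the 0.16.0.0 release) does not mention. Consider moving the whitespace cleanup to its own commit, or noting it in the message, so the signing-key change in the other file is easier to review in isolation.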
@ -5,7 +5,7 @@ title: Verifying Monero Binaries Signature | Monero Documentation
|
||||||
|
|
||||||
Verification must be carried on **before extracting the archive and before using Monero**.
|
Verification must be carried on **before extracting the archive and before using Monero**.
|
||||||
|
|
||||||
Instructions were tested on Linux. They should also work on macOS with slight modifications.
|
Instructions were tested on Linux. They should also work on macOS with slight modifications.
|
||||||
|
|
||||||
## 1. Import core dev PGP key
|
## 1. Import core dev PGP key
|
||||||
|
|
||||||
|
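Review bot: The line "Verification must be carried on **before extracting the archive and before using Monero**" should read "carried out"; since this hunk already touches the surrounding lines, fix the wording here. The macOS sentence would also be more useful if it named the "slight modifications" it refers to.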
@ -13,34 +13,34 @@ This is a one time action. Skip this step for subsequent Monero releases.
|
||||||
|
|
||||||
Monero core developers sign a list of hashes of released binaries.
|
Monero core developers sign a list of hashes of released binaries.
|
||||||
|
|
||||||
Riccardo "fluffypony" Spagni is Monero core developer who signs the releases.
|
BinaryFate is Monero core developer who signs the releases.
|
||||||
Riccardo's public key is available on GitHub in the project source code.
|
His public key is available on GitHub in the project source code.
|
||||||
Import Riccardo's public key to your keyring:
|
Import binaryFate's public key to your keyring:
|
||||||
|
|
||||||
`curl https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/fluffypony.asc | gpg --import`
|
`curl https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc | gpg --import`
|
||||||
|
|
||||||
Trust Riccardo's public key (fingerprint must be exactly this):
|
Trust binaryFate's public key (fingerprint must be exactly this):
|
||||||
|
|
||||||
gpg --edit-key 'BDA6BD7042B721C467A9759D7455C5E3C0CDCEB9'
|
gpg --edit-key '81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92'
|
||||||
trust
|
trust
|
||||||
4
|
4
|
||||||
|
|
||||||
!!! danger
|
!!! danger
|
||||||
If key with this fingerprint was not found then remove imported key immediately (gpg --delete-keys ...).
|
If key with this fingerprint was not found then remove imported key immediately (gpg --delete-keys ...).
|
||||||
That would mean the key changed (likely was compromised).
|
That would mean the key changed (likely was compromised).
|
||||||
|
|
||||||
## 2. Verify signature of hash list
|
## 2. Verify signature of hash list (hashes.txt)
|
||||||
|
|
||||||
The list of binaries and their hashes is published on [getmonero.org](https://www.getmonero.org/downloads/hashes.txt) and a few other places like release notes on [r/monero](https://reddit.com/r/monero).
|
The list of binaries and their hashes is published on [getmonero.org](https://www.getmonero.org/downloads/hashes.txt) and a few other places like release notes on [r/monero](https://reddit.com/r/monero).
|
||||||
Please note the publication channel does not matter as long as you properly verify the signature! u
|
Please note the publication channel does not matter as long as you properly verify the signature! u
|
||||||
|
|
||||||
To verify these are real hashes (not tampered with) run:
|
To verify these are real hashes (not tampered with) run:
|
||||||
|
|
||||||
`curl https://www.getmonero.org/downloads/hashes.txt | gpg --verify`
|
`curl https://www.getmonero.org/downloads/hashes.txt | gpg --verify`
|
||||||
|
|
||||||
The expected output should contain the line:
|
The expected output should contain the line:
|
||||||
|
|
||||||
`gpg: Good signature from "Riccardo Spagni <ric@spagni.net>" [full]`
|
`gpg: Good signature from "binaryFate <binaryfate@getmonero.org>"`
|
||||||
|
|
||||||
## 3. Verify the hash
|
## 3. Verify the hash
|
||||||
|
|
||||||
|
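Review bot: The new expected-output line in section 2, `gpg: Good signature from "binaryFate <binaryfate@getmonero.org>"`, drops the trailing validity marker that the old line had (`[full]`), which leaves the reader matching on a user ID string alone, and a user ID is free text that any key can carry. Say which marker the reader should see after the `trust` / `4` step in section 1, and tell them to compare the primary key fingerprint that `gpg --verify` prints against `81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92`, the same value section 1 already requires. Smaller points in the same hunk: the name is spelled "BinaryFate" on one line and "binaryFate" on the others, "is Monero core developer" is missing "a", and the stray "u" after "properly verify the signature!" is carried over unchanged.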
@ -52,7 +52,7 @@ The last step is to compare published hash with downloaded archive SHA-256 hash.
|
||||||
|
|
||||||
Replace the example file name with actual one:
|
Replace the example file name with actual one:
|
||||||
|
|
||||||
file_name=monero-linux-x64-v0.14.0.0.tar.bz2
|
file_name=monero-gui-linux-x64-v0.16.0.0.tar.bz2
|
||||||
|
|
||||||
file_hash=`sha256sum $file_name | cut -c 1-64`
|
file_hash=`sha256sum $file_name | cut -c 1-64`
|
||||||
|
|
||||||
|
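Review bot: Nothing checks that `file_hash` was actually computed: if the name assigned to `file_name` does not match the downloaded file, `sha256sum $file_name | cut -c 1-64` yields an empty string and the later `grep $file_hash ...` no longer tests what the guide says it tests. Since the example name is being changed here anyway, quote the variable (`"$file_name"`), prefer `$(...)` over backticks, and add a line telling the reader to confirm the hash is 64 hex characters before continuing.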
@ -62,9 +62,9 @@ Replace the example file name with actual one:
|
||||||
gpg --verify /tmp/reference-hashes.txt
|
gpg --verify /tmp/reference-hashes.txt
|
||||||
|
|
||||||
# grep must print the hash (output cannot be empty)
|
# grep must print the hash (output cannot be empty)
|
||||||
grep $file_hash /tmp/reference-hashes.txt
|
grep $file_hash /tmp/reference-hashes.txt
|
||||||
|
|
||||||
!!! danger
|
!!! danger
|
||||||
If the grep output is empty then double check everything because apparently the hashes don't match.
|
If the grep output is empty then double check everything because apparently the hashes don't match.
|
||||||
|
|
||||||
If grep printed filename and a hash then everything is alright!
|
If grep printed filename and hash then everything is alright!
|
||||||
|
|
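Review bot: The `grep $file_hash /tmp/reference-hashes.txt` line runs whether or not the preceding `gpg --verify /tmp/reference-hashes.txt` succeeded, and it searches the whole downloaded file, so a match does not show that the hash sits inside the signed content. Chain the two steps with `&&` and grep the verified text instead, for example the output of `gpg --decrypt /tmp/reference-hashes.txt`, and quote `"$file_hash"`. The closing sentence "If grep printed filename and hash then everything is alright!" should then add that the gpg step must also have reported a good signature.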