mirror of
https://github.com/monero-project/monero-docs.git
synced 2025-01-08 20:09:31 +00:00
Update signature verification guide to include binaryFate and 0.16.0.0 release
parent
1cb9cdeabb
commit
0fa555256e
2 changed files with 19 additions and 19 deletions
|
@ -13,15 +13,15 @@ This is a one time action. Skip this step for subsequent Monero releases.
|
|||
|
||||
Monero core developers sign a list of hashes of released binaries.
|
||||
|
||||
Riccardo "fluffypony" Spagni is Monero core developer who signs the releases.
|
||||
Riccardo's public key is available on GitHub in the project source code.
|
||||
Import Riccardo's public key to your keyring:
|
||||
BinaryFate is Monero core developer who signs the releases.
|
||||
His public key is available on GitHub in the project source code.
|
||||
Import binaryFate's public key to your keyring:
|
||||
|
||||
`curl https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/fluffypony.asc | gpg --import`
|
||||
`curl https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc | gpg --import`
|
||||
|
||||
Trust Riccardo's public key (fingerprint must be exactly this):
|
||||
Trust binaryFate's public key (fingerprint must be exactly this):
|
||||
|
||||
gpg --edit-key 'BDA6BD7042B721C467A9759D7455C5E3C0CDCEB9'
|
||||
gpg --edit-key '81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92'
|
||||
trust
|
||||
4
|
||||
|
||||
|
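Review bot: The commit title says the guide is updated to "include" binaryFate, but in this hunk every fluffypony line (the "Riccardo" sentences, the `fluffypony.asc` URL and the `BDA6BD70...` fingerprint) is replaced rather than kept alongside the new key, so a reader who needs to check a release signed with the previous key no longer finds instructions here. Either keep a short note on the old key for earlier releases or reword the title to say the signer was replaced. Minor wording in the same hunk: "BinaryFate is Monero core developer" is capitalised differently from "binaryFate" in the following lines and is missing "a".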
@ -29,7 +29,7 @@ Trust Riccardo's public key (fingerprint must be exactly this):
|
|||
If key with this fingerprint was not found then remove imported key immediately (gpg --delete-keys ...).
|
||||
That would mean the key changed (likely was compromised).
|
||||
|
||||
## 2. Verify signature of hash list
|
||||
## 2. Verify signature of hash list (hashes.txt)
|
||||
|
||||
The list of binaries and their hashes is published on [getmonero.org](https://www.getmonero.org/downloads/hashes.txt) and a few other places like release notes on [r/monero](https://reddit.com/r/monero).
|
||||
Please note the publication channel does not matter as long as you properly verify the signature! u
|
||||
|
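Review bot: Renaming the heading to "## 2. Verify signature of hash list (hashes.txt)" changes the anchor generated for this section, so any link from other pages that points at the old heading will stop resolving. Check for inbound links to this section before merging, or put the file name in the first sentence under the heading instead, which already links to `hashes.txt`.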
@ -40,7 +40,7 @@ To verify these are real hashes (not tampered with) run:
|
|||
|
||||
The expected output should contain the line:
|
||||
|
||||
`gpg: Good signature from "Riccardo Spagni <ric@spagni.net>" [full]`
|
||||
`gpg: Good signature from "binaryFate <binaryfate@getmonero.org>"`
|
||||
|
||||
## 3. Verify the hash
|
||||
|
||||
|
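Review bot: The new expected line `gpg: Good signature from "binaryFate <binaryfate@getmonero.org>"` drops the `[full]` suffix that the old line carried, while section 1 still has the reader set trust level `4` on the key. As written, the reader cannot tell which validity marker to expect after that trust step, or how to read the output if gpg adds a warning that the key is not certified. State which suffix, if any, should follow the quoted name, and say that the comparison is on the "Good signature from" part and the signer identity.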
@ -52,7 +52,7 @@ The last step is to compare published hash with downloaded archive SHA-256 hash.
|
|||
|
||||
Replace the example file name with actual one:
|
||||
|
||||
file_name=monero-linux-x64-v0.14.0.0.tar.bz2
|
||||
file_name=monero-gui-linux-x64-v0.16.0.0.tar.bz2
|
||||
|
||||
file_hash=`sha256sum $file_name | cut -c 1-64`
|
||||
|
||||
|
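Review bot: The example file name changes from `monero-linux-x64-v0.14.0.0.tar.bz2` to `monero-gui-linux-x64-v0.16.0.0.tar.bz2`, which switches the example from the CLI archive to the GUI archive as well as bumping the version. If only the version bump was intended, keep the CLI name with `v0.16.0.0`; if the GUI archive is intended, mention in the text above that the same steps apply to both. While touching this block, `sha256sum $file_name` in the context line would be safer with the variable quoted.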
@ -67,4 +67,4 @@ Replace the example file name with actual one:
|
|||
!!! danger
|
||||
If the grep output is empty then double check everything because apparently the hashes don't match.
|
||||
|
||||
If grep printed filename and a hash then everything is alright!
|
||||
If grep printed filename and hash then everything is alright!
|
||||
|
|
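Review bot: Dropping the article in the last line ("If grep printed filename and hash") makes the sentence read worse than the line it replaces. Suggest "If grep printed the file name and its hash then everything is alright!", and use the same wording for "the grep output" in the danger line above so the two outcomes are described consistently.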