From ac2d7341c3b192065ddb47b9dab131f9b9362cb6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Piotr=20W=C5=82odarek?= Date: Sun, 28 Oct 2018 19:05:01 +0100 Subject: [PATCH] Add "Download" and "Verify" chapters --- docs/interacting/download-monero-binaries.md | 37 +++++++++++ docs/interacting/overview.md | 2 - docs/interacting/verify-monero-binaries.md | 64 ++++++++++++++++++++ mkdocs.yml | 2 + 4 files changed, 103 insertions(+), 2 deletions(-) create mode 100644 docs/interacting/download-monero-binaries.md create mode 100644 docs/interacting/verify-monero-binaries.md diff --git a/docs/interacting/download-monero-binaries.md b/docs/interacting/download-monero-binaries.md new file mode 100644 index 0000000..602e08a --- /dev/null +++ b/docs/interacting/download-monero-binaries.md @@ -0,0 +1,37 @@ +--- +title: Download Monero | Monero Documentation +--- + +# Download Monero + +A single archive contains all you need to start using Monero (the full node and the wallet). + +We recommend downloading Monero binaries directly from GitHub: + +* GUI + CLI: [https://github.com/monero-project/monero-gui/releases](https://github.com/monero-project/monero-gui/releases) +* CLI only: [https://github.com/monero-project/monero/releases](https://github.com/monero-project/monero/releases) + +GUI is a graphical desktop wallet. + +CLI is a commandline desktop wallet. + +If you need more guidance check [download Monero](https://getmonero.org/downloads) section on Monero website. + +It is critical to [verify the signature](/interacting/verify-monero-binaries) of downloaded archive. + +## Which version to download? + +Download the latest version matching your operating system and processor architecture. + +The CLI version is released earlier and is suitable for server deployments. + +The GUI version contains both CLI and GUI. It is preferable for end-users. + +All versions contain a full node and a wallet. + +## Why prefer GitHub over getmonero.org? + +Binaries appear earlier on GitHub. + +On top of that, if you fail to properly verify the signature, GitHub is safer, simply because you don't need to trust a separate website to not be compromised. +Obviously, you should still carefully verify the signature for each release. Signature verification is always the primary line of defense. diff --git a/docs/interacting/overview.md b/docs/interacting/overview.md index fa15a38..84b7f98 100644 --- a/docs/interacting/overview.md +++ b/docs/interacting/overview.md @@ -10,8 +10,6 @@ On top of that, Monero nodes interact with each other in a peer-to-peer network. ## Installation directory overview -[Download Monero](https://getmonero.org/downloads). - Once unpacked you will see several executable files. You will also find a nice PDF guide for the GUI wallet. Monero project nicely decouples network node logic from wallet logic. diff --git a/docs/interacting/verify-monero-binaries.md b/docs/interacting/verify-monero-binaries.md new file mode 100644 index 0000000..f9ca1df --- /dev/null +++ b/docs/interacting/verify-monero-binaries.md @@ -0,0 +1,64 @@ +--- +title: Verify Monero Binaries Signature | Monero Documentation +--- + +# Verify Monero Binaries + +Verification must be carried on **before extracting the archive and before using Monero**. + +Instructions are for Linux but should also work on macOS with cosmetic modifications. + +## 0. Import core dev PGP key + +This is a one time action. Skip this step for subsequent Monero releases. + +Monero core developers sign a list of hashes of released binaries. + +Riccardo "fluffypony" Spagni is Monero core developer who signs the releases. +Riccardo's public key is available on GitHub in the project source code. +Import Riccardo's public key to your keyring: + +`curl https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/fluffypony.asc | gpg --import` + +Trust Riccardo's public key: + + gpg --edit-key '7455C5E3C0CDCEB9' + trust + 4 + +## 1. Verify signature of hash list + +The list of binaries and their hashes is published on [getmonero.org](https://www.getmonero.org/downloads/hashes.txt) and a few other places like release notes on [r/monero](https://reddit.com/r/monero). +Please note the publication channel does not matter as long as you properly verify the signature! + +To verify these are real hashes (not tampered with) run: + +`curl https://www.getmonero.org/downloads/hashes.txt | gpg --verify` + +The expected output is: + + ... + gpg: Good signature from "Riccardo Spagni " [full] + +## 2. Verify the hash + +By this step we checked that published hashes were not tampered with. + +The last step is to compare published hash with hash of downloaded archive. + +Replace file name with yours: + + file_name=monero-linux-x64-v0.13.0.4.tar.bz2 + + file_hash=`sha256sum $filename | cut -c 1-64` + + curl https://www.getmonero.org/downloads/hashes.txt > /tmp/reference-hashes.txt + + # verify the signature (previous step repeated here) + gpg --verify /tmp/reference-hashes.txt + + grep $file_hash /tmp/reference-hashes.txt + +If grep displayed a line containing your binary name and a hash then all is fine! + +If the output is empty then double check everything because apparently the hashes don't match. diff --git a/mkdocs.yml b/mkdocs.yml index 122754c..071b72d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -7,6 +7,8 @@ site_url: 'https://monerodocs.org/' nav: - Home: 'index.md' - Interacting: + - Download: 'interacting/download-monero-binaries.md' + - Verify: 'interacting/verify-monero-binaries.md' - Overview: 'interacting/overview.md' - monerod: 'interacting/monerod-reference.md' - Technical specs: 'technical-specs.md'