mirror of
https://github.com/monero-project/monero-site.git
synced 2025-03-04 15:54:27 +00:00
This new approach doesn't require version numbers and makes it easier for contributors to understand the status of the document. There are only 3 states:

- Outdated: The page is outdated and might not work as expected
- Untranslated: The page needs to be translated
- Translation outdated: The page is translated, but the original (English) document has been updated

To mark a guide as outdated, we change the boolean of the front matter entry 'outdated' in /resources/user-guides/GUIDE. If 'False', the guide is updated. If 'True', all versions of the guide (English included) will show a warning at the bottom of the page.

The other 2 states are related to the status of the translated pages and we control them from the language-specific user guides: /_i18n/LANG/resources/user-guides/GUIDE. At the top of the page a snippet will include 2 parameters:

- translated: "yes" if the page is translated, "no" if it's not.
- translationOutdated: "yes" if the translation is outdated, "no" if it's not

This new system aims to be simpler than the previous one, avoiding comparing version numbers and using a higher-level system instead (yes, no, True, False). I also removed the middle-way status 'only minor changes', because if there are only minor changes that don't affect the usability of the guide, we don't need to point it out.

The old system was complex and people didn't use it. These changes will hopefully make things easier for translators and other contributors.
255 lines
11 KiB
Markdown
{% include disclaimer.html translated="no" translationOutdated="no" %}

# Verify Binaries: Windows (Beginner)

Verification of the Monero binary files should be done prior to extracting, installing, or using the Monero software. This is the only way to ensure that you are using the official Monero binary. If you receive a fake binary (e.g. phishing, MITM, etc.), following this guide will protect you from being tricked into using it.

To protect the integrity of the binaries, the Monero team provides a cryptographically signed list of all the [SHA256](https://en.wikipedia.org/wiki/SHA-2) hashes. If your downloaded binary has been tampered with, it will produce a [different hash](https://en.wikipedia.org/wiki/File_verification) than the one in the file.

This is a beginner's guide for the Windows operating system and will make use of GUIs almost exclusively. It will walk you through the process of installing the required software, importing the signing key, downloading the necessary files, and finally verifying that your binary is authentic.

## Table of Contents

### [1. Gpg4win Installer](#1-using-gpg4win-installer)
  - [1.1. Getting Gpg4win Installer](#11-getting-gpg4win-installer)
    + [1.1.1. Download Gpg4win](#111-download-gpg4win)
    + [1.1.2. Launch Gpg4win](#112-launch-gpg4win)
  - [1.2. Use Gpg4win Installer](#12-use-gpg4win-installer)

### [2. Import Signing Key](#2-monero-signing-key)
  - [2.1. Download Signing Key](#21-download-signing-key)
  - [2.2. Initialize Kleopatra](#22-initialize-kleopatra)
    + [2.2.1. Import Signing Key](#221-import-signing-key)
    + [2.2.2. Create Key Pair](#222-create-key-pair)
  - [2.3. Verify Signing Key](#23-verify-signing-key)

### [3. Verify Hash File](#3-hash-file-verification)
  - [3.1. Download Hash File](#31-download-hash-file)
  - [3.2. Verify Hash File](#32-verify-hash-file)

### [4. Verify Binary File](#4-binary-file-verification)
  - [4.1. Download Binary](#41-download-binary)
  - [4.2. Verify Binary](#42-verify-binary)

## 1. Using Gpg4win Installer

This section will cover installing the cryptography software. Windows does not come with the tools required to verify your binary. To install these tools you can use the Gpg4win installer.

### 1.1. Getting Gpg4win Installer

#### 1.1.1. Download Gpg4win

In a web browser, go to [gpg4win.org](https://gpg4win.org) and download the installer by clicking the green button.

You will be taken to a donation page. If you do not wish to donate, select `$0`, then you will be able to click `Download`.

Click `Save File`.

Choose a download location, click `Save`.

#### 1.1.2. Launch Gpg4win

When the download is finished, open the containing folder.

Double-click the downloaded gpg4win executable to launch.

### 1.2. Use Gpg4win Installer

You will be presented with a security verification screen, click `Run`.

Select your language, click `OK`.

A welcome screen will appear, click `Next`.

Now you will see the component selection screen. You must at least leave `Kleopatra` checked for this guide. Make your selections, click `Next`.

It is best to leave the default installation location unless you know what you are doing. Make your selections, click `Install`.

Installation has completed, click `Next`.

Click `Finish`.

## 2. Monero Signing Key

This section will cover downloading the Monero signing key, verifying that the key is correct, and then importing the key to your keyring. The hash file that will be used to verify your binary is cryptographically signed with the Monero signing key. In order to check the validity of this file you must have the public version of the signing key.

### 2.1. Download Signing Key

In a web browser, go to [Fluffypony's GPG key](https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/fluffypony.asc), which he uses for signing the Monero binaries. Right click on the page, choose `Save Page As`.

Leave the default location, click `Save`.

### 2.2. Initialize Kleopatra

If this is your first time using Kleopatra you will have to create a key pair for yourself.

Launch Kleopatra.

#### 2.2.1. Import Signing Key

Click `Import`.

Enter the directory `Downloads`, select `fluffypony`, and click `Open`.

Start the process of certifying the key by clicking `Yes`.

#### 2.2.2. Create Key Pair

Start the process of key creation by clicking `Yes`.

Fill in some details for `Name` and `Email`, click `Next`.

Verify details, click `Create`.

Set a password, click `OK`.

Click `Finish`.

### 2.3. Verify Signing Key

Visually check that the fingerprint of the key belonging to Riccardo Spagni is `BDA6BD7042B721C467A9759D7455C5E3C0CDCEB9`.

If the fingerprint **DOES** match, click `Next`.

If the fingerprint of this key **DOES NOT** match, **DO NOT CONTINUE**. Instead delete the file `fluffypony` from the `Downloads` directory and go back to [section 2.1](#21-download-signing-key).

Leave `Certify only for myself` selected, click `Certify`.

Enter your password, click `OK`.

Click `Finish`.

## 3. Hash File Verification

This section will cover downloading the signed file of known good hashes and verifying its authenticity.

### 3.1. Download Hash File

In a web browser, go to the [getmonero.org hash page]({{ site.baseurl }}/downloads/hashes.txt). Right click the page, select `Save Page As`.

Leave the default location, click `Save`.

### 3.2. Verify Hash File

In Kleopatra, click the `Decrypt/Verify` button.

Navigate to the `Downloads` directory. Select the `hashes` file, click `Open`.

Kleopatra will inform you if the file's signature is valid.

If the signature is **VALID**, Kleopatra will report a valid signature.

If the signature is **INVALID**, Kleopatra will report an invalid signature.

If you receive a **VALID** signature, click `Discard` and move on.

If you receive an **INVALID** signature, **DO NOT CONTINUE.** Instead delete the file `hashes` from the `Downloads` directory and go back to [section 3.1](#31-download-hash-file).

## 4. Binary File Verification

This section will cover downloading the Monero binary and verifying its authenticity.

### 4.1. Download Binary

In a web browser, go to the [getmonero.org downloads page]({{ site.baseurl }}/downloads/#windows). Select the correct binary for your system.

Leave `Save File` selected, click `OK`.

Leave the default location, click `Save`.

### 4.2. Verify Binary

In a file manager, navigate to the `Downloads` directory. Open the file `hashes` with a word processor.

Open a terminal (`cmd.exe`).

Change to the `Downloads` directory with the command: `cd Downloads`.

Calculate the hash of the Monero binary with the command: `certUtil -hashfile monero-gui-win-x64-v0.11.1.0.zip SHA256` (if you downloaded a command-line only version, replace `monero-gui-win-x64-v0.11.1.0.zip` accordingly).

Compare the hash from the terminal with the one in the hash file. They should be the same (spaces can be ignored).

If your hash **DOES** match, then you are finished with verification! You can be sure the Monero files you have are authentic. You may extract and install/use the files normally.

If your hash **DOES NOT** match, **DO NOT CONTINUE.** Instead delete the Monero binary from the `Downloads` directory and go back to [section 4.1](#41-download-binary).
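
The checks from sections 3.2 and 4.2 can also be run as one PowerShell script that stops at the first failure. This is an added example, not part of the original guide; it assumes `gpg.exe` (installed by Gpg4win) is on the `PATH`, the signing key from section 2 is already imported, the hash file was saved as `hashes.txt`, and each entry in it has the file name and its hash on the same line.

```powershell
# Added example, not part of the original guide. Run it from the Downloads directory.
# Assumptions: gpg.exe (installed by Gpg4win) is on PATH, the signing key from
# section 2 is imported, and hashes.txt keeps each file name and its SHA256
# hash on the same line.
param(
    [string]$Binary   = 'monero-gui-win-x64-v0.11.1.0.zip',  # file name used in section 4.2
    [string]$HashFile = 'hashes.txt'                          # assumed name of the saved hash file
)

# Fingerprint given in section 2.3.
$Pinned = 'BDA6BD7042B721C467A9759D7455C5E3C0CDCEB9'

# 1. Verify the signature and read gpg's machine-readable status lines.
#    VALIDSIG is printed only when the signature verifies.
$status = & gpg --status-fd 1 --verify $HashFile 2>$null
$valid  = @($status | Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG ' })
if ($valid.Count -eq 0) {
    Write-Host 'INVALID signature on the hash file. DO NOT CONTINUE.'
    exit 1
}

# The last VALIDSIG field is the primary key fingerprint, so a signature made
# with a subkey is still compared against the fingerprint from the guide.
$signer = ($valid[0].Trim() -split ' ')[-1]
if ($signer -ne $Pinned) {
    Write-Host "Hash file is signed by an unexpected key: $signer. DO NOT CONTINUE."
    exit 1
}

# 2. Keep only the text covered by the signature, so lines added outside
#    the signed block are never compared.
$signed = @(& gpg --decrypt $HashFile 2>$null)

# 3. Hash the binary. Get-FileHash prints the hex digest without spaces.
$actual = (Get-FileHash -Path $Binary -Algorithm SHA256).Hash.ToLower()

# 4. Look for a signed line that names this file and carries the same hash.
#    Whitespace is stripped and case is ignored before comparing.
$name  = Split-Path -Path $Binary -Leaf
$match = @($signed | Where-Object {
    $_.Contains($name) -and ($_ -replace '\s', '').ToLower().Contains($actual)
})
if ($match.Count -gt 0) {
    Write-Host "Hash DOES match: $name is listed in the signed hash file."
    exit 0
}
Write-Host "Hash DOES NOT match for $name. DO NOT CONTINUE."
exit 1
```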