-
Notifications
You must be signed in to change notification settings - Fork 40
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: update instructions for verifying binaries (#127)
These instructions link to the new documentation page for verifying binaries, but shorthand instructions are still provided.
- Loading branch information
1 parent
ac508d3
commit 22b97f7
Showing
1 changed file
with
57 additions
and
34 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,50 +19,73 @@ Notes for the current and previous releases can be found in the [Release Notes]( | |
|
|
||
| ## Verifying Binaries | ||
|
|
||
| Each release contains a manifest file with sha256 hashes for the | ||
| binaries in that release. To verify these, you will need: | ||
| For your security, we recommend that you verify binaries before running them. | ||
| Each release contains a manifest file with SHA-256 hashes for each released | ||
| binary. To ensure your downloads are authentic, you should verify that the | ||
| manifest file is signed by `[email protected]`, and that your hashed binary | ||
| matches the manifest. | ||
|
|
||
| * SHA256 - Once you download your file(s), you need to check their | ||
| SHA256 hashes, so you may need to download a tool to do this, | ||
| depending on your OS. | ||
| * GnuPG or PGP - This is required to import public keys and verify | ||
| signatures. Examples below use GnuPG. | ||
| Detailed instructions can be found in the Decred Documentation: | ||
| [Verifying Binaries](https://docs.decred.org/advanced/verifying-binaries/). | ||
| New users should start there. | ||
|
|
||
| The steps to verify the binaries are as follows: | ||
| If you've already done this before and you still have the Decred Release keys | ||
| on your GnuPG keyring, the following shorthand instructions are provided as a | ||
| quick refresher: | ||
|
|
||
| 1. Download the file manifest, the signature for the file manifest, and the zip/tarball for your OS from here. | ||
| 2. Obtain the SHA256 value for the zip/tarball for your OS and check that it matches the value in the file manifest, e.g. for 64-bit Linux | ||
| 1. Download: | ||
|
|
||
| * The zip/tarball for your specific OS / architecture | ||
| * The file manifest and hashes, ending in `-manifest.txt` | ||
| * The signature for the manifest, ending in `-manifest.txt.asc` | ||
|
|
||
| 2. Verify that the manifest was directly signed by the Decred project: | ||
|
|
||
| ``` | ||
| $ sha256sum linux-amd64-20160127-02.tar.gz | ||
| 8ffaa268a329890ebf0f96b3cd1bc9f69359e431edbb95d89cec5a605108574b linux-amd64-20160127-02.tar.gz | ||
| $ gpg --verify <your manifest.txt.asc file> | ||
| ``` | ||
|
|
||
| 3. Import the Decred Release Signing Key in GnuPG. | ||
| Example output: | ||
| ``` | ||
| $ gpg --keyserver pgp.mit.edu --recv-keys 0x518A031D | ||
| gpg: requesting key 518A031D from hkp server pgp.mit.edu | ||
| gpg: /home/user/.gnupg/trustdb.gpg: trustdb created | ||
| gpg: key 7608AF04: public key "Decred Release <[email protected]>" imported | ||
| gpg: Total number processed: 1 | ||
| gpg: imported: 1 (RSA: 1) | ||
| ``` | ||
| 4. Verify the signature for the file manifest is valid and created by | ||
| the Decred Release Signing Key. | ||
|
|
||
| ``` | ||
| $ gpg --verify manifest-20160127-02.txt.asc | ||
| gpg: assuming signed data in `manifest-20160127-02.txt' | ||
| gpg: Signature made Wed 27 Jan 2016 08:56:59 PM UTC using RSA key ID 518A031D | ||
| gpg: Good signature from "Decred Release <[email protected]>" | ||
| gpg: WARNING: This key is not certified with a trusted signature! | ||
| gpg: There is no indication that the signature belongs to the owner. | ||
| Primary key fingerprint: FD13 B683 5E24 8FAF 4BD1 838D 6DF6 34AA 7608 AF04 | ||
| Subkey fingerprint: F516 ADB7 A069 852C 7C28 A02D 6D89 7EDF 518A 031D | ||
| gpg: assuming signed data in 'decred-v1.5.1-manifest.txt' | ||
| gpg: Signature made 01/29/20 15:17:58 Eastern Standard Time | ||
| gpg: using RSA key F516ADB7A069852C7C28A02D6D897EDF518A031D | ||
| gpg: Good signature from "Decred Release <[email protected]>" [unknown] | ||
| gpg: WARNING: This key is not certified with a trusted signature! | ||
| gpg: There is no indication that the signature belongs to the owner. | ||
| Primary key fingerprint: FD13 B683 5E24 8FAF 4BD1 838D 6DF6 34AA 7608 AF04 | ||
| Subkey fingerprint: F516 ADB7 A069 852C 7C28 A02D 6D89 7EDF 518A 031D | ||
| ``` | ||
|
|
||
| The zip or tarball with binaries for your platform is now verified and | ||
| you can be confident they were generated by the Decred team. | ||
| If you see `Good signature from "Decred Release <[email protected]>"`, then | ||
| you're successful! You can trust that the `manifest.txt` came directly from the | ||
| Decred project. | ||
|
|
||
| 3. Verify that the hash of your downloaded zip/tarball matches the manifest hash: | ||
|
|
||
| * Windows: | ||
|
|
||
| * If you have [7-Zip](https://7-zip.org/) installed, simply open up Windows | ||
| Explorer, right click on the file, mouseover `CRC SHA`, then click `SHA-256`. | ||
|
|
||
| * `$ certutil -hashfile <your file> SHA256` | ||
|
|
||
| * macOS | ||
|
|
||
| * `$ shasum -a 256 <your file>` | ||
|
|
||
| * Linux | ||
|
|
||
| * `$ sha256sum <your file>` | ||
|
|
||
| Example output: | ||
| ``` | ||
| 0c43caffa428cebb8a4d3c8efb2a341220fd1c232640ff3b4403ff67e1873e1a decred-linux-amd64-v1.5.1.tar.gz | ||
| ``` | ||
|
|
||
| If your output hash matches the hash from the manifest, you're done! The binary | ||
| for your platform is now verified and you can be confident it was generated by | ||
| the Decred Project. It's safe to install the software. | ||
|
|
||
| ## Source code | ||
|
|
||
|
|
||