I have wanted to learn how to verify software for a while, because I have a habit of erasing my laptop from time to time, and I need to make sure I'm backing up EVERYTHING since I'm often on the road exploring; if anything happens, that could lead to many problems, and I'm the one to blame. For example, I had forgotten to back up some articles before, and they are gone, so I need to make myself more antifragile by constantly testing my own backups by erasing.
The second reason is that when you are around Bitcoiners so much, with all the verifying, you really want to make sure all the software you use is genuine. Also, I stopped using the Apple Store a while ago, and downloading software from sites could be risky; even though I do verify the URLs, you never know! So one of my to-dos is to learn how to verify software, because I need to download everything again every time. I shared some of the questions I had in the saloon, and @ek patiently wrote this guide on how to verify better, so I'm writing a more detailed article to help others who also want to learn the art of verifying. 👀

Why Verify

I'm not going to focus on the why here, but if you are a Bitcoiner, you know the why - don't trust, verify, especially with all the phishing sites and malicious software these days.
Also, if you think this is way above your head or is not for a normal person, I'm happy to tell you that I don't have any coding skills, but I'm willing to test and learn, so if I can do it, you can too!

What to Verify (Important!)

When I started dipping my toe into verifying, I didn't know what I should verify at all. 👀 But then I read a few docs, followed some of the official guides from the software I use, and of course this good piece from @ek, and I figured there are actually two things to verify when it comes to verifying software:
1. The public key, which is used to sign the software release.
When importing a public key, you should check the fingerprint to verify it's the correct public key, ideally from independent sources; the more sources that agree on the same fingerprint, the more trusted it is.
2. The signatures.
Digital signatures are commonly used to ensure the integrity and authenticity of software. When you verify a digital signature, you make sure that the software was created by the person you trust and think it was created by (authenticity) and that it was not modified (integrity). You usually download the signature from the same location as the software.
explained by @ek
There is also a tricky part: if the signature file name (.asc) does not match the dmg file you downloaded, you need to do one more step, checksum verification, which verifies the hashes; the site usually says when you need to do this step. (Unfortunately, I'm not technical enough to explain this; feel free to chip in.)

The Setup

In order to verify, we need to install the tools first: Homebrew and gnupg (or install GPG Suite if you are also using a Mac), but I recommend using the terminal for more solid learning.
Homebrew is quite easy to install; all you need to do is put these commands into the terminal, wait a bit, and done ($ means "run this in the terminal").
1. Install homebrew
$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
For better privacy, also run brew analytics off.
2. Install gnupg
$ brew install gnupg
That's it, you are all set! Time to explore the fun.
Since I'm using a Mac, this experience is based on the Mac system; feel free to pill me other fun!

Learning by Doing

You can't learn to swim by reading, and talk is cheap; I'm going to use two of my favorite Bitcoin desktop wallets as examples for everyone to follow along and do the verification yourself.
For simplicity, we are only using a terminal as practice here.

Practice A. Electrum Wallet

Here is the guide linked to the site on how to verify:
1. Download the Software and the Signature next to it.
Be sure to put both in the same folder, e.g. in the download folder.
2. Check different sources of the fingerprint to verify the signer's public key.
To import from the PUBLIC KEY BLOCK, run gpg --import, copy the block, paste it into the terminal, and then press CTRL+D.
Then do one more step to make sure you imported the correct key:
$ gpg --fingerprint thomasv@electrum.org
pub   rsa4096 2011-06-15 [SC]
      6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
uid           [ unknown] Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
uid           [ unknown] ThomasV <thomasv1@gmx.de>
uid           [ unknown] Thomas Voegtlin <thomasv1@gmx.de>
sub   rsa4096 2011-06-15 [E]
All fingerprints match: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6, good!
3. Verify the signed file.
Put these two lines into the terminal:
$ cd Downloads
$ gpg --verify electrum-4.5.3.dmg.asc
gpg: assuming signed data in 'electrum-4.5.3.dmg'
gpg: Signature made Fri 23 Feb 12:32:06 2024 +03
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Good signature from "Stephan Oeste (it) <it@oeste.de>" [unknown]
gpg:                 aka "Stephan Oeste (Master-key) <stephan@oeste.de>" [unknown]
gpg:                 aka "Emzy E. (emzy) <emzy@emzy.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9EDA FF80 E080 6596 04F4 A76B 2EBB 056F D847 F8A7
     Subkey fingerprint: 637D B1E2 3370 F84A FF88 CCE0 3152 347D 07DA 627C
gpg: Signature made Fri 23 Feb 03:00:55 2024 +03
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Good signature from "SomberNight/ghost43 (Electrum RELEASE signing key) <somber.night@protonmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0EED CFD5 CAFB 4590 6734 9B23 CA9E EEC4 3DF9 11DC
gpg: Signature made Fri 23 Feb 02:46:47 2024 +03
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
If you see "gpg: WARNING: This key is not certified with a trusted signature!", it means you didn't mark the public key as trusted; in that case you can run gpg --edit-key thomasv@electrum.org, enter trust, and choose one of the numbers.
pub  rsa4096/2BD5824B7F9470E6
     created: 2011-06-15  expires: never       usage: SC
     trust: full          validity: unknown
sub  rsa4096/1A25C4602021CD84
     created: 2011-06-15  expires: never       usage: E
[ unknown] (1). Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[ unknown] (2)  ThomasV <thomasv1@gmx.de>
[ unknown] (3)  Thomas Voegtlin <thomasv1@gmx.de>

gpg> trust
pub  rsa4096/2BD5824B7F9470E6
     created: 2011-06-15  expires: never       usage: SC
     trust: full          validity: unknown
sub  rsa4096/1A25C4602021CD84
     created: 2011-06-15  expires: never       usage: E
[ unknown] (1). Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[ unknown] (2)  ThomasV <thomasv1@gmx.de>
[ unknown] (3)  Thomas Voegtlin <thomasv1@gmx.de>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision?
Now run the verify command again. (From my testing, if you want this warning to disappear, you need to set the trust to "5 = I trust ultimately".)
And done! Safe to install it now.

Practice B. Sparrow Wallet

Here is the official guide on how to verify.
1. Download the Software, the Manifest Signature, and the Manifest next to it.
Be sure to put all of them in the same folder, e.g. in the download folder.
2. Check different sources of the fingerprint to verify the signer's public key.
And do one more step, to make sure that you imported the correct key.
$ gpg --fingerprint craig@sparrowwallet.com
pub   rsa4096 2019-10-03 [SC] [expires: 2027-09-18]
      D4D0 D320 2FC0 6849 A257 B38D E946 1833 4C67 4B40
uid           [ unknown] Craig Raw <craig@sparrowwallet.com>
sub   rsa4096 2019-10-03 [E] [expires: 2027-09-18]
All fingerprints match: D4D0 D320 2FC0 6849 A257 B38D E946 1833 4C67 4B40, good!
3. Verify the signed file.
Put these two lines into the terminal:
$ cd Downloads
$ gpg --verify sparrow-1.8.2-manifest.txt.asc
gpg: assuming signed data in 'sparrow-1.8.2-manifest.txt'
gpg: Signature made Thu Jan 18 13:35:34 2024 +03
gpg:                using RSA key D4D0D3202FC06849A257B38DE94618334C674B40
gpg: Good signature from "Craig Raw <craig@sparrowwallet.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D4D0 D320 2FC0 6849 A257 B38D E946 1833 4C67 4B40
You have now verified the signature of the manifest file, which ensures integrity and authenticity of the manifest file - not the binaries!
explained by Sparrow
4. Verify the hashes.
I can see that I need to verify the hashes because the name of the signature file is different from the software's, which means one more step is needed; simply copy and paste this command into the terminal:
$ shasum --check sparrow-1.8.2-manifest.txt --ignore-missing
Sparrow-1.8.2.dmg: OK
And done! Safe to install it now.

๐Ÿ•ต๐Ÿผ The Art of Verifying

1. Download the Software and the Signature next to it.
Be sure to put both in the same folder, e.g. in the download folder.
2. Check different sources of the fingerprint to verify the signer's public key.
Good places to look are Github, Keybase, KeyServer, and different socials. Generally, the more sources showing the same key, the more trusted.
3. Verify the signed file.
-- If the signature file name (.asc) matches the dmg file that you downloaded, then run this:
$ gpg --verify (unknown).asc
-- If the signature file name (.asc) does not match the dmg file that you downloaded, get the sha256 hash and additionally run this:
$ cd Downloads
$ echo "{hash} (unknown)" | shasum -a 256 -c -
And congrats! Now you've learned how to verify two of the best and most important Bitcoin wallets! Feel free to ask if there are any questions or to point out any mistakes, as I'm still new to this verifying, and stay tuned for more :)
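As an added example (my own helper, not code from the post, from Electrum or from Sparrow), here is a small POSIX shell script that wraps the steps above and enforces the point of step 2: a "Good signature" only counts when the signer's primary fingerprint is one you confirmed from independent sources. It reads gpg's machine-readable --status-fd output instead of the human text, and the fingerprints and file names in the usage comment are the ones from Practice A and B.

```shell
# Normalise a fingerprint so "6694 D8DE ..." copied from a website and
# "6694d8de..." copied from a keyserver compare equal.
norm_fpr() {
  printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]'
}

# Read gpg --status-fd output on stdin and print the primary-key fingerprint
# of every VALIDSIG line (field 12, per gnupg's doc/DETAILS). GOODSIG is not
# used: it only carries a short key ID, and short IDs are easy to collide.
valid_primary_fprs() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12 }'
}

# trusted_sig_count STATUS_TEXT EXPECTED_FPR...
# Prints how many valid signatures were made by a key whose primary
# fingerprint is in the list you confirmed from independent sources.
trusted_sig_count() {
  status=$1; shift
  n=0
  for got in $(printf '%s\n' "$status" | valid_primary_fprs); do
    for want in "$@"; do
      if [ "$(norm_fpr "$got")" = "$(norm_fpr "$want")" ]; then
        n=$((n + 1))
      fi
    done
  done
  echo "$n"
}

# check_status STATUS_TEXT EXPECTED_FPR...
# Fails on any BADSIG (the file changed after it was signed); otherwise
# succeeds only if at least one signature came from a confirmed key. ERRSIG
# (a signer whose key you never imported) simply does not count, so a
# release signed by several people, like Electrum, passes on the keys you checked.
check_status() {
  status=$1; shift
  if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
    return 1
  fi
  [ "$(trusted_sig_count "$status" "$@")" -ge 1 ]
}

# verify_download SIGFILE EXPECTED_FPR...   (runs gpg, so needs gnupg)
# gpg's exit code answers "is some signature valid?"; the fingerprint check
# answers "valid AND made by the key I verified out of band?".
verify_download() {
  sig=$1; shift
  status=$(gpg --status-fd 1 --verify "$sig" 2>/dev/null) || return 1
  check_status "$status" "$@"
}
# Usage with the post's own values, run inside the Downloads folder:
#   verify_download electrum-4.5.3.dmg.asc \
#     "6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6"
#   verify_download sparrow-1.8.2-manifest.txt.asc \
#     "D4D0 D320 2FC0 6849 A257 B38D E946 1833 4C67 4B40" \
#     && shasum --check sparrow-1.8.2-manifest.txt --ignore-missing
```

For Sparrow the second command is still required: the signature only covers the manifest, so the shasum step is what ties the .dmg to it.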
There's a weakness in this process that many overlook, which can lead to you being exploited, and that is getting all the initial breadcrumbs from one source, be it GitHub or some software's own download website.
If an attacker were to take control of that website, they would replace the actual download, as well as the signature file, as well as upload their own (attacker's) key to keybase, potentially under the name of the original developer (especially if their email was compromised, which is likely the case).
To defend against that, you must verify via a different medium (social media, different website, signed Bitcoin message), ideally dated well before a potential breach, that the real signer's key fingerprint is indeed what the .asc file indicates.
reply
yes, I mentioned this at the end
Check different sources of the fingerprint to verify the signer's public key. Good places to look are Github, Keybase, KeyServer, and different socials. Generally, the more sources showing the same key, the more trusted.
reply
Sorry, since this is not new knowledge to me, I only skimmed the article and missed that bit.
Anyway, I think it's important to emphasize this as so many people just type the verification commands into their computer without thinking what they do and are happy when gpg gives them a thumbs up without understanding ways in which the supply chain may have been compromised.
reply
reply
Great post!
But did you verify your install of homebrew? lol
reply
👀 is this the way? #481198
reply
Great post. Very informative.
reply
Also, if you think this is way above your head or is not for a normal person, I'm happy to tell you that I don't have any coding skills, but I'm willing to test and learn, so if I can do it, you can too!
That's a good encouragement for us without coding skills. Thanks for sharing.
reply
me enjoy doing the dirty work to test what's possible. 👀
reply
you are doing a great job 🙏
reply
This is great. I'm not alone. I thought I was the only one verifying :)
reply
I always wanted to learn, but found it hard to find any practical sources to learn from! now I'm also slowly learning other commands and doing things in the terminal, much fun. 👀
reply
Thank you so much for another great article.
Just bookmarked it, and it'll be the one I look at while 'verifying'.
reply
and it's really empowering when you know how to verify whatever you have downloaded in the terminal instead of relying on any Apple or Google store.
reply
Yes, if we want to be one step ahead of these conservative centralized platforms, we need to upskill ourselves with DIY.
reply
instead of wasting time complaining, big YES.
reply
Yes, the right direction is the direction that you make right. So no complaining, just upskill and be your own verifier.
reply
bookmarked
Usually you find this kind of guide as well in the different github repos.
reply
oh, also one really strange thing is that some software doesn't even mention anywhere that you should verify the download, so just trust. 😂
reply
The more you know the more you don't know 🤦
reply
yes! but less crowded as you keep leveling up because most people don't really want to do the work, just want to look smart.
reply
69 sats \ 0 replies \ @go 26 Mar
most people don't really want to do the work, just want to look smart.
Instantly quotable ^
reply
43 sats \ 2 replies \ @OT 26 Mar
Thank you!
I like your wallet choices!
reply
Two MUST have wallets:)!
reply
10 sats \ 0 replies \ @OT 26 Mar
They are the correct two
reply
This video is a great explanation about how to verify software with the Sparrow wallet tool.
Enjoy it
reply
wow, interesting! but does it mean trusting Sparrow this way? 👀
cc @ek
reply
I haven't read it yet, but I can already tell it's very detailed. Congratulations on another great post, as usual. Thanks!
reply
stackers coming to comment without verifying the post! 🕵🏼
reply
The fruit of the tree of Million Sat Madness...
reply
Yes:(
learning real skills, having fun maybe even stacking friends, is worth way more than 1M sats...
reply
Gonna go crack open a book now! :)
reply
why not read my post and start testing 👀
reply
I'm a bit hesitant to run the installation script
https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh
Is there a way to verify its authenticity? 😂
Let's be real, I don't need to install it yet, but I'll be sure to follow the tutorial when I do.
reply
Is there a way to verify its authenticity? 😂
@ek mentioned this point to me before, but it seems " trust cannot be eliminated, only minimized. "
reply
111 sats \ 1 reply \ @ek fwd 26 Mar
There are multiple ways to verify the authenticity. Authenticity means here that we want to be sure this URL belongs to the homebrew devs that we already trust. [1]
Ideally, we use all ways as @Natalia mentioned in her post:
ideally from independent sources, and from more sources, the more trusted.
a) check out the Homebrew organization to which this URL belongs. Is this a legit org? Do they have many stars (which could be bought)? Much activity? No ticket or discussion that says "this is a scam"?
b) Visit the URL and read the code. No red flags like loading something from a totally different domain? (If you can't read code, learn how to read code.)
c) Verify it uses HTTPS. Probably the easiest way and one that people hopefully already do without thinking, so this is something you should ALWAYS do (assuming it's not already done by the software you use): just check if the URL starts with https://. This is important since TLS (HTTPS = HTTP + TLS) is not only about encryption (confidentiality) but also about integrity and authenticity, the "CIA triad":
Information security's primary focus is the balanced protection of data confidentiality, integrity, and availability (also known as the "CIA" triad) while maintaining a focus on efficient policy implementation, all without hampering organization productivity.
-- wikipedia.org, Information security
Footnotes
  1. Authentication basically means to verify you are who you say you are. Btw, even the HTTP spec got this wrong: it uses authorization for authentication.
ek is right, we can either trust it or manually check the script. But that already requires shell script knowledge. I've done some before, but I'm not 100% comfortable with it.
reply
isn't SN the perfect place to ask and learn? 👀👀👀
Good on you. Very useful topic
I know Sparrow wallet includes a tool for verifying software.
reply
sudo apt-install goes brrrrrrrrrrrrrrrrrrr
reply
3 minutes in, 4 stackers already upvoted you... strategic early voting is important for MSM :)
That being said, looks like a great guide, sats most likely deserved. It'll take me more than 3 minutes to read it though.
reply