• Forum has been upgraded, all links, images, etc are as they were. Please see Official Announcements for more information

Verifying Dash Code QT installer's integrity with GnuPG

cibrigue

New member
Hi!


I'm new to Dash, and I have just downloaded the Dash Core Win/64 installer v12.1.3.

I already had GnuPG so I run this in my download folder where my installer and hash files were:
gpg2.exe --verify SHA256SUMS.asc

And got this:
gpg: Signature made 03/02/17 09:57:45 Central Europe Standard Time using RSA key ID BD8DF332
gpg: Can't check signature: No public key


So my understanding is that the SHA-256 hash matches, but the installer is not signed. Is this normal for the Dash Core client, can I trust it? Can/should I run any other tests before installing?
 
Hi!


I'm new to Dash, and I have just downloaded the Dash Core Win/64 installer v12.1.3.

I already had GnuPG so I run this in my download folder where my installer and hash files were:
gpg2.exe --verify SHA256SUMS.asc

And got this:
gpg: Signature made 03/02/17 09:57:45 Central Europe Standard Time using RSA key ID BD8DF332
gpg: Can't check signature: No public key


So my understanding is that the SHA-256 hash matches, but the installer is not signed. Is this normal for the Dash Core client, can I trust it? Can/should I run any other tests before installing?

The file is signed, you are just missing my public key in your keyring.

Do

Code:
gpg2.exe --recv-keys BD8DF332

and retry.
 
Thank you, it worked!

For future reference, I needed to also set the keyserver in my case. So to import your key:
Code:
gpg2.exe --keyserver pgp.mit.edu --recv-keys BD8DF332

And then to verify the signature of dashcore-0.12.1.3-win64-setup.exe:
Code:
gpg2.exe --verify SHA256SUMS.asc

I got the following response:
Code:
gpg: Signature made 03/02/17 09:57:45 Central Europe Standard Time using RSA key ID BD8DF332
gpg: Good signature from "Holger Schinzel <[email protected]>" [unknown]
gpg:                 aka "Holger Schinzel <[email protected]>" [unknown]
gpg:                 aka "Holger Schinzel <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: AF1A E13F 33D0 6F48 7F23  DC81 4B88 269A BD8D F332
 
Thank you - I needed a refresher on this. btw The page I just got the PGP signature from doesn't seem to indicate how to get the appropriate public key - which seems kinda backward...
 
Back
Top