Verifying Dash Code QT installer's integrity with GnuPG

cibrigue

New Member
Mar 20, 2017
25
12
3
Hi!


I'm new to Dash, and I have just downloaded the Dash Core Win/64 installer v12.1.3.

I already had GnuPG so I run this in my download folder where my installer and hash files were:
gpg2.exe --verify SHA256SUMS.asc

And got this:
gpg: Signature made 03/02/17 09:57:45 Central Europe Standard Time using RSA key ID BD8DF332
gpg: Can't check signature: No public key


So my understanding is that the SHA-256 hash matches, but the installer is not signed. Is this normal for the Dash Core client, can I trust it? Can/should I run any other tests before installing?
 

flare

Administrator
Dash Core Team
Moderator
May 18, 2014
2,286
2,404
1,183
Germany
Hi!


I'm new to Dash, and I have just downloaded the Dash Core Win/64 installer v12.1.3.

I already had GnuPG so I run this in my download folder where my installer and hash files were:
gpg2.exe --verify SHA256SUMS.asc

And got this:
gpg: Signature made 03/02/17 09:57:45 Central Europe Standard Time using RSA key ID BD8DF332
gpg: Can't check signature: No public key


So my understanding is that the SHA-256 hash matches, but the installer is not signed. Is this normal for the Dash Core client, can I trust it? Can/should I run any other tests before installing?
The file is signed, you are just missing my public key in your keyring.

Do

Code:
gpg2.exe --recv-keys BD8DF332
and retry.
 
  • Like
Reactions: tungfa and UdjinM6

cibrigue

New Member
Mar 20, 2017
25
12
3
Thank you, it worked!

For future reference, I needed to also set the keyserver in my case. So to import your key:
Code:
gpg2.exe --keyserver pgp.mit.edu --recv-keys BD8DF332
And then to verify the signature of dashcore-0.12.1.3-win64-setup.exe:
Code:
gpg2.exe --verify SHA256SUMS.asc
I got the following response:
Code:
gpg: Signature made 03/02/17 09:57:45 Central Europe Standard Time using RSA key ID BD8DF332
gpg: Good signature from "Holger Schinzel <[email protected]>" [unknown]
gpg:                 aka "Holger Schinzel <[email protected]>" [unknown]
gpg:                 aka "Holger Schinzel <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: AF1A E13F 33D0 6F48 7F23  DC81 4B88 269A BD8D F332
 

Voluntary

Member
May 14, 2016
109
37
78
Dash Address
XivwUmSu5davqhqc3BX1j4w6dskzNFihQQ
Thank you - I needed a refresher on this. btw The page I just got the PGP signature from doesn't seem to indicate how to get the appropriate public key - which seems kinda backward...