Welcome to the Dash Forum!

Please sign up to discuss the most innovative cryptocurrency!

Verifying Dash Code QT installer's integrity with GnuPG

Discussion in 'Daemon and QT Wallet Support' started by cibrigue, Mar 20, 2017.

  1. cibrigue

    cibrigue New Member

    Joined:
    Mar 20, 2017
    Messages:
    25
    Likes Received:
    12
    Trophy Points:
    3
    Hi!


    I'm new to Dash, and I have just downloaded the Dash Core Win/64 installer v12.1.3.

    I already had GnuPG so I run this in my download folder where my installer and hash files were:
    gpg2.exe --verify SHA256SUMS.asc

    And got this:
    gpg: Signature made 03/02/17 09:57:45 Central Europe Standard Time using RSA key ID BD8DF332
    gpg: Can't check signature: No public key


    So my understanding is that the SHA-256 hash matches, but the installer is not signed. Is this normal for the Dash Core client, can I trust it? Can/should I run any other tests before installing?
     
  2. flare

    flare Administrator
    Dash Core Team Moderator

    Joined:
    May 18, 2014
    Messages:
    2,287
    Likes Received:
    2,406
    Trophy Points:
    1,183
    The file is signed, you are just missing my public key in your keyring.

    Do

    Code:
    gpg2.exe --recv-keys BD8DF332
    and retry.
     
    • Like Like x 2
    • Informative Informative x 2
  3. cibrigue

    cibrigue New Member

    Joined:
    Mar 20, 2017
    Messages:
    25
    Likes Received:
    12
    Trophy Points:
    3
    Thank you, it worked!

    For future reference, I needed to also set the keyserver in my case. So to import your key:
    Code:
    gpg2.exe --keyserver pgp.mit.edu --recv-keys BD8DF332
    And then to verify the signature of dashcore-0.12.1.3-win64-setup.exe:
    Code:
    gpg2.exe --verify SHA256SUMS.asc
    I got the following response:
    Code:
    gpg: Signature made 03/02/17 09:57:45 Central Europe Standard Time using RSA key ID BD8DF332
    gpg: Good signature from "Holger Schinzel <[email protected]>" [unknown]
    gpg:                 aka "Holger Schinzel <[email protected]>" [unknown]
    gpg:                 aka "Holger Schinzel <[email protected]>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: AF1A E13F 33D0 6F48 7F23  DC81 4B88 269A BD8D F332
    
     
    • Like Like x 3
  4. Voluntary

    Voluntary Member

    Joined:
    May 14, 2016
    Messages:
    109
    Likes Received:
    37
    Trophy Points:
    78
    Dash Address:
    XivwUmSu5davqhqc3BX1j4w6dskzNFihQQ
    Thank you - I needed a refresher on this. btw The page I just got the PGP signature from doesn't seem to indicate how to get the appropriate public key - which seems kinda backward...