Verifying wallet downloads

Sven

Member
Aug 15, 2017
67
28
58
Several wallets on the official directory on https://www.dash.org/downloads/ offer separate signature files (Installer Signature). Trying to verify these signatures fails because I have no idea who is supposed to be the correct signer and I don't have their public key:
Screen Shot 2022-01-04 at 15.32.06.png


Where can I find those keys?
 

dashfriend_

New Member
Feb 11, 2021
4
6
3
Hi Sven,

looking at your screenshot, I'm assuming you want to verify the signatures for the macOS binaries. You can basically follow the guide for Linux on https://docs.dash.org/en/stable/wallets/electrum/installation.html#download and modify it for use on macOS.

Depending on your setup, you'll have to install a few tools beforehand. You'll need GnuPG (https://gnupg.org/) for verifying signatures. If you don't have GnuPG installed yet, you could install it using Homebrew (https://brew.sh/). There's also an alternative software package called GPGTools (https://gnupg.org/), but I haven't used them since they changed their terms of distribution.

Assuming you have Homebrew installed, you can install GnuPG by opening a terminal and running:
brew install gnupg

If you don't have Homebrew installed yet, you can do this by running the following command taken from the Homebrew website:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Homebrew will need the Apple Xcode Command Line Tools. If you don't have them installed, you can get them by running
xcode-select --install
or by installing Xcode from the Apple App Store.

Once you have everything set up, you can go ahead and download the binary as well as the signature by running:
wget https://github.com/akhavr/electrum-dash/releases/download/4.1.5.0/Dash-Electrum-4.1.5.0-macosx.dmg
wget https://github.com/akhavr/electrum-dash/releases/download/4.1.5.0/Dash-Electrum-4.1.5.0-macosx.dmg.asc


Then you can import akhavr's key by running:
curl https://keybase.io/akhavr/pgp_keys.asc | gpg --import

Finally you can verify the binary by running:
gpg --verify Dash-Electrum-4.1.5.0-macosx.dmg.asc

GPG will tell you if the signature is correct.
 

Sven

> You can learn how to verify signatures for Dash Core and Dash Electrum in the wallet documentation here (check the respective "Installation" sections): https://docs.dash.org/en/stable/wallets/index.html

Thanks for your and the other responses!

I know how PGP and verifying signatures work. That's not my problem. My problem is that the necessary keys are not posted on the download site and I have / had no idea where to find them.

Now digging around a bit under the link you provided, I see Codablock's and Pasta's key listed. So that helps, but...
  • those keys shouldn't be so hidden, several levels deep in a documentation repository. They need to be accessible from the download site.
  • AFAIK, Codablock is not with Dash anymore, so I'm not even sure the listed keys are current and accurate.
  • those two cover only Dash Core downloads. What about other apps, e.g. Electrum?
 

Sven

> @dashfriend_ thank you very much for instruction much more detailed than I could write :)

Since those instructions were posted by someone else, can you please confirm that keybase.io/akhavr/pgp_keys.asc is really your key?

If it is, please make it more accessible on the download site.
 

akhavr

Active Member
Oct 11, 2014
837
414
133
> Since those instructions were posted by someone else, can you please confirm that keybase.io/akhavr/pgp_keys.asc is really your key?
>
> If it is, please make it more accessible on the download site.

Yes, that's me. Will talk to the team that maintains download pages.
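
Added example, not part of any post in this thread and not Dash project code: `gpg --verify` only shows that some imported key signed the file, so this sketch also checks the signer's fingerprint against a pinned value by parsing GnuPG's `--status-fd` output. The all-zero fingerprint is a placeholder, the function names are hypothetical, and 40-hex-digit (v4) fingerprints are assumed.

```shell
#!/bin/sh
# Added example: accept a download only when gpg reports a valid signature
# from a key whose fingerprint was pinned beforehand.

# Placeholder (assumption): replace with the 40-hex-digit fingerprint the
# signer confirmed through a channel other than the key download itself.
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# Normalise a fingerprint: drop spaces, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line
# names the pin as signing key (field 3) or primary key (field 12) and no
# bad, expired or revoked status was reported.
status_matches_pin() {
    pin=$(norm_fpr "$1")
    case $pin in *[!0-9A-F]*) echo "pin is not hex" >&2; return 2 ;; esac
    [ "${#pin}" -eq 40 ] || { echo "pin must be 40 hex digits" >&2; return 2; }
    awk -v pin="$pin" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # Appending "" forces string comparison of the hex fingerprints.
        $2 == "VALIDSIG" && (($3 "") == (pin "") || ($12 "") == (pin "")) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# Usage: verify_pinned <signature.asc> <downloaded file> <fingerprint>
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_pin "$3"
}

# Run as: sh verify.sh Dash-Electrum-4.1.5.0-macosx.dmg.asc Dash-Electrum-4.1.5.0-macosx.dmg
if [ "$#" -eq 2 ]; then
    if verify_pinned "$1" "$2" "$PINNED_FPR"; then
        echo "OK: valid signature from the pinned key"
    else
        echo "FAIL: no valid signature from the pinned key" >&2
        exit 1
    fi
fi
```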