Who signs Dash releases and where is the PGP public key file?

Sven

Member
Aug 15, 2017
I see a new wallet release on https://www.dash.org/wallets/ That page also offers a hash file SHA256SUMS.asc to verify the integrity of the releases. The hash file is signed in PGP. So far so good.

I'm using GPG Tools on a Mac and it complains:
"Verification FAILED: Signature can not be verified, because the corresponding public key is missing."

I spent the last 15 minutes looking for a signing policy and/or the proper key files and couldn't find any. So my questions:
  • Who is authorized to sign Dash releases?
  • What is the fingerprint of that person's public key? (The email address is not good enough, as it's trivial for anyone to generate a PGP key pair for any email address.)
  • Is there a policy document or a page where this info is easily accessible and any changes would be noticed?
 

strophy

Administrator
Dash Core Team
Dash Support Group
Feb 13, 2016
@UdjinM6 currently signs the SHA256SUMS.asc file to verify the integrity of the builds. His PGP public key fingerprints are available at https://keybase.io/udjinm6

You can verify the authenticity of the file using the following commands (for Linux, macOS should be similar if not identical):

Code:
curl https://keybase.io/udjinm6/pgp_keys.asc | gpg --import
wget https://github.com/dashpay/dash/releases/download/v0.12.3.1/SHA256SUMS.asc
gpg --verify SHA256SUMS.asc

This procedure is documented at https://docs.dash.org/en/latest/masternodes/setup.html#option-2-manual-installation and possibly also in the release documentation on GitHub.
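
Added example (not from the thread or the Dash project): the verification above, extended so that it accepts a signature only from one pinned fingerprint, which is the point the original question raises, and then compares the downloaded file against the signed hash list. It assumes SHA256SUMS.asc is clearsigned and that gpg and sha256sum are installed; the function names and the fingerprint argument are placeholders chosen here.

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint, then hash-check a download.
# Assumption: SHA256SUMS.asc is a clearsigned file; gpg and sha256sum are installed.
set -eu

# Strip spaces and upper-case, so "abcd 1234" and "ABCD1234" compare equal.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# stdin: gpg --status-fd output. Prints the primary-key fingerprint of the valid
# signature; returns non-zero if gpg reported no VALIDSIG line at all.
signer_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); ok = 1; exit }
       END { exit !ok }'
}

# stdin: verified SHA256SUMS text. Prints the hash listed for file name $1.
listed_hash() {
  awk -v n="$1" '($2 == n || $2 == "*" n) { print $1; ok = 1; exit } END { exit !ok }'
}

# Usage: verify_release <expected-fingerprint> <SHA256SUMS.asc> <downloaded-file>
verify_release() {
  want_fpr=$(normalize_fpr "$1"); sums=$2; file=$3
  text=$(mktemp); trap 'rm -f "$text"' EXIT
  # One gpg run: check the signature and write out only the text it covers.
  status=$(gpg --batch --yes --status-fd 1 --output "$text" --decrypt "$sums" 2>/dev/null) ||
    { echo "FAIL: signature did not verify" >&2; return 1; }
  got_fpr=$(printf '%s\n' "$status" | signer_fpr) ||
    { echo "FAIL: no valid signature reported" >&2; return 1; }
  [ "$got_fpr" = "$want_fpr" ] ||
    { echo "FAIL: signed by $got_fpr, expected $want_fpr" >&2; return 1; }
  want_hash=$(listed_hash "$(basename "$file")" < "$text") ||
    { echo "FAIL: $file is not listed in the signed sums" >&2; return 1; }
  got_hash=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$got_hash" = "$want_hash" ] || { echo "FAIL: hash mismatch for $file" >&2; return 1; }
  echo "OK: $file matches a hash signed by $got_fpr"
}

# Runs only when called with arguments, e.g.
#   sh verify.sh "<FINGERPRINT-FROM-A-SOURCE-YOU-TRUST>" SHA256SUMS.asc <downloaded-file>
[ "$#" -eq 0 ] || verify_release "$@"
```

The pinned fingerprint should come from a channel other than the one that served the key file, otherwise the comparison adds nothing over the plain `gpg --verify`.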
 

Sven

Member
Aug 15, 2017
Thanks!
This information should be posted on the download pages or at least be linked to from there.
 

Antti Kaikkonen

Active Member
Jun 20, 2017
I have a related question:

Is it possible to compile from the source code to produce exactly the same file? This way multiple people could verify that the release isn't modified.
 

nmarley

Administrator
Core Developer
Dash Core Team
Moderator
Jun 28, 2014
> I have a related question:
>
> Is it possible to compile from the source code to produce exactly the same file? This way multiple people could verify that the release isn't modified.

Yes, this is what Gitian does, and how our developers verify the builds themselves. The developers' Gitian signatures can be found here: https://github.com/dashpay/gitian.sigs