Who signs Dash releases and where is the PGP public key file?

Discussion in 'Miscellaneous Dash Support Questions' started by Sven, Jul 7, 2018.

  1. Sven

    Sven New Member
    Masternode Owner/Operator

    I see a new wallet release on https://www.dash.org/wallets/. That page also offers a hash file SHA256SUMS.asc to verify the integrity of the releases. The hash file is signed in PGP. So far so good.

    I'm using GPG Tools on a Mac and it complains:
    "Verification FAILED: Signature can not be verified, because the corresponding public key is missing."

    I spent the last 15 minutes looking for a signing policy and/or the proper key files and couldn't find any. So my questions:
    • Who is authorized to sign Dash releases?
    • What is the fingerprint of that person's public key? (The email address is not good enough, as it's trivial for anyone to generate a PGP key pair for any email address.)
    • Is there a policy document or a page where this info is easily accessible and any changes would be noticed?
     
  2. strophy

    strophy Administrator
    Dash Core Team Dash Support Group Moderator

    @UdjinM6 currently signs the SHA256SUMS.asc file to verify the integrity of the builds. His PGP public key fingerprints are available at https://keybase.io/udjinm6

    You can verify the authenticity of the file using the following commands (for Linux; macOS should be similar if not identical):

    Code:
    curl https://keybase.io/udjinm6/pgp_keys.asc | gpg --import
    wget https://github.com/dashpay/dash/releases/download/v0.12.3.1/SHA256SUMS.asc
    gpg --verify SHA256SUMS.asc
    
    This procedure is documented at https://docs.dash.org/en/latest/masternodes/setup.html#option-2-manual-installation and possibly also in the release documentation on GitHub.
     
    • Like x 3
    • Informative x 2
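
An added example, not part of strophy's post or of Dash's documentation: a sketch that extends the commands above so the signature is accepted only from one pinned key fingerprint (the check the original question asks for) and the downloaded file is then compared with the signed hash. `PINNED_FPR` is a placeholder to be filled in from a source you trust, and the function names are hypothetical.

```bash
# Added example. PINNED_FPR is a placeholder, not the signer's real fingerprint.
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# Read `gpg --status-fd` output on stdin; print the primary-key fingerprint
# from the VALIDSIG line (field 12; field 3 if gpg did not emit field 12).
validsig_fpr() {
  awk '$1=="[GNUPG:]" && $2=="VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# Print the hash recorded for file name $2 in sums file $1.
signed_hash_for() {
  awk -v n="$2" '$2==n || $2=="*"n { print tolower($1); exit }' "$1"
}

# SHA-256 of a file, using whichever tool exists (GNU coreutils or macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# Succeed only if file $2 matches its entry in the (already verified) sums file $1.
hash_matches() {
  want=$(signed_hash_for "$1" "$(basename "$2")")
  [ -n "$want" ] && [ "$(sha256_of "$2")" = "$want" ]
}

# Usage: verify_release SHA256SUMS.asc <downloaded-file>
verify_release() {
  tmp=$(mktemp -d) || return 1
  # --decrypt on a clearsigned file writes only the signed text, so lines
  # pasted outside the signature block never reach the hash comparison.
  gpg --batch --status-fd 3 --output "$tmp/sums" --decrypt "$1" \
      3>"$tmp/status" 2>/dev/null
  fpr=$(validsig_fpr <"$tmp/status")
  if [ "$fpr" != "$PINNED_FPR" ]; then
    echo "REJECT: signed by '${fpr:-no valid signature}', expected $PINNED_FPR" >&2
    rm -rf "$tmp"; return 1
  fi
  hash_matches "$tmp/sums" "$2"; rc=$?
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] && echo "OK: $2" || { echo "REJECT: hash mismatch or no entry" >&2; return 1; }
}
```

A bare `gpg --verify` reports a good signature from any key in the keyring and never looks at the downloaded binary; the two checks here close both gaps.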
  3. Sven

    Sven New Member
    Masternode Owner/Operator

    Thanks!
    This information should be posted on the download pages or at least be linked to from there.
     
    • Agree x 1
  4. Antti Kaikkonen

    Antti Kaikkonen Active Member

    I have a related question:

    Is it possible to compile from the source code to produce exactly the same file? This way multiple people could verify that the release isn't modified.
     
  5. nmarley

    nmarley Administrator
    Dash Core Team Moderator

    • Useful x 1
  6. nmarley

    nmarley Administrator
    Dash Core Team Moderator

    Yes, this is what Gitian does, and how our developers verify the builds themselves. The developers' Gitian signatures can be found here: https://github.com/dashpay/gitian.sigs
     
    • Informative x 1
