Verifying the Firmware

PreviousUpdating the Firmware NextWallet backup basics

Last updated 3 years ago

Was this helpful?

Verifying the Firmware

For Mac users

Confirming the Hash

You will need to download in order to complete the PGP signature verification.
Open to view its contents.
Open the Terminal, navigate to the directory where you saved the firmware and use the command shasum -a256 20...-coldcard.dfu and hit the 'Enter' key on your keyboard.
- The file should be in your downloads folder, so type cd downloads in the Terminal in order to go to that directory.
- The 20...-coldcard.dfu component is the name of the latest upgrade, make sure to enter the name of the file in full.
Compare the result in your Terminal with the line of text in the signatures.txt file next to the firmware version you saved (it should be the one found directly under the ChangeLog.md line).

The hash is confirmed if the values are the same.

Verifying the PGP Signature

Save the file in the same location as the new firmware file.
- This should be in the 'Downloads' folder.
- To save it, right click on the page and select 'Save page as'.
Save the as a .txt file in the same location as the firmware and signatures.txt files.
- To save it, right click on the page and select 'Save page as'.
Open GPG Keychain.
Click the Import button and navigate to the file saved in step 2 called lookup. Select the file and click Open. A pop-up message should appear saying "Import successful".
- You will have the fingerprint from Peter D. Gray
Open Terminal and make sure you are in the correct directory by typing cd downloads
Enter gpg --verify signatures.txt in the Terminal.
The output in Terminal should include Good signature from...and should include the following RSA key : 4589 779A DFC1 4F33 2753 4EA8 A3A3 1BAD 5A2A 5B10

It is normal to see WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.You can ignore this, the signature has been verified!

For Linux Users

Confirming the Hash

Use the command line to navigate to the directory where you saved the firmware and enter the command sha256sum 20...-coldcard.dfu.
- The 20...-coldcard.dfu component is the name of the latest upgrade, make sure to enter the name of the file in full.
Compare the result in your Terminal with the line of text in the signatures.txt file next to the firmware version you saved (it should be the one found directly under the ChangeLog.md line).
The hash is confirmed if the values are the same.

Verifying the PGP Signature

On the command line, enter curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xA3A31BAD5A2A5B10" | gpg --import to import the public key.
Next, enter gpg --verify signatures.txt to verify the file's signature versus its content.
The command output should include Good signature from....

For Windows Users

Kleopatra requires you to have an OpenPGP signature to complete verification. If you don't have a signature to import, you can make one in Kleopatra.

Confirming the Hash

Open Command Prompt and enter certutil -hashfile C:\..\20...-coldcard.dfu SHA256, where C:\..\20...-coldcard.dfu is the full path to the saved firmware file.
- The 20...-coldcard.dfu component is the name of the latest upgrade, make sure to enter the name of the file in full.
Compare the output values in Command Prompt with the line of text in the signatures.txt file next to the firmware version you saved. The hash is confirmed if the values are the same.

The hash is confirmed if the values are the same.

Verifying the PGP Signature

Open Kleopatra and click Import....
Navigate to the public key .asc file and open it.
You will be asked to check the fingerprint of the file and given suggested options. The Keybase public key window is the trusted website. Click Yes.
A Certify Certificate window will show the file's fingerprint, your certification, and the fingerprint's owner - in this case, Peter D. Gray. Resize or reposition the Certify Certificate window and the browser window opened in step 3 so you can see them both at the same time.
Make sure the fingerprints in each window match and click Certify. If you have a passphrase on your certificate, you'll be asked to enter it. A pop-up box should appear saying, "Certification successful." Click Ok.
Click Decrypt/Verify... and open signatures.asc.
Kleopatra will verify the signature. You may save or discard the file Kleopatra generates, it is not needed.

The signature is verified.

PreviousUpdating the Firmware NextWallet backup basics

Last updated 3 years ago

Was this helpful?

For Mac users

Confirming the Hash

You will need to download in order to complete the PGP signature verification.
Open to view its contents.
Open the Terminal, navigate to the directory where you saved the firmware and use the command shasum -a256 20...-coldcard.dfu and hit the 'Enter' key on your keyboard.
- The file should be in your downloads folder, so type cd downloads in the Terminal in order to go to that directory.
- The 20...-coldcard.dfu component is the name of the latest upgrade, make sure to enter the name of the file in full.
Compare the result in your Terminal with the line of text in the signatures.txt file next to the firmware version you saved (it should be the one found directly under the ChangeLog.md line).

The hash is confirmed if the values are the same.

Verifying the PGP Signature

Save the file in the same location as the new firmware file.
- This should be in the 'Downloads' folder.
- To save it, right click on the page and select 'Save page as'.
Save the as a .txt file in the same location as the firmware and signatures.txt files.
- To save it, right click on the page and select 'Save page as'.
Open GPG Keychain.
Click the Import button and navigate to the file saved in step 2 called lookup. Select the file and click Open. A pop-up message should appear saying "Import successful".
- You will have the fingerprint from Peter D. Gray
Open Terminal and make sure you are in the correct directory by typing cd downloads
Enter gpg --verify signatures.txt in the Terminal.
The output in Terminal should include Good signature from...and should include the following RSA key : 4589 779A DFC1 4F33 2753 4EA8 A3A3 1BAD 5A2A 5B10

For Linux Users

Confirming the Hash

Open so you can view its contents.
Use the command line to navigate to the directory where you saved the firmware and enter the command sha256sum 20...-coldcard.dfu.
- The 20...-coldcard.dfu component is the name of the latest upgrade, make sure to enter the name of the file in full.
Compare the result in your Terminal with the line of text in the signatures.txt file next to the firmware version you saved (it should be the one found directly under the ChangeLog.md line).
The hash is confirmed if the values are the same.

Verifying the PGP Signature

Save the file in the same location as the new firmware file.
On the command line, enter curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xA3A31BAD5A2A5B10" | gpg --import to import the public key.
Next, enter gpg --verify signatures.txt to verify the file's signature versus its content.
The command output should include Good signature from....

For Windows Users

These instructions use Kleopatra, which is a part of . You only need the GnuPG Privacy Guard and Kleopatra components to verify the PGP signature.

Kleopatra requires you to have an OpenPGP signature to complete verification. If you don't have a signature to import, you can make one in Kleopatra.

Confirming the Hash

Open so you can view its contents.
Open Command Prompt and enter certutil -hashfile C:\..\20...-coldcard.dfu SHA256, where C:\..\20...-coldcard.dfu is the full path to the saved firmware file.
- The 20...-coldcard.dfu component is the name of the latest upgrade, make sure to enter the name of the file in full.
Compare the output values in Command Prompt with the line of text in the signatures.txt file next to the firmware version you saved. The hash is confirmed if the values are the same.

The hash is confirmed if the values are the same.

Verifying the PGP Signature

Save the text from with an .asc file extension in the same location as the saved firmware file. Do not save the file as .txt, Kleopatra will not recognize it.
Save the as an .asc file in the same location as the firmware and signatures.asc files.
Open a browser and go to . Click on the text next to the key icon to open the public key window. You will need this window for a later step.
Open Kleopatra and click Import....
Navigate to the public key .asc file and open it.
You will be asked to check the fingerprint of the file and given suggested options. The Keybase public key window is the trusted website. Click Yes.
A Certify Certificate window will show the file's fingerprint, your certification, and the fingerprint's owner - in this case, Peter D. Gray. Resize or reposition the Certify Certificate window and the browser window opened in step 3 so you can see them both at the same time.
Make sure the fingerprints in each window match and click Certify. If you have a passphrase on your certificate, you'll be asked to enter it. A pop-up box should appear saying, "Certification successful." Click Ok.
Click Decrypt/Verify... and open signatures.asc.
Kleopatra will verify the signature. You may save or discard the file Kleopatra generates, it is not needed.

The signature is verified.