LogoLogo
Go to Bitcoin Support Home
Coldcard Hardware Wallet
Coldcard Hardware Wallet
  • Why we recommend Coldcard
  • Guide Overview
  • Wasabi Wallet companion app
  • 🏰Security Overview
    • Is Coldcard secure?
    • Securing the wallet: overview of the basics
    • How people lose their Bitcoin
  • 🔐Create your wallet & backup
    • What you need
    • Initializing the device
    • Coldcard PIN Overview
    • PIN Steps
    • Updating the Firmware
      • Verifying the Firmware
    • Wallet backup basics
    • Create Wallet backup
      • Dice Roll Method (optional)
      • MicroSD backup (optional)
    • Seed XOR (optional)
      • Steps for Seed XOR
      • Restoring from Seed XOR
    • Passphrase Overview
    • Steps for adding a passphrase
      • Lockdown Seed
    • Installing Wasabi Wallet
      • Verifying Wasabi Wallet
    • Connecting to Wasabi Wallet
      • Air-Gapped Coldcard (optional)
  • ⛓️How to use Coldcard with Wasabi Wallet
    • Steps for receiving Bitcoin payments
    • Steps for sending Bitcoin
      • Privacy/Coin Control
      • PSBT Method (optional)
  • 🏹More Features
    • PIN Security Features
    • Power & Login
    • Address Explorer
    • BIP-85 Wallets
      • Using BIP-85 with Wasabi
  • ⚠️Summary
    • DO's & DONT's
Powered by GitBook
On this page
  • For Mac users
  • For Linux Users
  • For Windows Users

Was this helpful?

Export as PDF
  1. Create your wallet & backup
  2. Updating the Firmware

Verifying the Firmware

PreviousUpdating the FirmwareNextWallet backup basics

Last updated 3 years ago

Was this helpful?

For Mac users

Confirming the Hash

  1. You will need to download in order to complete the PGP signature verification.

  2. Open to view its contents.

  3. Open the Terminal, navigate to the directory where you saved the firmware and use the command shasum -a256 20...-coldcard.dfu and hit the 'Enter' key on your keyboard.

    • The file should be in your downloads folder, so type cd downloads in the Terminal in order to go to that directory.

    • The 20...-coldcard.dfu component is the name of the latest upgrade, make sure to enter the name of the file in full.

  4. Compare the result in your Terminal with the line of text in the signatures.txt file next to the firmware version you saved (it should be the one found directly under the ChangeLog.md line).

The hash is confirmed if the values are the same.

Verifying the PGP Signature

  1. Save the file in the same location as the new firmware file.

    • This should be in the 'Downloads' folder.

    • To save it, right click on the page and select 'Save page as'.

  2. Save the as a .txt file in the same location as the firmware and signatures.txt files.

    • To save it, right click on the page and select 'Save page as'.

  3. Open GPG Keychain.

  4. Click the Import button and navigate to the file saved in step 2 called lookup. Select the file and click Open. A pop-up message should appear saying "Import successful".

    • You will have the fingerprint from Peter D. Gray

  5. Open Terminal and make sure you are in the correct directory by typing cd downloads

  6. Enter gpg --verify signatures.txt in the Terminal.

  7. The output in Terminal should include Good signature from...and should include the following RSA key : 4589 779A DFC1 4F33 2753 4EA8 A3A3 1BAD 5A2A 5B10

It is normal to see WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.You can ignore this, the signature has been verified!

For Linux Users

Confirming the Hash

  1. Use the command line to navigate to the directory where you saved the firmware and enter the command sha256sum 20...-coldcard.dfu.

    • The 20...-coldcard.dfu component is the name of the latest upgrade, make sure to enter the name of the file in full.

  2. Compare the result in your Terminal with the line of text in the signatures.txt file next to the firmware version you saved (it should be the one found directly under the ChangeLog.md line).

    The hash is confirmed if the values are the same.

Verifying the PGP Signature

  1. On the command line, enter curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xA3A31BAD5A2A5B10" | gpg --import to import the public key.

  2. Next, enter gpg --verify signatures.txt to verify the file's signature versus its content.

  3. The command output should include Good signature from....

It is normal to see WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.You can ignore this, the signature has been verified!

For Windows Users

Kleopatra requires you to have an OpenPGP signature to complete verification. If you don't have a signature to import, you can make one in Kleopatra.

Confirming the Hash

  1. Open Command Prompt and enter certutil -hashfile C:\..\20...-coldcard.dfu SHA256, where C:\..\20...-coldcard.dfu is the full path to the saved firmware file.

    • The 20...-coldcard.dfu component is the name of the latest upgrade, make sure to enter the name of the file in full.

  2. Compare the output values in Command Prompt with the line of text in the signatures.txt file next to the firmware version you saved. The hash is confirmed if the values are the same.

The hash is confirmed if the values are the same.

Verifying the PGP Signature

  1. Open Kleopatra and click Import....

  2. Navigate to the public key .asc file and open it.

  3. You will be asked to check the fingerprint of the file and given suggested options. The Keybase public key window is the trusted website. Click Yes.

  4. A Certify Certificate window will show the file's fingerprint, your certification, and the fingerprint's owner - in this case, Peter D. Gray. Resize or reposition the Certify Certificate window and the browser window opened in step 3 so you can see them both at the same time.

  5. Make sure the fingerprints in each window match and click Certify. If you have a passphrase on your certificate, you'll be asked to enter it. A pop-up box should appear saying, "Certification successful." Click Ok.

  6. Click Decrypt/Verify... and open signatures.asc.

  7. Kleopatra will verify the signature. You may save or discard the file Kleopatra generates, it is not needed.

The signature is verified.

Open so you can view its contents.

Save the file in the same location as the new firmware file.

These instructions use Kleopatra, which is a part of . You only need the GnuPG Privacy Guard and Kleopatra components to verify the PGP signature.

Open so you can view its contents.

Save the text from with an .asc file extension in the same location as the saved firmware file. Do not save the file as .txt, Kleopatra will not recognize it.

Save the as an .asc file in the same location as the firmware and signatures.asc files.

Open a browser and go to . Click on the text next to the key icon to open the public key window. You will need this window for a later step.

🔐
https://gpgtools.org/
https://raw.githubusercontent.com/Coldcard/firmware/master/releases/signatures.txt
signatures.txt
public key 4589779ADFC14F3327534EA8A3A31BAD5A2A5B10
signatures.txt
signatures.txt
Gpg4win (GNU Privacy Guard for Windows)
signatures.txt
signatures.txt
public key 4589779ADFC14F3327534EA8A3A31BAD5A2A5B10
keybase.io/DocHex