You will need to download https://gpgtools.org/ in order to complete the PGP signature verification.
Open https://raw.githubusercontent.com/Coldcard/firmware/master/releases/signatures.txt to view its contents.
Open the Terminal, navigate to the directory where you saved the firmware, enter the command shasum -a 256 20...-coldcard.dfu and hit the 'Enter' key on your keyboard.
The file should be in your Downloads folder, so type cd Downloads in the Terminal in order to go to that directory.
The 20...-coldcard.dfu component is the name of the latest upgrade; make sure to enter the name of the file in full.
Compare the result in your Terminal with the line of text in the signatures.txt file next to the firmware version you saved (it should be the one found directly under the ChangeLog.md line).
The hash is confirmed if the values are the same.
Save the signatures.txt file in the same location as the new firmware file.
This should be in the 'Downloads' folder.
To save it, right click on the page and select 'Save page as'.
Save the public key 4589779ADFC14F3327534EA8A3A31BAD5A2A5B10 as a .txt file in the same location as the firmware and signatures.txt files.
To save it, right click on the page and select 'Save page as'.
Open GPG Keychain.
Click the Import button and navigate to the file saved in step 2 called lookup. Select the file and click Open. A pop-up message should appear saying "Import successful".
The imported key should show the fingerprint from Peter D. Gray.
Open Terminal and make sure you are in the correct directory by typing cd Downloads
Enter gpg --verify signatures.txt in the Terminal.
The output in Terminal should include Good signature from... and should include the following RSA key: 4589 779A DFC1 4F33 2753 4EA8 A3A3 1BAD 5A2A 5B10
It is normal to see WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. You can ignore this; the warning only means you have not certified the key in your own keyring, and the signature has been verified as long as the fingerprint printed matches the one above.
Open signatures.txt so you can view its contents.
Use the command line to navigate to the directory where you saved the firmware and enter the command sha256sum 20...-coldcard.dfu.
The 20...-coldcard.dfu component is the name of the latest upgrade; make sure to enter the name of the file in full.
Compare the result in your Terminal with the line of text in the signatures.txt file next to the firmware version you saved (it should be the one found directly under the ChangeLog.md line).
The hash is confirmed if the values are the same.
Save the signatures.txt file in the same location as the new firmware file.
On the command line, enter curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xA3A31BAD5A2A5B10" | gpg --import to import the public key.
Next, enter gpg --verify signatures.txt to verify the file's signature against its content.
The command output should include Good signature from...
It is normal to see WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. You can ignore this; the warning only means you have not certified the key in your own keyring, and the signature has been verified as long as the fingerprint printed is that of the key you imported, 4589 779A DFC1 4F33 2753 4EA8 A3A3 1BAD 5A2A 5B10.
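The macOS and Linux command-line steps above, collected into one script as an added example (this is not Coldcard's tooling and not code from the original page). It computes the SHA-256 with whichever tool the platform has (sha256sum or shasum -a 256), looks the firmware file name up in signatures.txt, and then requires gpg's machine-readable VALIDSIG status line to carry the expected fingerprint instead of stopping at the words "Good signature", since "Good signature" on its own only says that some key in your keyring signed the file. It assumes signatures.txt lists releases as sha256sum-style `<hash>  <filename>` lines (which is what the comparison step implies), that the public key has already been imported as described, and the firmware file name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not Coldcard's own tooling.
# Assumption: signatures.txt is a clearsigned list of sha256sum-style lines,
#   "<sha256 hex>  <firmware filename>", one per release.
# Assumption: the firmware file is named exactly as listed in signatures.txt.

# Fingerprint of the signing key named on the page (spaces removed).
EXPECTED_FPR="4589779ADFC14F3327534EA8A3A31BAD5A2A5B10"

# Hex SHA-256 of a file; uses sha256sum (Linux) or shasum -a 256 (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_hash FIRMWARE SIGNATURES
# Succeeds only if SIGNATURES lists FIRMWARE's basename with a hash equal to the
# one just computed. An unlisted name or any mismatch is a failure.
check_hash() {
    fw="$1" sigs="$2"
    actual=$(sha256_of "$fw") || return 1
    name=$(basename "$fw")
    # Tolerate sha256sum's binary-mode "*name" prefix and upper-case hex.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                                 f == n { print tolower($1) }' "$sigs")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# check_signature SIGNATURES [FINGERPRINT]
# gpg's status output carries a VALIDSIG line with the signing key's fingerprint
# (and, when a subkey signed, the primary key's fingerprint as the last field).
# Require the expected fingerprint to appear on that line; a good signature from
# some other key in the keyring is rejected.
check_signature() {
    sigs="$1" fpr="${2:-$EXPECTED_FPR}"
    status=$(gpg --batch --no-tty --status-fd 1 --verify "$sigs" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$fpr"
}

# verify_firmware FIRMWARE SIGNATURES: both checks must pass.
verify_firmware() {
    check_hash "$1" "$2" && check_signature "$2"
}

# Usage: sh verify_firmware.sh 20XX-coldcard.dfu signatures.txt   (placeholder name)
if [ "$#" -eq 2 ]; then
    if verify_firmware "$1" "$2"; then
        echo "OK: hash matches and signature is from $EXPECTED_FPR"
    else
        echo "FAILED: do not install this firmware" >&2
        exit 1
    fi
fi
```

The script exits non-zero on any failure, so it can gate an install step. The fingerprint comparison is the part the GUI-free flow on the page leaves to the eye; pulling it out of gpg's status lines makes the check repeatable.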
These instructions use Kleopatra, which is a part of Gpg4win (GNU Privacy Guard for Windows). You only need the GnuPG Privacy Guard and Kleopatra components to verify the PGP signature.
Kleopatra requires you to have your own OpenPGP key (certificate) to complete verification, because you will certify the imported public key with it. If you don't have one to import, you can make one in Kleopatra.
Open signatures.txt so you can view its contents.
Open Command Prompt and enter certutil -hashfile C:\..\20...-coldcard.dfu SHA256, where C:\..\20...-coldcard.dfu is the full path to the saved firmware file.
The 20...-coldcard.dfu component is the name of the latest upgrade; make sure to enter the name of the file in full.
Compare the output values in Command Prompt with the line of text in the signatures.txt file next to the firmware version you saved. The hash is confirmed if the values are the same.
Save the text from signatures.txt with an .asc file extension in the same location as the saved firmware file. Do not save the file as .txt; Kleopatra will not recognize it.
Save the public key 4589779ADFC14F3327534EA8A3A31BAD5A2A5B10 as an .asc file in the same location as the firmware and signatures.asc files.
Open a browser and go to keybase.io/DocHex. Click on the text next to the key icon to open the public key window. You will need this window for a later step.
Open Kleopatra and click Import...
Navigate to the public key .asc file and open it.
You will be asked to check the fingerprint of the file and given suggested options. The Keybase public key window is the trusted website. Click Yes.
A Certify Certificate window will show the file's fingerprint, your certification, and the fingerprint's owner - in this case, Peter D. Gray. Resize or reposition the Certify Certificate window and the browser window opened in step 3 so you can see them both at the same time.
Make sure the fingerprints in each window match and click Certify. If you have a passphrase on your certificate, you'll be asked to enter it. A pop-up box should appear saying, "Certification successful." Click Ok.
Click Decrypt/Verify... and open signatures.asc.
Kleopatra will verify the signature. You may save or discard the file Kleopatra generates; it is not needed.
The signature is verified.