Verifying the Firmware

For Mac users

Confirming the Hash

  1. You will need to download https://gpgtools.org/ in order to complete the PGP signature verification.
  2. Open the Terminal, navigate to the directory where you saved the firmware, enter the command shasum -a 256 20...-coldcard.dfu and hit the 'Enter' key on your keyboard.
    • The file should be in your Downloads folder, so type cd downloads in the Terminal in order to go to that directory.
    • The 20...-coldcard.dfu component is the name of the latest upgrade; make sure to enter the name of the file in full.
  3. Compare the result in your Terminal with the line of text in the signatures.txt file next to the firmware version you saved (it should be the one found directly under the ChangeLog.md line).
The hash is confirmed if the values are the same.

Verifying the PGP Signature

  1. Save the signatures.txt file in the same location as the new firmware file.
    • This should be in the 'Downloads' folder.
    • To save it, right click on the page and select 'Save page as'.
  2. Save the public key 4589779ADFC14F3327534EA8A3A31BAD5A2A5B10 as a .txt file in the same location as the firmware and signatures.txt files.
    • To save it, right click on the page and select 'Save page as'.
  3. Open GPG Keychain.
  4. Click the Import button and navigate to the file saved in step 2, called lookup. Select the file and click Open. A pop-up message should appear saying "Import successful".
    • You will now have the key with the fingerprint from Peter D. Gray.
  5. Open Terminal and make sure you are in the correct directory by typing cd downloads.
  6. Enter gpg --verify signatures.txt in the Terminal.
  7. The output in Terminal should include Good signature from... and should include the following RSA key: 4589 779A DFC1 4F33 2753 4EA8 A3A3 1BAD 5A2A 5B10
It is normal to see "WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner." You can ignore this; the signature has been verified! The warning only means the key is not certified in your own GPG keyring; what confirms the signature is that the fingerprint printed matches the one in step 7.

For Linux Users

Confirming the Hash

  1. Open signatures.txt so you can view its contents.
  2. Use the command line to navigate to the directory where you saved the firmware and enter the command sha256sum 20...-coldcard.dfu.
    • The 20...-coldcard.dfu component is the name of the latest upgrade; make sure to enter the name of the file in full.
  3. Compare the result in your Terminal with the line of text in the signatures.txt file next to the firmware version you saved (it should be the one found directly under the ChangeLog.md line).
The hash is confirmed if the values are the same.

Verifying the PGP Signature

  1. Save the signatures.txt file in the same location as the new firmware file.
  2. On the command line, enter curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xA3A31BAD5A2A5B10" | gpg --import to import the public key.
  3. Next, enter gpg --verify signatures.txt to verify the file's signature against its content.
  4. The command output should include Good signature from... and the key fingerprint 4589 779A DFC1 4F33 2753 4EA8 A3A3 1BAD 5A2A 5B10.
It is normal to see "WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner." You can ignore this; the signature has been verified! The warning only means the key is not certified in your own GPG keyring; what confirms the signature is that the fingerprint printed matches the one above.
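
The two checks described in the Mac and Linux sections above (confirming the SHA-256 against signatures.txt, then verifying the PGP signature and checking the signing key's fingerprint) can be scripted so that the comparison is not done by eye. The script below is an added example; it is not part of the Coldcard documentation or Coinkite's own tooling. It assumes signatures.txt lists each firmware file the way sha256sum prints it ("<hash>  <filename>"), uses sha256sum or shasum depending on which the system has, and reads gpg's machine-readable status output (--status-fd) so that the decisive check is the fingerprint of the key that made the signature rather than the "Good signature from" text, which is exactly what the "not certified" warning leaves open. The script name check-firmware.sh is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Coldcard docs: confirm the firmware hash and
# the signature on signatures.txt from a script instead of by eye.

# Fingerprint of the Coldcard firmware signing key, as given on this page.
EXPECTED_FPR="4589779ADFC14F3327534EA8A3A31BAD5A2A5B10"

# Print the SHA-256 of a file as lowercase hex. Linux has sha256sum; macOS
# has shasum (this is what "shasum -a 256" in the Mac steps does).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if signatures.txt has a line carrying both the file's SHA-256 and
# the file's name (assumed sha256sum-style "<hash>  <filename>" lines),
# 1 otherwise. Requiring the name as well avoids a false "confirmed" from a
# hash that belongs to a different release listed in the same file.
confirm_hash() {
    fw="$1"
    sigs="$2"
    [ -f "$fw" ] && [ -f "$sigs" ] || return 1
    have=$(sha256_of "$fw")
    [ -n "$have" ] || return 1
    grep -i -F "$have" "$sigs" | grep -q -F "$(basename "$fw")"
}

# From gpg --status-fd output, print the fingerprint(s) reported on the
# VALIDSIG line: the signing key's fingerprint (field 3) and, when gpg
# appends it, the primary key's fingerprint (last field). Prints nothing
# if there is no VALIDSIG line, i.e. no valid signature.
validsig_fprs() {
    printf '%s\n' "$1" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; if (NF >= 12) print $NF }'
}

# Return 0 only if the status output shows a valid signature made by the
# expected key (or a subkey of it), 1 otherwise.
fpr_matches() {
    validsig_fprs "$1" | grep -q -i -x -F "$EXPECTED_FPR"
}

# Run gpg on signatures.txt with machine-readable status on stdout and check
# the fingerprint. The human-readable "not certified" warning goes to stderr
# and is irrelevant here; the fingerprint comparison is the real check.
verify_signatures() {
    status=$(gpg --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    fpr_matches "$status"
}

# Usage: ./check-firmware.sh <firmware.dfu> <signatures.txt>
# (script name is an assumption; file names are the ones used on this page)
if [ "$#" -eq 2 ]; then
    if confirm_hash "$1" "$2"; then echo "hash: OK"; else echo "hash: MISMATCH"; fi
    if verify_signatures "$2"; then echo "signature: OK"; else echo "signature: FAILED"; fi
fi
```

Run it from the Downloads folder as ./check-firmware.sh 20...-coldcard.dfu signatures.txt after importing the key as in step 2. Both lines must read OK: a hash match alone only shows the download is intact, and a valid signature from some other key would still print "Good signature from", which is why the script pins the fingerprint instead of trusting that text.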

For Windows Users

These instructions use Kleopatra, which is part of Gpg4win (GNU Privacy Guard for Windows). You only need the GnuPG and Kleopatra components to verify the PGP signature.
Kleopatra requires you to have an OpenPGP certificate (a key pair of your own) to complete the certification step below. If you don't have one to import, you can create one in Kleopatra.

Confirming the Hash

  1. Open signatures.txt so you can view its contents.
  2. Open Command Prompt and enter certutil -hashfile C:\..\20...-coldcard.dfu SHA256, where C:\..\20...-coldcard.dfu is the full path to the saved firmware file.
    • The 20...-coldcard.dfu component is the name of the latest upgrade; make sure to enter the name of the file in full.
  3. Compare the output values in Command Prompt with the line of text in the signatures.txt file next to the firmware version you saved.
The hash is confirmed if the values are the same.

Verifying the PGP Signature

  1. Save the text from signatures.txt with an .asc file extension in the same location as the saved firmware file. Do not save the file as .txt; Kleopatra will not recognize it.
  2. Save the public key 4589779ADFC14F3327534EA8A3A31BAD5A2A5B10 as an .asc file in the same location as the firmware and signatures.asc files.
  3. Open a browser and go to keybase.io/DocHex. Click on the text next to the key icon to open the public key window. You will need this window for a later step.
  4. Open Kleopatra and click Import....
  5. Navigate to the public key .asc file and open it.
  6. You will be asked to check the fingerprint of the file and given suggested options. The Keybase public key window is the trusted source to check it against. Click Yes.
  7. A Certify Certificate window will show the file's fingerprint, your certification, and the fingerprint's owner - in this case, Peter D. Gray. Resize or reposition the Certify Certificate window and the browser window opened in step 3 so you can see them both at the same time.
  8. Make sure the fingerprints in each window match and click Certify. If you have a passphrase on your certificate, you'll be asked to enter it. A pop-up box should appear saying "Certification successful." Click Ok.
  9. Click Decrypt/Verify... and open signatures.asc.
  10. Kleopatra will verify the signature. You may save or discard the file Kleopatra generates; it is not needed.
The signature is verified.