{% assign version = '1.1.0' | split: '.' %}
{% include disclaimer.html translated="true" version=page.version %}
Verification of the Monero binary files should be done prior to extracting, installing, or using the Monero software. This is the only way to ensure that you are using the official Monero software. If you receive a fake Monero binary (e.g. through phishing or a MITM attack), following this guide will protect you from being tricked into using it.

To protect the integrity of the binaries, the Monero team provides a cryptographically signed list of all the [SHA256](https://en.wikipedia.org/wiki/SHA-2) hashes. If your downloaded binary has been tampered with, it will produce a [different hash](https://en.wikipedia.org/wiki/File_verification) than the one in the file.

This is an advanced guide for Linux, Mac, or Windows operating systems and will make use of the command line. It will walk you through the process of installing the required software, importing the signing key, downloading the necessary files, and finally verifying that your binary is authentic.

## Table of Contents:

### [1. Install GnuPG](#1-installing-gnupg)
### [2. Verify & Import Signing Key](#2-verify-and-import-signing-key)
  + [2.1. Get Signing Key](#21-get-signing-key)
  + [2.2. Verify Signing key](#22-verify-signing-key)
  + [2.3. Import Signing key](#23-import-signing-key)
### [3. Download & Verify Hash File](#3-download-and-verify-hash-file)
  + [3.1. Get Hash File](#31-get-hash-file)
  + [3.2. Verify Hash File](#32-verify-hash-file)
### [4. Download & Verify Binary](#4-download-and-verify-binary)
  + [4.1. Get Monero Binary](#41-get-monero-binary)
  + [4.2. Binary Verification on Linux or Mac](#42-binary-verification-on-linux-or-mac)
  + [4.3. Binary Verification on Windows](#43-binary-verification-on-windows)

## 1. Installing GnuPG

+ On Windows, go to the [Gpg4win download page](https://gpg4win.org/download.html) and follow the instructions for installation.

+ On Mac, go to the [Gpgtools download page](https://gpgtools.org/) and follow the instructions for installation.

+ On Linux, GnuPG is installed by default.

## 2. Verify and Import Signing Key

This section will cover getting the Monero signing key, making sure it is correct, and importing the key to GnuPG.

### 2.1. Get Signing Key

On Windows or Mac, go to [binaryFate's GPG key](https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc), which he uses to sign the Monero binaries, and save the page as `binaryfate.asc` to your home directory.

On Linux, you can download binaryFate's signing key by issuing the following command:

```
wget -O binaryfate.asc https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc
```

### 2.2. Verify Signing Key

On all operating systems, check the fingerprint of `binaryfate.asc` by issuing the following command in a terminal:

```
gpg --keyid-format long --with-fingerprint binaryfate.asc
```


Verify the fingerprint matches:

```
pub   rsa4096/F0AF4D462A0BDF92 2019-12-12 [SCEA]
      Key fingerprint = 81AC 591F E9C4 B65C 5806  AFC3 F0AF 4D46 2A0B DF92
uid                           binaryFate <[email protected]>
```

If the fingerprint **DOES** match, then you may proceed.

If the fingerprint **DOES NOT** match, **DO NOT CONTINUE.** Instead delete the file `binaryfate.asc` and go back to [section 2.1](#21-get-signing-key).

### 2.3. Import Signing Key

From a terminal, import the signing key:

```
gpg --import binaryfate.asc
```

If this is the first time you have imported the key, the output will look like this:

```
gpg: key F0AF4D462A0BDF92: 2 signatures not checked due to missing keys
gpg: key F0AF4D462A0BDF92: public key "binaryFate <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
```

If you have imported the key previously, the output will look like this:

```
gpg: key F0AF4D462A0BDF92: "binaryFate <[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
```

## 3. Download and Verify Hash File

This section will cover downloading the hash file and verifying its authenticity.

### 3.1. Get Hash File

On Windows or Mac, go to the [hashes file on getmonero.org]({{ site.baseurl_root }}/downloads/hashes.txt) and save the page as `hashes.txt` to your home directory.

On Linux, you can download the signed hashes file by issuing the following command:

```
wget -O hashes.txt {{ site.baseurl_root }}/downloads/hashes.txt
```

### 3.2. Verify Hash File

The hash file is signed with key `81AC 591F E9C4 B65C 5806  AFC3 F0AF 4D46 2A0B DF92`, as reflected in the output below.

On all operating systems, verify the signature of the hash file by issuing the following command in a terminal:

```
gpg --verify hashes.txt
```

If the file is authentic, the output will look like this:

```
gpg:                using RSA key 81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92
gpg: Good signature from "binaryFate <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 81AC 591F E9C4 B65C 5806  AFC3 F0AF 4D46 2A0B DF92
```

If your output shows **Good signature**, as in the example, then you may proceed.

If you see **BAD signature** in the output, **DO NOT CONTINUE.** Instead delete the file `hashes.txt` and go back to [section 3.1](#31-get-hash-file).
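GnuPG prints **Good signature** for any key in your keyring, so a scripted check should also pin the signer to the fingerprint from section 2.2. The following is an added example, not part of the original guide; the function names `signed_by` and `sample_status` are hypothetical and the sample status lines are constructed.

```shell
#!/bin/sh
# Fingerprint from section 2.2 of this guide, with the spaces removed.
EXPECTED_FPR=81AC591FE9C4B65C5806AFC3F0AF4D462A0BDF92

# signed_by FPR: reads the machine-readable status lines that
# `gpg --status-fd 1 --verify` writes, on stdin. Succeeds only if a
# VALIDSIG line names FPR as the primary key (its last field) and no
# bad, errored, expired-key or revoked-key signature is reported.
# A gpg too old to print the primary-key field fails closed.
signed_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            if (toupper($NF) == toupper(want)) ok = 1
            else bad = 1
        }
        END { exit !(ok && !bad) }
    '
}

# Constructed status output (dates and timestamps are made up) so the
# check can be tried without gpg. $1 is the fingerprint to report.
sample_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG F0AF4D462A0BDF92 binaryFate" \
        "[GNUPG:] VALIDSIG $1 2020-01-01 1577836800 0 4 0 1 8 01 $1"
}

# Real use, after section 2.3:
#   gpg --status-fd 1 --verify hashes.txt 2>/dev/null \
#       | signed_by "$EXPECTED_FPR" || echo "DO NOT CONTINUE"
sample_status "$EXPECTED_FPR" | signed_by "$EXPECTED_FPR" \
    && echo "signer matches pinned fingerprint"
```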

## 4. Download and Verify Binary

This section will cover downloading the Monero binary for your operating system, getting the `SHA256` hash of your download, and verifying that it is correct.

### 4.1. Get Monero Binary

On Windows or Mac, go to [getmonero.org]({{ site.baseurl_root }}/downloads/) and download the correct file for your operating system. Save the file to your home directory. **Do not extract the files yet.**

On Linux, you can download the command line tools by issuing the following command:

```
wget -O monero-linux-x64-v0.15.0.1.tar.bz2 https://downloads.getmonero.org/cli/linux64
```

### 4.2. Binary Verification on Linux or Mac

The steps for both Linux and Mac are the same. From a terminal, get the `SHA256` hash of your downloaded Monero binary. As an example this guide will use the `Linux, 64bit` GUI binary. Substitute `monero-gui-linux-x64-v0.15.0.1.tar.bz2` with the name of the binary that you downloaded in [section 4.1](#41-get-monero-binary).

```
shasum -a 256 monero-linux-x64-v0.15.0.1.tar.bz2
```

The output will look like this, but will be different for each binary file. Your `SHA256` hash should match the one listed in the `hashes.txt` file for your binary file.

```
8d61f992a7e2dbc3d753470b4928b5bb9134ea14cf6f2973ba11d1600c0ce9ad  monero-linux-x64-v0.15.0.1.tar.bz2
```

If your hash **DOES** match, then you are finished with the guide! You can extract the files and install.

If your hash **DOES NOT** match, **DO NOT CONTINUE.** Instead delete the binary you downloaded and go back to [section 4.1](#41-get-monero-binary).
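Comparing 64 hex characters by eye is error-prone, so the match can be scripted for Linux or Mac. This is an added example, not part of the original guide: the function names are hypothetical, the demo data is constructed, and the list parser assumes only that the file name and its hash sit on the same line, separated by spaces or commas.

```shell
#!/bin/sh
# sha256_of FILE: print the lowercase hex SHA256 of FILE, using
# sha256sum where present and shasum (as in this guide) otherwise.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{ print tolower($1) }'
}

# hash_listed FILE LIST: succeed only if one line of LIST carries both
# FILE's base name and FILE's SHA256 as whole tokens. Matching the
# name as well stops a hash listed for a different download from
# being accepted.
hash_listed() {
    name=$(basename "$1")
    sum=$(sha256_of "$1") || return 1
    [ ${#sum} -eq 64 ] || return 1      # unreadable file: fail closed
    awk -v n="$name" -v h="$sum" '
        { hn = hh = 0
          k = split($0, t, /[ \t,]+/)
          for (i = 1; i <= k; i++) {
              if (t[i] == n) hn = 1
              if (tolower(t[i]) == h) hh = 1
          }
          if (hn && hh) found = 1 }
        END { exit !found }' "$2"
}

# Dry run on constructed data: a throwaway file and a one-line list.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed payload\n' > "$d/sample.tar.bz2"
    printf '%s  sample.tar.bz2\n' "$(sha256_of "$d/sample.tar.bz2")" \
        > "$d/list.txt"
    hash_listed "$d/sample.tar.bz2" "$d/list.txt"; rc=$?
    rm -rf "$d"; return $rc
}

# Real use, once hashes.txt has passed section 3.2:
#   hash_listed monero-linux-x64-v0.15.0.1.tar.bz2 hashes.txt \
#       || echo "DO NOT CONTINUE"
demo && echo "demo: hash is listed for this file name"
```

If `hashes.txt` is clear-signed, any text outside the signed block is not covered by the signature; `gpg --decrypt hashes.txt` prints only the signed text, which can be saved and passed as the list instead.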

### 4.3. Binary Verification on Windows

From a terminal, get the `SHA256` hash of your downloaded Monero binary. As an example this guide will use the `Windows, 64bit` GUI binary. Substitute `monero-gui-win-x64-v0.15.0.1.zip` with the name of the binary that you downloaded in [section 4.1](#41-get-monero-binary).

```
certUtil -hashfile monero-gui-win-x64-v0.15.0.1.zip SHA256
```

The output will look like this, but will be different for each binary file. Your `SHA256` hash should match the one listed in the `hashes.txt` file for your binary file.

```
SHA256 hash of file monero-gui-win-x64-v0.12.0.0.zip:
4b 9f 31 68 6e ca ad 97 cd b1 75 e6 57 4b f3 07 f8 d1 c4 10 42 78 25 f4 30 4c 21 da 8a ac 18 64
CertUtil: -hashfile command completed successfully.
```

If your hash **DOES** match, then you are finished with the guide! You can extract the files and install.

If your hash **DOES NOT** match, **DO NOT CONTINUE.** Instead delete the binary you downloaded and go back to [section 4.1](#41-get-monero-binary).