{% assign version = '1.1.0' | split: '.' %}
{% include disclaimer.html translated="true" version=page.version %}
Verification of the Monero binary files should be done prior to extracting, installing, or using the Monero software. This is the only way to ensure that you are using the official Monero binary. If you receive a fake binary (e.g. through phishing or a MITM attack), following this guide will protect you from being tricked into using it.

To protect the integrity of the binaries, the Monero team provides a cryptographically signed list of all the [SHA256](https://en.wikipedia.org/wiki/SHA-2) hashes. If your downloaded binary has been tampered with, it will produce a [different hash](https://en.wikipedia.org/wiki/File_verification) than the one in the file.

This is a beginner's guide for the Windows operating system and will make use of GUIs almost exclusively. It will walk you through the process of installing the required software, importing the signing key, downloading the necessary files, and finally verifying that your binary is authentic.

**Important note:** Even if the text of this guide is updated, the screenshots are still showing the process using Fluffypony's details. Just follow the guide and keep in mind that when a screenshot is showing *fluffypony*, it actually refers to *binaryfate*.

## Table of Contents

### [1. Gpg4win Installer](#1-using-gpg4win-installer)
  - [1.1. Getting Gpg4win Installer](#11-getting-gpg4win-installer)
    + [1.1.1. Download Gpg4win](#111-download-gpg4win)
    + [1.1.2. Launch Gpg4win](#112-launch-gpg4win)
  - [1.2. Use Gpg4win Installer](#12-use-gpg4win-installer)
### [2. Import Signing Key](#2-monero-signing-key)
  - [2.1. Download Signing Key](#21-download-signing-key)
  - [2.2. Initialize Kleopatra](#22-initialize-kleopatra)
    + [2.2.1. Import Signing Key](#221-import-signing-key)
    + [2.2.2. Create Key Pair](#222-create-key-pair)
  - [2.3. Verify Signing Key](#23-verify-signing-key)
### [3. Verify Hash File](#3-hash-file-verification)
  - [3.1. Download Hash File](#31-download-hash-file)
  - [3.2. Verify Hash File](#32-verify-hash-file)
### [4. Verify Binary File](#4-binary-file-verification)
  - [4.1. Download Binary](#41-download-binary)
  - [4.2. Verify Binary](#42-verify-binary)

## 1. Using Gpg4win Installer

This section will cover installing the cryptography software. Windows does not come with the tools required to verify your binary. To install these tools you can use the Gpg4win installer.

### 1.1. Getting Gpg4win Installer

#### 1.1.1. Download Gpg4win

In a web browser, go to [gpg4win.org](https://gpg4win.org) and download the installer by clicking the green button.

![gpg4win download button](png/verify_binary_windows_beginner/verify-win_gpg4win-site-downloadbutton.png)

You will be taken to a donation page. If you do not wish to donate select `$0`, then you will be able to click `Download`.

![gpg4win site donation](png/verify_binary_windows_beginner/verify-win_gpg4win-site-donation.png)

Click `Save File`.

![gpg4win site save file](png/verify_binary_windows_beginner/verify-win_gpg4win-site-savefile.png)

Choose a download location, click `Save`.

![gpg4win site download location](png/verify_binary_windows_beginner/verify-win_gpg4win-site-savefile-location.png)

#### 1.1.2. Launch Gpg4win

When the download is finished, open the containing folder.

![gpg4win site open folder](png/verify_binary_windows_beginner/verify-win_gpg4win-site-savefile-openfolder.png)

Double click the downloaded gpg4win executable to launch.

![gpg4win launch](png/verify_binary_windows_beginner/verify-win_gpg4win-launch.png)

### 1.2. Use Gpg4win Installer

You will be presented with a security verification screen, click `Run`.

![gpg4win installer security](png/verify_binary_windows_beginner/verify-win_gpg4win-install-security.png)

Select your language, click `OK`.

![gpg4win installer language](png/verify_binary_windows_beginner/verify-win_gpg4win-install-language.png)

A welcome screen will appear, click `Next`.

![gpg4win installer welcome](png/verify_binary_windows_beginner/verify-win_gpg4win-install-welcome.png)

Now you will see the component selection screen, you must at least leave `Kleopatra` checked for this guide. Make your selections, click `Next`.

![gpg4win installer components](png/verify_binary_windows_beginner/verify-win_gpg4win-components.png)

It is best to leave the default installation location unless you know what you are doing. Make your selections, click `Install`.

![gpg4win installer location](png/verify_binary_windows_beginner/verify-win_gpg4win-install.png)

Installation has completed, click `Next`.

![gpg4win installer complete](png/verify_binary_windows_beginner/verify-win_gpg4win-install-complete.png)

Click `Finish`.

![gpg4win installer finish](png/verify_binary_windows_beginner/verify-win_gpg4win-install-finish.png)

## 2. Monero Signing Key

This section will cover downloading the Monero signing key, verifying that the key is correct, and then importing the key to your keyring. The hash file that will be used to verify your binary is cryptographically signed with the Monero signing key. In order to check the validity of this file you must have the public version of the signing key.

### 2.1. Download Signing Key

In a web browser, go to [binaryFate's GPG key](https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc), which he uses for signing the Monero binaries. Right click on the page, choose `Save Page As`.

![getkey right click](png/verify_binary_windows_beginner/verify-win_getkey-rightclick.png)

Leave the default location, click `Save`.

![getkey save file](png/verify_binary_windows_beginner/verify-win_getkey-savefilename.png)

### 2.2. Initialize Kleopatra

If this is your first time using Kleopatra you will have to create a key pair for yourself.

Launch Kleopatra.

![kleo launch](png/verify_binary_windows_beginner/verify-win_kleopatra-launch.png)

#### 2.2.1. Import Signing Key

Click `Import`.

![kleo firstrun import](png/verify_binary_windows_beginner/verify-win_kleopatra-firstrun-importkey.png)

Enter the directory `Downloads`, select `binaryfate`, and click `Open`.

![kleo firstrun key location](png/verify_binary_windows_beginner/verify-win_kleopatra-firstrun-import-location.png)

Start the process of certifying the key by clicking `Yes`.

![kleo firstrun start process](png/verify_binary_windows_beginner/verify-win_kleopatra-firstrun-startverifyprocess.png)

#### 2.2.2. Create Key Pair

Start the process of key creation by clicking `Yes`.

![kleo firstrun start key create](png/verify_binary_windows_beginner/verify-win_kleopatra-firstrun-createkeysnow.png)

Fill in some details for `Name` and `Email`, click `Next`.

![kleo firstrun key details](png/verify_binary_windows_beginner/verify-win_kleopatra-firstrun-createkeydetails.png)

Verify details, click `Create`.

![kleo firstrun verify key details](png/verify_binary_windows_beginner/verify-win_kleopatra-firstrun-verifykeydetails.png)

Set a password, click `OK`.

![kleo firstrun set key pass](png/verify_binary_windows_beginner/verify-win_kleopatra-firstrun-createkeys-pinentry.png)

Click `Finish`.

![kleo firstrun finish create key](png/verify_binary_windows_beginner/verify-win_kleopatra-firstrun-keycreate-success.png)

### 2.3. Verify Signing Key

Visually check that the fingerprint of the key belonging to Riccardo Spagni is `BDA6BD7042B721C467A9759D7455C5E3C0CDCEB9`.

![kleo certify fingerprint](png/verify_binary_windows_beginner/verify-win_kleopatra-certify-fingerprint.png)

If the fingerprint **DOES** match, click `Next`.

If the fingerprint of this key **DOES NOT** match, **DO NOT CONTINUE**. Instead delete the file `binaryfate` from the `Downloads` directory and go back to [section 2.1](#21-download-signing-key).

Leave `Certify only for myself` selected, click `Certify`.

![kleo certify for self](png/verify_binary_windows_beginner/verify-win_kleopatra-certify-forself.png)

Enter your password, click `OK`.

![kleo certify pass](png/verify_binary_windows_beginner/verify-win_kleopatra-certify-pinentry.png)

Click `Finish`.

![kleo certify finish](png/verify_binary_windows_beginner/verify-win_kleopatra-certify-finish.png)

## 3. Hash File Verification

This section will cover downloading the signed file of known good hashes and verifying its authenticity.

### 3.1. Download Hash File

In a web browser, go to the [getmonero.org hash page]({{ site.baseurl_root }}/downloads/hashes.txt). Right click the page, select `Save Page As`.

![hashes right click](png/verify_binary_windows_beginner/verify-win_hashes-getmonero-rightclick.png)

Leave the default location, click `Save`.

![hashes save file](png/verify_binary_windows_beginner/verify-win_hashes-getmonero-savename.png)

### 3.2. Verify Hash File

In Kleopatra, click the `Decrypt/Verify` button.

![hashes kleo verify button](png/verify_binary_windows_beginner/verify-win_hashes-kleo-verify-button.png)

Navigate to the `Downloads` directory. Select the `hashes` file, click `Open`.

![hashes kleo open file](png/verify_binary_windows_beginner/verify-win_hashes-kleo-verify-button-filename.png)

Kleopatra will inform you if the file's signature is valid.

If the signature is **VALID** you will see this:

![hashes kleo goodsig](png/verify_binary_windows_beginner/verify-win_hashes-kleo-goodsig.png)

If the signature is **INVALID** you will see this:

![hashes kleo badsig](png/verify_binary_windows_beginner/verify-win_hashes-kleo-badsig.png)

If you receive a **VALID** signature, click `Discard` and move on.

If you receive an **INVALID** signature, **DO NOT CONTINUE.** Instead delete the file `hashes` from the `Downloads` directory and go back to [section 3.1](#31-download-hash-file).

## 4. Binary File Verification

This section will cover downloading the Monero binary and verifying its authenticity.

### 4.1. Download Binary

In a web browser, go to the [getmonero.org downloads page]({{ site.baseurl_root }}/downloads/#windows). Select the correct binary for your system.

![binary getmonero](png/verify_binary_windows_beginner/verify-win_binary-getmonero-windowsfiles.png)

Leave `Save File` selected, click `OK`.

![binary getmonero save](png/verify_binary_windows_beginner/verify-win_binary-getmonero-save-file.png)

Leave the default location, click `Save`.

![binary getmonero save location](png/verify_binary_windows_beginner/verify-win_binary-getmonero-save-location.png)

### 4.2. Verify Binary

In a file manager, navigate to the `Downloads` directory. Open the file `hashes` with a word processor.

![binary open hashes.txt](png/verify_binary_windows_beginner/verify-win_binary-word-hashfile.png)

Open a terminal (`cmd.exe`).

![binary launch term](png/verify_binary_windows_beginner/verify-win_binary-cmd-launch.png)

Change to the `Downloads` directory with the command: `cd Downloads`.

![binary cmd cd](png/verify_binary_windows_beginner/verify-win_binary-cmd-cd.png)

Calculate the hash of the Monero binary with the command: `certUtil -hashfile monero-gui-win-x64-v0.11.1.0.zip SHA256` (if you downloaded a command-line only version, replace `monero-gui-win-x64-v0.11.1.0.zip` accordingly).

![binary cmd certutil](png/verify_binary_windows_beginner/verify-win_binary-cmd-certutil.png)

Compare the hash from the terminal with the one in the hash file. They should be the same (spaces can be ignored).

![binary compare hashes](png/verify_binary_windows_beginner/verify-win_binary-word-cmd-compare.png)

If your hash **DOES** match then you are finished with verification! You can be sure the Monero files you have are authentic. You may extract and install/use the files normally.

If your hash **DOES NOT** match **DO NOT CONTINUE.** Instead delete the Monero binary from the `Downloads` directory and go back to [section 4.1](#41-download-binary).
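
The checks from sections 3.2 and 4.2 can also be scripted. The PowerShell script below is an added example, not part of the original guide or of the Monero project; the script name and parameter names are hypothetical. It assumes `gpg.exe` (installed by Gpg4win) is on your `PATH`, that the signing key has already been imported, and that the hash file is clearsigned, so that only text covered by the signature is searched for the hash.

```powershell
# Added example (not from the original guide). Save as Verify-Download.ps1
# (hypothetical name) and run it from the Downloads directory:
#   .\Verify-Download.ps1 -Binary monero-gui-win-x64-v0.11.1.0.zip `
#       -HashFile hashes.txt -Fingerprint <fingerprint checked in section 2.3>
param(
    [Parameter(Mandatory)] [string] $Binary,       # the downloaded Monero archive
    [Parameter(Mandatory)] [string] $HashFile,     # the saved signed hash list
    [Parameter(Mandatory)] [string] $Fingerprint   # the key fingerprint you verified
)

$want = $Fingerprint -replace '\s', ''
if ($want -notmatch '^[0-9A-Fa-f]{40}$') {
    Write-Error 'Fingerprint must be 40 hexadecimal characters.'
    exit 1
}

# --decrypt on a clearsigned file prints only the signed text, so anything
# appended outside the signature is never compared against the binary.
# --status-file writes gpg's machine-readable verification result.
$statusFile = New-TemporaryFile
$signedText = & gpg --batch --status-file $statusFile.FullName --decrypt $HashFile 2>$null
$gpgExit = $LASTEXITCODE
$status = Get-Content -LiteralPath $statusFile.FullName
Remove-Item -LiteralPath $statusFile.FullName

# A VALIDSIG status line carries the signing key fingerprint (field 2) and the
# primary key fingerprint (last field); accept only the fingerprint given.
$validSig = $status | Where-Object {
    $fields = $_ -split ' '
    $fields[1] -eq 'VALIDSIG' -and ($fields[2] -eq $want -or $fields[-1] -eq $want)
}
if ($gpgExit -ne 0 -or -not $validSig) {
    Write-Error "Signature on $HashFile is not valid for key $want. Do not continue."
    exit 1
}

# Hash the binary and look for that value among the SHA256 hashes in the signed
# text. Like the manual comparison, this accepts a hash listed anywhere in the file.
$actual = (Get-FileHash -Algorithm SHA256 -LiteralPath $Binary).Hash
$listed = [regex]::Matches(($signedText -join "`n"), '\b[0-9A-Fa-f]{64}\b') |
    ForEach-Object { $_.Value.ToUpper() }

if ($listed -contains $actual) {
    Write-Output "OK: $Binary matches a signed hash ($actual)."
} else {
    Write-Error "MISMATCH: $actual is not in the signed hash list. Delete $Binary and download it again."
    exit 1
}
```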