Add advanced binary verification guide
+ Add verification-allos-advanced.md to all langs/~~template~~ + Modify index.md of user-guides in all langs/~~template~~
... | ... | @@ -21,7 +21,7 @@ global: |
privacy: Privacy | ||
copyright: Copyright | ||
untranslated: This page is not yet translated. If you would like to help translate it, please see the | ||
titles: | ||
index: Home | ||
whatismonero: What is Monero (XMR)? | ||
... | ... | @@ -54,10 +54,10 @@ titles: |
ffs-ot: Open Tasks | ||
ffs-wip: Work in Progress | ||
blogbytag: Blog by Tag | ||
index: | ||
page_title: "Monero - secure, private, untraceable" | ||
home: | ||
translated: "yes" | ||
heading2: Private Digital Currency | ||
... | ... | @@ -105,15 +105,15 @@ hangouts: |
merchants: | ||
translated: "yes" | ||
intro1: Merchants of all kinds have come to value the financial privacy that Monero brings. Below is a list of the merchants that we know of that currently accept Monero for their goods and services. If a company no longer accepts Monero or you would like your business to be listed, please | ||
intro1: Merchants of all kinds have come to value the financial privacy that Monero brings. Below is a list of the merchants that we know of that currently accept Monero for their goods and services. If a company no longer accepts Monero or you would like your business to be listed, please | ||
intro2: open a GitHub issue and let us know. | ||
disclaimer: | | ||
"Please note: these links are being provided as a convenience and for informational purposes only; they do not constitute an endorsement by the Monero community of any products, services or opinions of the corporations or organizations or individuals listed. The Monero community bears no responsibility for the accuracy, legality, or content of these external sites. Contact the external site for answers to questions regarding its content. As always, caveat emptor ('buyer beware'); you are responsible for doing your own research. Always use judgement when making online purchases." | ||
sponsorships: | ||
translated: "yes" | ||
intro: The following businesses have supported the Monero Project in its goal to bring financial privacy to the world. We couldn't be more grateful for their contributions. If you would like to sponsor the Monero Project and be listed on this page, please send an email to [email protected] | ||
team: | ||
translated: "yes" | ||
core: Core | ||
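Review bot: in the `merchants:` block the `intro1:` line appears twice with identical visible text, and the same pattern shows up for `intro1:` under `downloads:` and `press-kit:`, so these look like whitespace-only edits (probably trailing spaces) that have nothing to do with adding the verification guide. Consider dropping them from this commit or moving them to a separate cleanup commit, so the change to this file is limited to the new user-guides entry.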
... | ... | @@ -131,7 +131,7 @@ downloads: |
sourceblockchain: Source & Blockchain | ||
mobilelight: Mobile & Light | ||
hardware: Hardware | ||
intro1: If you need help choosing the correct application, please click | ||
intro1: If you need help choosing the correct application, please click | ||
intro2: here | ||
intro3: for a quick answer, then select the appropriate release for your operating system below. | ||
note1: "Note: the SHA256 hashes are listed by the downloads for convenience, but a GPG-signed list of the hashes is at" | ||
... | ... | @@ -159,7 +159,7 @@ monero-project: |
press-kit: | ||
translated: "yes" | ||
intro1: Here you'll find the Monero symbol and logo below. You can choose any size that you want, or download the .ai file to mess with the logo yourself. | ||
intro1: Here you'll find the Monero symbol and logo below. You can choose any size that you want, or download the .ai file to mess with the logo yourself. | ||
intro2: Note that the white background options have a white background under the Monero symbol ONLY, not as a background to the whole image. | ||
intro3: Lastly, you can download everything on this page in one zip file by clicking | ||
intro4: here. | ||
... | ... | @@ -352,8 +352,8 @@ about: |
privacy_para: Monero takes privacy seriously. Monero needs to be able to protect users in a court of law and, in extreme cases, from the death penalty. This level of privacy must be completely accessible to all users, whether they are technologically competent or have no idea how Monero works. A user needs to confidently trust Monero in a way that this person does not feel pressured into changing their spending habits for risk of others finding out. | ||
decentralization: Decentralization | ||
decentralization_para: Monero is committed to providing the maximum amount of decentralization. With Monero, you do not have to trust anyone else on the network, and it is not run by any large group. An accessible “Proof of Work” algorithm makes it easy to mine Monero on normal computers, which makes it more difficult for someone to purchase a large amount of mining power. Nodes connect to each other with I2P to lower the risks of revealing sensitive transaction information and censorship (tba). Development decisions are extremely clear and open to public discussion. Developer meeting logs are published online in their entirety and visible by all. | ||
developer-guides: | ||
translated: "yes" | ||
outdated: "Please note: the guides below are currently out of date, but are considered a good starting point for most calls." | ||
... | ... | @@ -373,6 +373,7 @@ user-guides: |
import-blockchain: Importing the Monero blockchain | ||
monero-tools: Monero Tools | ||
purchasing-storing: Securely purchasing and storing Monero | ||
verify-allos: Verify binaries on Linux, Mac, or Windows command line (advanced) | ||
verify-windows: Verify binaries on Windows (beginner) | ||
mine-on-pool: How to mine on a pool with xmr-stak-cpu | ||
solo-mine: How to solo mine with the GUI | ||
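Review bot: the added `verify-allos` key does not share a name with the file the commit message introduces (`verification-allos-advanced.md`), so please confirm that the modified user-guides `index.md` references exactly `verify-allos` and links to that file name; a mismatch on either side would leave the new guide without a title or without a working link. It would also help to state in the commit message which key goes with which file, since `verify-windows` sits directly below it and the two are easy to confuse.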
... | ... | @@ -418,7 +419,7 @@ research-lab: |
annotated_para: The Monero Research Lab released an annotated version of the cryptonote whitepaper. This is sort of like an informal review of the claims that are made line-by-line of the whitepaper. It also explains some of the harder concepts in relatively easy to understand terms. | ||
brandon: Brandon Goodell's Whitepaper Review | ||
brandon_para: This paper is a formal review of the original cryptonote paper by MRL researcher Brandon Goodell. He takes an in-depth look at the claims and mathematics presented in the cryptonote paper. | ||
blog: | ||
title_1: All | ||
... | ... | @@ -428,7 +429,7 @@ blog: |
author: Posted by | ||
date: Posted at | ||
forum: Click here to join the discussion for this entry on the Monero Forum | ||
tags: | ||
all: Articles by Tag | ||
notags: There are no posts for this tag. |
# Binary Verification: Linux, Mac, or Windows Using CLI Tools (Advanced) | ||
Verification of the Monero binary files should be done prior to extracting, installing, or using the Monero software. This is the only way to ensure that you are using the official Monero software. If you receive a fake Monero binary (eg. phishing, MITM, etc.), following this guide will protect you from being tricked into using it. | ||
To protect the integrity of the binaries the Monero team provides a cryptographically signed list of all the [SHA256](https://en.wikipedia.org/wiki/SHA-2) hashes. If your downloaded binary has been tampered with it will be produce a [different hash](https://en.wikipedia.org/wiki/File_verification) than the one in the file. | ||
This is an advanced guide for Linux, Mac, or Windows operating systems and will make use of the command line. It will walk you through the process of installing the required software, importing the signing key, downloading the necessary files, and finally verifying that your binary is authentic. | ||
## Table of Contents: | ||
### [1. Install GnuPG](#1-installing-gnupg) | ||
### [2. Verify & Import Signing Key](#2-verify-and-import-signing-key) | ||
+ [2.1. Get Signing Key](#21-get-signing-key) | ||
+ [2.2. Verify Signing key](#22-verify-signing-key) | ||
+ [2.3. Import Signing key](#23-import-signing-key) | ||
### [3. Download & Verify Hash File](#3-download-and-verify-hash-file) | ||
+ [3.1. Get Hash File](#31-get-hash-file) | ||
+ [3.2. Verify Hash File](#32-verify-hash-file) | ||
### [4. Download & Verify Binary](#4-download-and-verify-binary) | ||
+ [4.1. Get Monero Binary](#41-get-monero-binary) | ||
+ [4.2. Binary Verification on Linux or Mac](#42-binary-verification-on-linux-or-mac) | ||
+ [4.3. Binary Verification on Windows](#43-binary-verification-on-windows) | ||
## 1. Installing GnuPG | ||
+ On Windows, go to the [Gpg4win download page](https://gpg4win.org/download.html) and follow the instructions for installation. | ||
+ On Mac, go to the [Gpgtools download page](https://gpgtools.org/) and follow the instructions for installation. | ||
+ On Linux, GnuPG is installed by default. | ||
## 2. Verify and Import Signing Key | ||
This section will cover getting the Monero signing key, making sure it is correct, and importing the key to GnuPG. | ||
### 2.1. Get Signing Key | ||
On Windows or Mac, go to [Fluffypony's GPG key](https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/fluffypony.asc), which he uses to sign the Monero binaries, and save the page as `fluffypony.asc` to your home directory. | ||
On Linux, you can download Fluffypony's signing key by issuing the following command: | ||
``` | ||
wget -O fluffypony.asc https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/fluffypony.asc | ||
``` | ||
### 2.2. Verify Signing Key | ||
On all operating systems, check the fingerprint of `fluffypony.asc` by issuing the following command in a terminal: | ||
``` | ||
gpg --keyid-format long --with-fingerprint fluffypony.asc | ||
``` | ||
Verify the fingerprint matches: | ||
``` | ||
pub 2048R/7455C5E3C0CDCEB9 2013-04-08 Riccardo Spagni <[email protected]> | ||
Key fingerprint = BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9 | ||
sub 2048R/55432DF31CCD4FCD 2013-04-08 | ||
``` | ||
If the fingerprint **DOES** match, then you may proceed. | ||
If the fingerprint **DOES NOT** match, **DO NOT CONTINUE.** Instead delete the file `fluffypony.asc` and go back to [section 2.1](#21-get-signing-key). | ||
### 2.3. Import Signing Key | ||
From a terminal, import the signing key: | ||
``` | ||
gpg --import fluffypony.asc | ||
``` | ||
If this is the first time you have imported the key, the output will look like this: | ||
``` | ||
gpg: key 0x7455C5E3C0CDCEB9: 2 signatures not checked due to missing keys | ||
gpg: key 0x7455C5E3C0CDCEB9: public key "Riccardo Spagni <[email protected]>" importe | ||
d | ||
gpg: Total number processed: 1 | ||
gpg: imported: 1 | ||
gpg: no ultimately trusted keys found | ||
``` | ||
If you have imported the key previously, the output will look like this: | ||
``` | ||
gpg: key 0x7455C5E3C0CDCEB9: "Riccardo Spagni <[email protected]>" not changed | ||
gpg: Total number processed: 1 | ||
gpg: unchanged: 1 | ||
``` | ||
## 3. Download and Verify Hash File | ||
This section will cover downloading the hash file and verifying its authenticity. | ||
### 3.1. Get Hash File | ||
On Windows or Mac, go to the [hashes file on getmonero.org](https://getmonero.org/downloads/hashes.txt) and save the page as `hashes.txt` to your home directory. | ||
On Linux, you can download the signed hashes file by issuing the following command: | ||
``` | ||
wget -O hashes.txt https://getmonero.org/downloads/hashes.txt | ||
``` | ||
### 3.2. Verify Hash File | ||
The hash file is signed with key `94B7 38DD 3501 32F5 ACBE EA1D 5543 2DF3 1CCD 4FCD`, which is a subkey of key `BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9` (as reflected in the output below). | ||
On all operating systems, verify the signature of the hash file by issuing the following command in a terminal: | ||
``` | ||
gpg --verify hashes.txt | ||
``` | ||
If the file is authentic, the output will look like this: | ||
``` | ||
gpg: Signature made Thu 05 Apr 2018 06:07:35 AM MDT | ||
gpg: using RSA key 94B738DD350132F5ACBEEA1D55432DF31CCD4FCD | ||
gpg: Good signature from "Riccardo Spagni <[email protected]>" [unknown] | ||
gpg: WARNING: This key is not certified with a trusted signature! | ||
gpg: There is no indication that the signature belongs to the owner. | ||
Primary key fingerprint: BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9 | ||
Subkey fingerprint: 94B7 38DD 3501 32F5 ACBE EA1D 5543 2DF3 1CCD 4FCD | ||
``` | ||
If your output shows **Good signature**, as in the example, then you may proceed. | ||
If you see **BAD signature** in the output, **DO NOT CONTINUE.** Instead delete the file `hashes.txt` and go back to [section 3.1](#31-get-hash-file). | ||
## 4. Download and Verify Binary | ||
This section will cover downloading the Monero binary for your operating system, getting the `SHA256` hash of your download, and verifying that it is correct. | ||
### 4.1. Get Monero binary | ||
On Windows or Mac, go to [getmonero.org](https://getmonero.org/downloads/) and download the correct file for your operating system. Save the file to your home directory. **Do not extract the files yet.** | ||
On Linux, you can download the command line tools by issuing the following command: | ||
``` | ||
wget -O monero-linux-x64-v0.12.0.0.tar.bz2 https://downloads.getmonero.org/cli/linux64 | ||
``` | ||
### 4.2. Binary Verification on Linux or Mac | ||
The steps for both Linux and Mac are the same. From a terminal, get the `SHA256` hash of your downloaded Monero binary. As an example this guide will use the `Linux, 64bit` GUI binary. Substitute `monero-gui-linux-x64-v0.12.0.0.tar.bz2` with the name of the binary that you downloaded in [section 4.1](#41-get-monero-binary). | ||
``` | ||
shasum -a 256 monero-gui-linux-x64-v0.12.0.0.tar.bz2 | ||
``` | ||
The output will look like this, but will be different for each binary file. Your `SHA256` hash should match the one listed in the `hashes.txt` file for your binary file. | ||
``` | ||
fb0f43387b31202f381c918660d9bc32a3d28a4733d391b1625a0e15737c5388 monero-gui-linux-x64-v0.12.0.0.tar.bz2 | ||
``` | ||
If your hash **DOES** match, then you are finished with the guide! You can extract the files and install. | ||
If your hash **DOES NOT** match, **DO NOT CONTINUE.** Instead delete the binary you downloaded and go back to [section 4.1](#41-get-monero-binary). | ||
### 4.3. Binary Verification on Windows | ||
From a terminal, get the `SHA256` hash of your downloaded Monero binary. As an example this guide will use the `Windows, 64bit` GUI binary. Substitute `monero-gui-win-x64-v0.12.0.0.zip` with the name of the binary that you downloaded in [section 4.1](#41-get-monero-binary). | ||
``` | ||
certUtil -hashfile monero-gui-win-x64-v0.12.0.0.zip SHA256 | ||
``` | ||
The output will look like this, but will be different for each binary file. Your `SHA256` hash should match the one listed in the `hashes.txt` file for your binary file. | ||
``` | ||
SHA256 hash of file monero-gui-win-x64-v0.12.0.0.zip: | ||
4b 9f 31 68 6e ca ad 97 cd b1 75 e6 57 4b f3 07 f8 d1 c4 10 42 78 25 f4 30 4c 21 da 8a ac 18 64 | ||
CertUtil: -hashfile command completed successfully. | ||
``` | ||
If your hash **DOES** match, then you are finished with the guide! You can extract the files and install. | ||
If your hash **DOES NOT** match, **DO NOT CONTINUE.** Instead delete the binary you downloaded and go back to [section 4.1](#41-get-monero-binary). |
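Review bot: section 3.2 makes **Good signature** the only pass condition, but gpg reports a good signature for any key present in the reader's keyring, and the sample output itself includes `WARNING: This key is not certified with a trusted signature!`. Add an explicit step telling the reader to compare the `Primary key fingerprint:` line with the fingerprint checked in section 2.2 (`BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9`) before proceeding, and say that the warning is expected when the key has not been certified locally. Separately, section 4.1 saves the Linux download as `monero-linux-x64-v0.12.0.0.tar.bz2` while section 4.2 hashes `monero-gui-linux-x64-v0.12.0.0.tar.bz2`; using the same file in both sections would let the commands be followed exactly as written.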
{% include untranslated.html %} | ||
# Binary Verification: Linux, Mac, or Windows Using CLI Tools (Advanced) | ||
Verification of the Monero binary files should be done prior to extracting, installing, or using the Monero software. This is the only way to ensure that you are using the official Monero software. If you receive a fake Monero binary (eg. phishing, MITM, etc.), following this guide will protect you from being tricked into using it. | ||
To protect the integrity of the binaries the Monero team provides a cryptographically signed list of all the [SHA256](https://en.wikipedia.org/wiki/SHA-2) hashes. If your downloaded binary has been tampered with it will be produce a [different hash](https://en.wikipedia.org/wiki/File_verification) than the one in the file. | ||
This is an advanced guide for Linux, Mac, or Windows operating systems and will make use of the command line. It will walk you through the process of installing the required software, importing the signing key, downloading the necessary files, and finally verifying that your binary is authentic. | ||
## Table of Contents: | ||
### [1. Install GnuPG](#1-installing-gnupg) | ||
### [2. Verify & Import Signing Key](#2-verify-and-import-signing-key) | ||
+ [2.1. Get Signing Key](#21-get-signing-key) | ||
+ [2.2. Verify Signing key](#22-verify-signing-key) | ||
+ [2.3. Import Signing key](#23-import-signing-key) | ||
### [3. Download & Verify Hash File](#3-download-and-verify-hash-file) | ||
+ [3.1. Get Hash File](#31-get-hash-file) | ||
+ [3.2. Verify Hash File](#32-verify-hash-file) | ||
### [4. Download & Verify Binary](#4-download-and-verify-binary) | ||
+ [4.1. Get Monero Binary](#41-get-monero-binary) | ||
+ [4.2. Binary Verification on Linux or Mac](#42-binary-verification-on-linux-or-mac) | ||
+ [4.3. Binary Verification on Windows](#43-binary-verification-on-windows) | ||
## 1. Installing GnuPG | ||
+ On Windows, go to the [Gpg4win download page](https://gpg4win.org/download.html) and follow the instructions for installation. | ||
+ On Mac, go to the [Gpgtools download page](https://gpgtools.org/) and follow the instructions for installation. | ||
+ On Linux, GnuPG is installed by default. | ||
## 2. Verify and Import Signing Key | ||
This section will cover getting the Monero signing key, making sure it is correct, and importing the key to GnuPG. | ||
### 2.1. Get Signing Key | ||
On Windows or Mac, go to [Fluffypony's GPG key](https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/fluffypony.asc), which he uses to sign the Monero binaries, and save the page as `fluffypony.asc` to your home directory. | ||
On Linux, you can download Fluffypony's signing key by issuing the following command: | ||
``` | ||
wget -O fluffypony.asc https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/fluffypony.asc | ||
``` | ||
### 2.2. Verify Signing Key | ||
On all operating systems, check the fingerprint of `fluffypony.asc` by issuing the following command in a terminal: | ||
``` | ||
gpg --keyid-format long --with-fingerprint fluffypony.asc | ||
``` | ||
Verify the fingerprint matches: | ||
``` | ||
pub 2048R/7455C5E3C0CDCEB9 2013-04-08 Riccardo Spagni <[email protected]> | ||
Key fingerprint = BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9 | ||
sub 2048R/55432DF31CCD4FCD 2013-04-08 | ||
``` | ||
If the fingerprint **DOES** match, then you may proceed. | ||
If the fingerprint **DOES NOT** match, **DO NOT CONTINUE.** Instead delete the file `fluffypony.asc` and go back to [section 2.1](#21-get-signing-key). | ||
### 2.3. Import Signing Key | ||
From a terminal, import the signing key: | ||
``` | ||
gpg --import fluffypony.asc | ||
``` | ||
If this is the first time you have imported the key, the output will look like this: | ||
``` | ||
gpg: key 0x7455C5E3C0CDCEB9: 2 signatures not checked due to missing keys | ||
gpg: key 0x7455C5E3C0CDCEB9: public key "Riccardo Spagni <[email protected]>" importe | ||
d | ||
gpg: Total number processed: 1 | ||
gpg: imported: 1 | ||
gpg: no ultimately trusted keys found | ||
``` | ||
If you have imported the key previously, the output will look like this: | ||
``` | ||
gpg: key 0x7455C5E3C0CDCEB9: "Riccardo Spagni <[email protected]>" not changed | ||
gpg: Total number processed: 1 | ||
gpg: unchanged: 1 | ||
``` | ||
## 3. Download and Verify Hash File | ||
This section will cover downloading the hash file and verifying its authenticity. | ||
### 3.1. Get Hash File | ||
On Windows or Mac, go to the [hashes file on getmonero.org](https://getmonero.org/downloads/hashes.txt) and save the page as `hashes.txt` to your home directory. | ||
On Linux, you can download the signed hashes file by issuing the following command: | ||
``` | ||
wget -O hashes.txt https://getmonero.org/downloads/hashes.txt | ||
``` | ||
### 3.2. Verify Hash File | ||
The hash file is signed with key `94B7 38DD 3501 32F5 ACBE EA1D 5543 2DF3 1CCD 4FCD`, which is a subkey of key `BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9` (as reflected in the output below). | ||
On all operating systems, verify the signature of the hash file by issuing the following command in a terminal: | ||
``` | ||
gpg --verify hashes.txt | ||
``` | ||
If the file is authentic, the output will look like this: | ||
``` | ||
gpg: Signature made Thu 05 Apr 2018 06:07:35 AM MDT | ||
gpg: using RSA key 94B738DD350132F5ACBEEA1D55432DF31CCD4FCD | ||
gpg: Good signature from "Riccardo Spagni <[email protected]>" [unknown] | ||
gpg: WARNING: This key is not certified with a trusted signature! | ||
gpg: There is no indication that the signature belongs to the owner. | ||
Primary key fingerprint: BDA6 BD70 42B7 21C4 67A9 759D 7455 C5E3 C0CD CEB9 | ||
Subkey fingerprint: 94B7 38DD 3501 32F5 ACBE EA1D 5543 2DF3 1CCD 4FCD | ||
``` | ||
If your output shows **Good signature**, as in the example, then you may proceed. | ||
If you see **BAD signature** in the output, **DO NOT CONTINUE.** Instead delete the file `hashes.txt` and go back to [section 3.1](#31-get-hash-file). | ||
## 4. Download and Verify Binary | ||
This section will cover downloading the Monero binary for your operating system, getting the `SHA256` hash of your download, and verifying that it is correct. | ||
### 4.1. Get Monero binary | ||
On Windows or Mac, go to [getmonero.org](https://getmonero.org/downloads/) and download the correct file for your operating system. Save the file to your home directory. **Do not extract the files yet.** | ||
On Linux, you can download the command line tools by issuing the following command: | ||
``` | ||
wget -O monero-linux-x64-v0.12.0.0.tar.bz2 https://downloads.getmonero.org/cli/linux64 | ||
``` | ||
### 4.2. Binary Verification on Linux or Mac | ||
The steps for both Linux and Mac are the same. From a terminal, get the `SHA256` hash of your downloaded Monero binary. As an example this guide will use the `Linux, 64bit` GUI binary. Substitute `monero-gui-linux-x64-v0.12.0.0.tar.bz2` with the name of the binary that you downloaded in [section 4.1](#41-get-monero-binary). | ||
``` | ||
shasum -a 256 monero-gui-linux-x64-v0.12.0.0.tar.bz2 | ||
``` | ||
The output will look like this, but will be different for each binary file. Your `SHA256` hash should match the one listed in the `hashes.txt` file for your binary file. | ||
``` | ||
fb0f43387b31202f381c918660d9bc32a3d28a4733d391b1625a0e15737c5388 monero-gui-linux-x64-v0.12.0.0.tar.bz2 | ||
``` | ||
If your hash **DOES** match, then you are finished with the guide! You can extract the files and install. | ||
If your hash **DOES NOT** match, **DO NOT CONTINUE.** Instead delete the binary you downloaded and go back to [section 4.1](#41-get-monero-binary). | ||
### 4.3. Binary Verification on Windows | ||
From a terminal, get the `SHA256` hash of your downloaded Monero binary. As an example this guide will use the `Windows, 64bit` GUI binary. Substitute `monero-gui-win-x64-v0.12.0.0.zip` with the name of the binary that you downloaded in [section 4.1](#41-get-monero-binary). | ||
``` | ||
certUtil -hashfile monero-gui-win-x64-v0.12.0.0.zip SHA256 | ||
``` | ||
The output will look like this, but will be different for each binary file. Your `SHA256` hash should match the one listed in the `hashes.txt` file for your binary file. | ||
``` | ||
SHA256 hash of file monero-gui-win-x64-v0.12.0.0.zip: | ||
4b 9f 31 68 6e ca ad 97 cd b1 75 e6 57 4b f3 07 f8 d1 c4 10 42 78 25 f4 30 4c 21 da 8a ac 18 64 | ||
CertUtil: -hashfile command completed successfully. | ||
``` | ||
If your hash **DOES** match, then you are finished with the guide! You can extract the files and install. | ||
If your hash **DOES NOT** match, **DO NOT CONTINUE.** Instead delete the binary you downloaded and go back to [section 4.1](#41-get-monero-binary). |
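Review bot: this copy repeats two text defects from the English guide that are worth fixing before the file is replicated into every language directory: the second intro paragraph reads "it will be produce a different hash" (should be "it will produce"), and the first sample output in section 2.3 has `imported` broken across two lines as `importe` and `d`. The table of contents entries "1. Install GnuPG" and "4.1. Get Monero Binary" also differ from the headings "1. Installing GnuPG" and "4.1. Get Monero binary"; aligning them keeps the link text and the headings consistent.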