pull down to refresh

I have wanted to learn how to verify with software for a while because I have a habit of erasing my laptop from time to time, and I need to make sure I'm backing up EVERYTHING since I'm often on the road exploringโ€”if anything happens, that might be lead to many problems, but I'm the one to be blamed; For example, I had forgotten to backup some articles before, and they are gone, so I need to make sure I'm more antifragile by constantly testing my own backup with erasing.
The second reason is when you are around Bitcoiners so much with all the verifying, you really want to make sure all the software you use is genuine. Also, I've stopped using the Apple Store for a while, downloading software from sites could be risky, even though I do verify the URLs, but you never know! So one of the to-does for me is to learn how to verify software because I need to download again every time. I shared some of the questions I had in the saloon, and @ek patiently wrote this guide on how to verify better, so I'm writing down a more detailed article to help others who also want to learn the art of verifying. ๐Ÿ‘€

Why Verify

I'm not going to focus on the why here, but if you are a Bitcoiner, you know the why - don't trust, verify, especially with all the phishing sites and malicious software these days.
Also, if you think this is way above your head or is not for a normal person, I'm happy to tell you that I don't have any coding skills, but I'm willing to test and learnโ€”so if I can do it, you can too!

What to Verify ( Important! )

When I started dipping my toe into verifying, I didn't know what I should verify at all. ๐Ÿ‘€ but then I read a few docs and followed some of the official guides from the software that I use, and of course, this good piece from @ek; I figured it's actually needed to verify two things when it comes to verifying software:
1. The public key, which is used to sign the software release.
When importing a public key, you should check the fingerprint to verify it's the correct public key and ideally from independent sources, and from more sources, the more trusted.
2. The signatures.
Digital signatures are commonly used to ensure the integrity and authenticity of software. When you verify a digital signature, you make sure that the software was created by the person you trust and think it was created by (authenticity) and that it was not modified (integrity). You usually download the signature from the same location as the software.
explained by @ek
There is also a tricky part: if the signature file name (ASC) does not match the dmg file that you downloaded, you need to do one more step for the checksum verification, which verifies the hashes, and it usually shows in the site too when you need to do this step. ( unfortunately, I'm not that technical being able to explain this, feel free to chip in. )

The Setup

In order to verify, we need to install the tools first, home brew and gnupg ( Or install GPG Suite if you are also using a Mac ) but I recommend using the terminal for more solid learning.
The homebrew is quite easy to install, all you need is to put these codes into the terminal, wait a bit and done ( $ means "run this in terminal" )
1. Install homebrew
$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
for better privacy enter brew analytics off
2. Install gnupg
$ brew install gnupg
that's it, you are all set! time to explore the fun. ๐Ÿฅ
Since I'm using a Mac, this experience is based on the Mac system; feel free to pill me other fun!

Learning by Doing

You can't learn swimming from reading, and talking is cheap; I'm going to use two of my favorite Bitcoin desktop wallets as examples for everyone to follow along and do the verification yourself.
For simplicity, we are only using a terminal as practice here.

Practice A. Electrum Wallet

Here is the guide linked to the site on how to verify:
1. Download the Software and the Signature next to it.
Be sure to put both in the same folder, e.g. in the download folder.
2. Check different sources of the fingerprint to verify the signer's public key.
In order to import from PUBLIC KEY BLOCK, run gpg --import copy the block and paste in the terminal and then CTRL+D.
And do one more step, to make sure that you imported the correct key.
$ gpg --fingerprint thomasv
All fingerprints are matched: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6, good!
3. Verify the signed file.
Put these two lines of code into terminal:
$ cd Downloads $ gpg --verify electrum-4.5.3.dmg.asc gpg: assuming signed data in 'electrum-4.5.3.dmg' gpg: Signature made Fri 23 Feb 12:32:06 2024 +03 gpg: using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C gpg: Good signature from "Stephan Oeste (it) <it
If you see " gpg: WARNING: This key is not certified with a trusted signature! " which means you didn't mark the public key as trusted, then you can run gpg --edit-key thomasv@electrum.org , enter trust and choose the numbers.
pub rsa4096/2BD5824B7F9470E6 created: 2011-06-15 expires: never usage: SC trust: full validity: unknown sub rsa4096/1A25C4602021CD84 created: 2011-06-15 expires: never usage: E [ unknown] (1). Thomas Voegtlin (https://electrum.org) <thomasv
now run it again. ( from my testing, if you want to make this warning disappear, you need to set the trust to "5 = I trust ultimately." )
And done! safe to install it now.

Practice B. Sparrow Wallet

Here is the Official guide on how to verify.
1. Download the Software, the Manifest Signature, and the Manifest next to it.
Be sure to put all the them in the same folder, e.g. in the download folder.
2.Check different sources of the fingerprint to verify the signer's public key.
And do one more step, to make sure that you imported the correct key.
$ gpg --fingerprint craig
All fingerprints are matching: D4D0 D320 2FC0 6849 A257 B38D E946 1833 4C67 4B40 good!
3. Verify the signed file.
Put these two lines of code into terminal:
$ cd Downloads $ gpg --verify sparrow-1.8.2-manifest.txt.asc gpg: assuming signed data in 'sparrow-1.8.2-manifest.txt' gpg: Signature made Thu Jan 18 13:35:34 2024 +03 gpg: using RSA key D4D0D3202FC06849A257B38DE94618334C674B40 gpg: Good signature from "Craig Raw <craig
You have now verified the signature of the manifest file, which ensures integrity and authenticity of the manifest file - not the binaries!
explained by Sparrow
4. Verify the hashes.
I can see that I need to verify the hashes because the name of the signature file is different from the software, which means need to do one more step; Simply copy and paste this code into terminal: shasum --check sparrow-1.8.2-manifest.txt --ignore-missing
$ shasum --check sparrow-1.8.2-manifest.txt --ignore-missing Sparrow-1.8.2.dmg: OK
And done! safe to install it now.

๐Ÿ•ต๐Ÿผ The Art of Verifying

1. Download the Software and the Signature next to it.
Be sure to put both in the same folder, e.g. in the download folder.
2. Check different sources of the fingerprint to verify the signer's public key.
Good places to look are Github, Keybase, KeyServer, and different socials. Generally, the more sources showing the same key, the more trusted.
3. Verify the signed file.
-- If the signature file name ( asc ) matches the dmg file that you downloaded, then run this:
$ gpg --verify {filename}.asc
-- if the signature file name ( asc ) does not match the dmg file that you downloaded, get the sha256 and additionally run this:
$ cd Downloads
$ echo "{hash} {filename}" | shasum -a 256 -c -
And congrats! now you've learned how to verify two of the best and most important Bitcoin wallets! Feel free to ask if there are any questions or point out any mistakes, as I'm still new in this verifying, and stay tuned for more:)
There's a weakness in this process that many overlook, which can lead to you being exploited, and that is getting all the initial breadcrumbs from one source, be it GitHub or some software's own download website.
If an attacker were to take control of that website, they would replace the actual download, as well as the signature file, as well as upload their own (attacker's) key to keybase, potentially under the name of the original developer (especially if their email was compromised, which is likely the case).
To defend against that, you must verify via a different medium (social media, different website, signed Bitcoin message), ideally dated well before a potential breach, that the real signer's key fingerprint is indeed what the .asc file indicates.
reply
yes, I mentioned this at the end
Check different sources of the fingerprint to verify the signer's public key. Good places to look are Github, Keybase, KeyServer, and different socials. Generally, the more sources showing the same key, the more trusted.
reply
Sorry, since this is not new knowledge to me, I only skimmed the article and missed that bit.
Anyway, I think it's important to emphasize this as so many people just type the verification commands into their computer without thinking what they do and are happy when gpg gives them a thumbs up without understanding ways in which the supply chain may have been compromised.
reply
Great post!
But did you verify your install of homebrew? lol
reply
๐Ÿ‘€ is this the way? #481198
reply
Great post. Very informative.
reply
87 sats \ 2 replies \ @Taft 26 Mar
Also, if you think this is way above your head or is not for a normal person, I'm happy to tell you that I don't have any coding skills, but I'm willing to test and learnโ€”so if I can do it, you can too!
That's a good encouragement for us without coding skills. Thanks for sharing.
reply
me enjoy doing the dirty work to test what's possible. ๐Ÿ‘€
reply
33 sats \ 0 replies \ @Taft 26 Mar
you are doing a great job ๐Ÿ™
reply
79 sats \ 1 reply \ @quark 26 Mar
This is great. I'm not alone. I thought I was the only one verifying :)
reply
I always wanted to learn, but found it hard to find any practical sources to learn from! now I'm also slowly learning other commands and doing things in the terminal, much fun. ๐Ÿ‘€
reply
Thank you so much for another great article.
Just Book marked it and it'll be the one which I will look at while 'veryfyiing'.
reply
and it's really empowering when you know how to verify whatever you have downloaded in the terminal instead of relaying on any Apple or Google store.
reply
Yes, of we want to be one step ahead of these conservative centralized platforms, we need to upskill ourselves with DIY.
reply
instead of wasting time complaining, big YES.
reply
Yes, the right direction is the direction that you make right. So no complaining, just upskill and be your own verifier.
reply
bookmarked
Usualy you find this kind of guide as well in the different github repos.
reply
oh, also one really strange thing is that some software doesn't even mention anywhere that you should verify the download, so just trust. ๐Ÿ˜‚
reply
The more you know the more you don't know ๐Ÿคฆ
reply
yes! but less crowded as you keep leveling up because most people don't really want to do the work, just want to look smart.
reply
69 sats \ 0 replies \ @go 26 Mar
most people don't really want to do the work, just want to look smart.
Instantly quotable ^
reply
43 sats \ 2 replies \ @OT 26 Mar
Thank you!
I like your wallet choices!
reply
Two MUST have wallets:)!
reply
10 sats \ 0 replies \ @OT 26 Mar
They are the correct two
reply
This video is a great explanation about how to verify software with the Sparrow wallet tool.
reply
wow, interesting! but is it means trusting Sparrow this way? ๐Ÿ‘€
cc @ek
reply
I haven't read it yet, but I can already tell it's very detailed. Congratulations on another great post, as usual. Thank's!
reply
stackers coming to comment without verifying the post! ๐Ÿ•ต๐Ÿผ
reply
The fruit of the tree of Million Sat Madness...
reply
Yes:(
learning real skills, having fun maybe even stacking friends, is worth way more than 1M sats...
reply
Gonna go crack open a book now! :)
reply
why is not read my post and start testing ๐Ÿ‘€
reply
I'm a bit hesitant to run the installation script
https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh
Is there a way to verify its authenticity ? ๐Ÿ˜‚
Let's be real, I don't need to install it yet, but I'll be sure to follow the tutorial when I do.
reply
Is there a way to verify its authenticity ? ๐Ÿ˜‚
@ek mentioned this point to me before, but it seems " trust cannot be eliminated, only minimized. "
reply
111 sats \ 1 reply \ @ek fwd 26 Mar
There are multiple ways to verify the authenticity. Authenticity means here that we want to be sure this URL belongs to the homebrew devs that we already trust.1
Ideally, we use all ways as @Natalia mentioned in her post:
ideally from independent sources, and from more sources, the more trusted.
a) check out the Homebrew organization to which this URL belongs to. Is this a legit org? Do they have many stars (which could be bought)? Much activity? No ticket or discussion that says "this is a scam"?
b) Visit the URL and read the code. No red flags like loading something from a totally different domain? (If you can't read code, learn how to read code.)
c) Verify it uses HTTPS. Probably the easiest way and one that people hopefully already do without thinking, so this is something you should ALWAYS do (assuming it's not already done by the software you use): just check if the URL starts with https://. This is important since TLS (HTTPS = HTTP + TLS) is not only about encryption (confidentiality) but also about integrity and authenticity, the "CIA triad":
Information security's primary focus is the balanced protection of data confidentiality, integrity, and availability (also known as the "CIA" triad) while maintaining a focus on efficient policy implementation, all without hampering organization productivity.
-- wikipedia.org, Information security

Footnotes

  1. Authentication basically means to verify you are who you say you are. Btw, even the HTTP spec got this wrong: it uses authorization for authentication. โ†ฉ
ek is right, we can either trust it or manually check the script. But that already requires shell script knowledge. I've done some before, but I'm not 100% comfortable with it.
reply
isn't SN the perfect place to ask and learn? ๐Ÿ‘€๐Ÿ‘€๐Ÿ‘€
Good on you. Very useful topic
I know Sparrow wallet includes a tool for verifying software.
reply
sudo apt-install goes brrrrrrrrrrrrrrrrrrr
reply
3 minutes in, 4 stackers already upvoted you... strategic early voting is important for MSM :)
That being said, looks like a great guide, sats most likely deserved. It'll take me more than 3 minutes to read it though.
reply