Verifying Files with GPG/PGP Signatures
In this example we are going to verify the code for the Wasabi Wallet, a Bitcoin wallet that provides more private Bitcoin transactions through its implementation of CoinJoin. The following method can be used not only with the Wasabi Wallet but with any software or files where GPG/PGP digital signatures are used. This document deals primarily with verifying files on Linux, but the same principle applies when using Windows or Mac OS as well.
When it comes to verifying code from the internet you need to be almost 100% certain that the code you are installing is genuine, especially when it comes to Bitcoin and money!! Before proceeding you must first have GPG installed on your machine. This program is usually installed by default on most Linux distros, but if it isn't, simply install it via the command line (NOTE: your install method may be different depending on your distro):
[root@17laptop asus]# dnf install gnupg
Last metadata expiration check: 0:29:58 ago on Fri 09 Nov 2018 08:53:01 AM EST.
Package gnupg-1.4.23-1.fc27.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
[root@17laptop asus]#
Once GPG is installed, you can then import the GPG/PGP public key from the developer.
The Basics and Importance of a Public Key
Most people already grasp the concept of asymmetric cryptography; for those who don't, the basic idea is that you provide the world, or a specific person, with your 'Public' key. This allows a user to encrypt a message or file using YOUR 'Public' key that only you can decode. Once you receive this encrypted file you can then decrypt it using your 'Private' key (which is never shared with anyone). The same keypair works the other way round for authenticity: YOU can use your 'Private' key to create a 'Detached Signature' on a file, and anyone who has your 'Public' key can then verify that signature.
Example:
I have a file that I wish to send to someone and would like them to have the capability to authenticate that it is indeed the original file I sent and that it has not been tampered with. Provided the user has my 'Public' key, this can easily be done with GPG/PGP. In this example, my file is 'mywickedcode.txt'.
[asus@17laptop TEST-digital-sigs]$ ls
mywickedcode.txt
[asus@17laptop TEST-digital-sigs]$ gpg -u [email protected] --detach-sign --armor mywickedcode.txt
You need a passphrase to unlock the secret key for
user: "Administrator (Bitcoin Rulz) [email protected]"
2048-bit RSA key, ID 5532A8B2, created 2018-11-09
[asus@17laptop TEST-digital-sigs]$ ls
mywickedcode.txt mywickedcode.txt.asc
[asus@17laptop TEST-digital-sigs]$
Notice in the gpg command above I declared which private key to use (-u [email protected]) followed by '--detach-sign --armor mywickedcode.txt'. The '--detach-sign' option tells GPG to create a Detached Signature (a separate file, leaving the original untouched), whereas '--armor' produces ASCII-armored output rather than binary. When looking at the contents of the directory you will notice I've produced the Detached Signature file 'mywickedcode.txt.asc'.
[asus@17laptop TEST-digital-sigs]$ cat mywickedcode.txt.asc
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJb5adTAAoJELr4gylVMqiyEscH/1kweN4wOWdGibDAkODGcpMu
y9x6QjAe7TFxfx6PzNLmhabpVqp8s8oIsZ9G+HWcRB7CYaRZVoqPPSCw+t2eh7So
upkUu7efkiHfVCpjwvETwLDvKzMd4oO3OErFx6VWcw2IKhMIu6fhi652PlxAvXh7
74y/5ooQ4BaZOMvvMHjfwm+UMz/JGHiVwDvavH07ly3OXh7Y/O2UxJboLkBGdGX4
2cRVm0P2F0ueo6fqCLVl5xf4dZ6ucoBOLK6pQRERpKBwC0qzmkHxgbNzil83G3zH
yMxNQpmADMpC9j0ULi6zr/nTFiwZdyWdClb8at6jNHilpZ4BeNPSofUEnFe6ZFY=
=foYZ
-----END PGP SIGNATURE-----
[asus@17laptop TEST-digital-sigs]$
Now that you have a basic understanding of Detached Signatures, you can authenticate files or code.
Importing the Public Key
As shown above, most code today can be verified using public/private key cryptography. This means that an individual or corporation can create a 'Detached Signature', which is nothing more than a file that contains the signature for another specified file (e.g. WasabiLinux.tar.gz). To install the Wasabi Wallet go to:
From the website you should first import the public key of the developer. There should be a link on this page that will redirect you to the developer's GitHub so you can import the Public key. It should look something like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFVmnHQBCADH/ysozaiq7zLs2hXaCy7zyVHqMlm4z94yIxZAdklSk6dHDhcB
IZSMnAQhISStBxioe8u+CXnviSBfRVHsiSiGYQ9OrDA/8Hod3pi/BWANLuUmkkTF
H/wV1aMJ6kU8tNnk7JQo36iP9T7exM6IMkHWl1Qt+wPTNO6IeG0WTWcSyhsEf5z3
cYE44Vi2qtdhwRVB9CqnRDZO35ptPogeM8B9f6+xK0xrHsmccpdrD7syG4/Ejp60
ftinxaAxK943/7U/tIz43Om5nrxC3Z2ENBQAmaEvIoalsEnCukQUAbcgPyrg5FGi
gypa0urTR6II8BRQ/apKmdqojyKYXodwbx5bABEBAAG0KEZpY3PDs3Igw4Fkw6Ft
IDxhZGFtLmZpY3NvcjczQGdtYWlsLmNvbT6JATkEEwEIACMFAlVmnHQCGw8HCwkI
BwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRC0tyJmxH4HXjW4CACOssYpIzfY8/cr
u3EbqjVTy+IetTHcyZ+g9U5ouWlBroJpFnkIrd7gSVRr5kJlaJm7mvVJUy5uStts
nYB3mGlqi2xPhHLwkGeI6yIRW7FyPQU08Orgj9PvNmwHbQY12hYNUba/e5pkRq3V
CKb1IUqkCXFizQOlYRxWNXhsXcOK874tYWfaYxvmfKAuSUP5S4orkF2Dz+Zs/SCa
Xv7IWSVh8warqJYOTcv/VOHwFWfyjnJQEZxs/VQQ/NIyhiUd8FzTQMQSnQOp2MKx
MjxUrvhkKt82o/MDtsF8OIFVcxv5aLYCZc8df+8tetYemFb4CoJlGc7qSwWKx6xy
I5fSLxDM
=936Y
-----END PGP PUBLIC KEY BLOCK-----
Simply copy this text and paste it into a file and name it 'wasabiwallet.gpg'.
[asus@17laptop walletcode]$ cat wasabiwallet.gpg
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFVmnHQBCADH/ysozaiq7zLs2hXaCy7zyVHqMlm4z94yIxZAdklSk6dHDhcB
IZSMnAQhISStBxioe8u+CXnviSBfRVHsiSiGYQ9OrDA/8Hod3pi/BWANLuUmkkTF
H/wV1aMJ6kU8tNnk7JQo36iP9T7exM6IMkHWl1Qt+wPTNO6IeG0WTWcSyhsEf5z3
cYE44Vi2qtdhwRVB9CqnRDZO35ptPogeM8B9f6+xK0xrHsmccpdrD7syG4/Ejp60
ftinxaAxK943/7U/tIz43Om5nrxC3Z2ENBQAmaEvIoalsEnCukQUAbcgPyrg5FGi
gypa0urTR6II8BRQ/apKmdqojyKYXodwbx5bABEBAAG0KEZpY3PDs3Igw4Fkw6Ft
IDxhZGFtLmZpY3NvcjczQGdtYWlsLmNvbT6JATkEEwEIACMFAlVmnHQCGw8HCwkI
BwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRC0tyJmxH4HXjW4CACOssYpIzfY8/cr
u3EbqjVTy+IetTHcyZ+g9U5ouWlBroJpFnkIrd7gSVRr5kJlaJm7mvVJUy5uStts
nYB3mGlqi2xPhHLwkGeI6yIRW7FyPQU08Orgj9PvNmwHbQY12hYNUba/e5pkRq3V
CKb1IUqkCXFizQOlYRxWNXhsXcOK874tYWfaYxvmfKAuSUP5S4orkF2Dz+Zs/SCa
Xv7IWSVh8warqJYOTcv/VOHwFWfyjnJQEZxs/VQQ/NIyhiUd8FzTQMQSnQOp2MKx
MjxUrvhkKt82o/MDtsF8OIFVcxv5aLYCZc8df+8tetYemFb4CoJlGc7qSwWKx6xy
I5fSLxDM
=936Y
-----END PGP PUBLIC KEY BLOCK-----
[asus@17laptop walletcode]$
Now that we have the Public key we need to import it into our keyring:
[asus@17laptop walletcode]$ gpg --import wasabiwallet.gpg
gpg: key C47E075E: public key "Ficsór Ádám [email protected]" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[asus@17laptop walletcode]$
To view the keys that have been imported into your keyring, issue this command:
[asus@17laptop walletcode]$ gpg --list-keys
/home/asus/.gnupg/pubring.gpg
pub 2048R/5532A8B2 2018-11-09
uid Administrator (Bitcoin Rulz) [email protected]
sub 2048R/99DA767E 2018-11-09
pub 2048R/C47E075E 2015-05-28
uid Ficsór Ádám [email protected]
[asus@17laptop walletcode]$
Here you should notice the public key of the developer as well as your Public/Private keypair. Now you can download the software and the 'Signature' file.
Verifying the Wasabi Wallet Software Using a Signature File
From the Wasabi website download the 'WasabiLinux.tar.gz' file as well as the 'Signature' file and store them in the same directory. This Signature file is nothing more than the 'Detached Signature' file that we discussed previously. It would have been created by the developer using his 'Private' key, and now that the matching Public key is imported into our keyring we can verify whether the file is genuine:
[asus@17laptop walletcode]$ ls
WasabiLinux.tar.gz WasabiLinux.tar.gz.asc wasabiwallet.gpg
[asus@17laptop walletcode]$ gpg --verify WasabiLinux.tar.gz.asc
gpg: assuming signed data in `WasabiLinux.tar.gz'
gpg: Signature made Wed 31 Oct 2018 03:54:49 AM EDT using RSA key ID C47E075E
gpg: Good signature from "Ficsór Ádám [email protected]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 21D7 CA45 565D BCCE BE45 115D B4B7 2266 C47E 075E
[asus@17laptop walletcode]$
The output shows 'Good signature from "Ficsór Ádám [email protected]"', so GPG has confirmed that the signature was made by the imported key and that the file has not been altered since it was signed. The 'WARNING:' does not mean the signature is bad; it means the public key is not certified by anyone in your keyring (it has not been signed by a key you trust, nor registered with a third party), so GPG cannot tell you by itself that this key really belongs to the developer. The verification is therefore only as strong as the key you imported: compare the 'Primary key fingerprint' printed on the last line (21D7 CA45 565D BCCE BE45 115D B4B7 2266 C47E 075E) with the fingerprint the developer publishes elsewhere, and compare the full fingerprint rather than the short 8-character key ID, which is not unique enough to identify a key on its own. Once the fingerprint matches, the warning can be ignored.
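When the same verification is scripted (for example in a build or update pipeline), the decision should not come from grepping "Good signature" out of gpg's human-readable stderr. GPG offers '--status-fd', which emits machine-readable '[GNUPG:] ...' lines, and the script should additionally pin the developer's fingerprint so that a "good" signature from some other key is rejected. The following is an added example, not code from the original article or from the Wasabi project: the function names, the status lines (modelled on the verify run above; the timestamps and the "other key" fingerprint are constructed, not captured from gpg), and the assumption that 'gpg' is on PATH in verify_file() are all mine. The keyword names (GOODSIG, VALIDSIG, BADSIG, TRUST_UNDEFINED, ...) are GnuPG's own.

```python
# Added example (not from the original article): script GnuPG verification
# with --status-fd so the accept/reject decision rests on machine-readable
# status lines and on a fingerprint pinned out of band, not on grepping
# "Good signature" from stderr.
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SigResult:
    good: bool = False                  # a GOODSIG line was seen
    valid: bool = False                 # a VALIDSIG line was seen
    fingerprint: Optional[str] = None   # primary key fingerprint from VALIDSIG
    trust: Optional[str] = None         # TRUST_* keyword, e.g. TRUST_UNDEFINED
    problems: List[str] = field(default_factory=list)  # BADSIG, NO_PUBKEY, ...


def parse_gpg_status(status_text: str) -> SigResult:
    """Parse the '[GNUPG:] ...' lines that 'gpg --status-fd' emits."""
    r = SigResult()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        keyword = parts[1]
        if keyword == "GOODSIG":
            r.good = True
        elif keyword == "VALIDSIG":
            r.valid = True
            # parts[2] is the fingerprint of the (sub)key that signed; the
            # optional last field is the primary key fingerprint, which is the
            # one developers publish. Fall back to the signing key otherwise.
            r.fingerprint = parts[11] if len(parts) > 11 else parts[2]
        elif keyword.startswith("TRUST_"):
            r.trust = keyword
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY",
                         "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            r.problems.append(keyword)
    return r


def check_signature(status_text: str, expected_fingerprint: str) -> Tuple[bool, str]:
    """Accept only a good signature made by the key whose fingerprint we pinned."""
    r = parse_gpg_status(status_text)
    expected = expected_fingerprint.replace(" ", "").upper()
    if r.problems:
        return False, "gpg reported: " + ", ".join(r.problems)
    if not (r.good and r.valid and r.fingerprint):
        return False, "no valid signature found"
    if r.fingerprint.upper() != expected:
        return False, f"signed by unexpected key {r.fingerprint}"
    # TRUST_UNDEFINED is the machine form of the WARNING in the article: the
    # key has no trust path in the keyring. With the fingerprint pinned above
    # that is acceptable; an explicit TRUST_NEVER is not.
    if r.trust == "TRUST_NEVER":
        return False, "key is marked as never trusted"
    return True, f"good signature from pinned key {r.fingerprint}"


def verify_file(signature_path: str, data_path: str, expected_fingerprint: str) -> Tuple[bool, str]:
    """Run gpg on a detached signature (assumes gpg on PATH and the key imported)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True,
    )
    return check_signature(proc.stdout, expected_fingerprint)   # status lines go to stdout


# Fingerprint from the article's verify run (what you would pin after
# checking it against the developer's published fingerprint).
WASABI_FPR = "21D7 CA45 565D BCCE BE45 115D B4B7 2266 C47E 075E"

# Constructed status output modelled on the article's run; not captured from gpg.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B4B72266C47E075E Ficsór Ádám
[GNUPG:] VALIDSIG 21D7CA45565DBCCEBE45115DB4B72266C47E075E 2018-10-31 1540972489 0 4 0 1 8 00 21D7CA45565DBCCEBE45115DB4B72266C47E075E
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed: the same archive after one byte changed, so gpg reports BADSIG.
TAMPERED_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG B4B72266C47E075E Ficsór Ádám
"""
# Constructed: a valid signature from a key we never pinned. A naive grep for
# "Good signature" would accept this; the fingerprint check rejects it.
OTHER_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEFDEADBEEF Someone Else
[GNUPG:] VALIDSIG DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF 2018-10-31 1540972489 0 4 0 1 8 00 DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    for label, status in (("original", GOOD_STATUS),
                          ("tampered", TAMPERED_STATUS),
                          ("other key", OTHER_KEY_STATUS)):
        ok, reason = check_signature(status, WASABI_FPR)
        print(f"{label:10s} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

In real use you would call verify_file("WasabiLinux.tar.gz.asc", "WasabiLinux.tar.gz", WASABI_FPR) after importing the key as described above; the three constructed cases show the outcomes a practitioner cares about: the untouched archive is accepted, a modified archive fails with BADSIG, and a signature from a substituted key is rejected even though gpg itself prints "Good signature" for it.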
As for installing and using the Wasabi wallet, that is probably best left for another article, however, for those that just want to go ahead and install, the commands are as follows:
[asus@17laptop walletcode]$ tar -xpvf WasabiLinux.tar.gz
[asus@17laptop walletcode]$ ./WasabiLinux/wassabee
Enjoy!!
Excellent article. Thank you!