SHA 256 and GPG for Bitcoiners

Bitcoiners don’t trust, they verify, and they do their best to remain private. So, understanding some basics of GPG is crucial. GPG is a gift, just like Bitcoin – it’s worth your time to learn a little. If you pay attention, read carefully, and learn in small steps, then it’s not that difficult. Having very basic command line skills is a prerequisite. This can be learned here for Linux and Mac (they both use Unix), and here for Windows.

As you learn, you should actually perform the commands. Doing, not just reading, helps you absorb the information.

Terminology

  1. SHA 256 stands for Secure Hash Algorithm. It is a cryptographic hash function (Wikipedia), and it is worth at least reading the introductory text to this Wikipedia article if you have no idea what that means (It’s possible to do a hash by hand, but don’t – see guide for some craziness).
  2. GNU is an extensive collection of free software, including an operating system (eg Linux) and individual programs. GNU stands for “GNU’s Not Unix”, a recursive acronym. Unix is commercial software; GNU is open source.
  3. Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.
  4. GNU Privacy Guard (GnuPG or GPG) is a free-software replacement for Symantec’s PGP cryptographic software suite. 

SHA 256

SHA 256 is used in Bitcoin mining proof-of-work, but that is a different use from what I’m discussing here.

When we download software, one way to check that the program we downloaded has not been tampered with is to hash the file (commonly with SHA 256), and compare the digital fingerprint output with the published output from the website we are downloading from. If the output is identical, we can be sure that the file we downloaded is identical to the website provider’s version of the software (down to the last bit of data).

While this reduces the chance of you downloading malicious software, it doesn’t help if you are downloading from an attacker’s website. That’s because an attacker will provide you with fake software, and a hash of the fake software. So all you’ll be doing is proving you are getting genuine malicious software! To protect from this attack, you should confirm that you are definitely at the right web address, AND use GPG – I’ll explain later.

First, it’s good to know how to check the hash output using SHA 256.

Linux

For Linux, you don’t need to install anything. Just open terminal and run commands from there.

shasum -a 256 xxxxxxxxxxxxxxx

Replace xxxxxxxxxxxxxxx with the path to the file you want to hash. If you are in the directory of the file, just type the file name. Otherwise, type the full path. If this makes no sense, go back to the first paragraph, find the links, and learn about command line. Don’t skip that step.

There will be an output in the terminal. Check that output with the published result. It should be identical.

Mac

For Mac, the command is the same as Linux.

There will be an output in the terminal. Check that output with the published result. It should be identical.
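A scripted version of this comparison for Linux and Mac, added here as an example (it is not part of the original guide). The function names are hypothetical, and the demo file holding the bytes abc is constructed so that its hash is the well-known SHA 256 test value.

```shell
#!/bin/sh
# Added example: let the shell compare the hashes instead of your eyes.

# Print the lower-case hex SHA-256 of FILE. Reading via stdin avoids
# surprises with odd file names; falls back to shasum if sha256sum is absent.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 < "$1" | cut -d ' ' -f 1
    fi
}

# Normalise a hash copied from a web page: drop whitespace, lower-case it.
norm_hash() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# check_sha256 FILE PUBLISHED_HASH
# Returns 0 on an exact match, 1 on a mismatch, 2 if the input is unusable.
check_sha256() {
    want=$(norm_hash "$2")
    case "$want" in *[!0-9a-f]*) return 2 ;; esac   # not hex
    [ "${#want}" -eq 64 ] || return 2               # truncated paste
    [ -f "$1" ] || return 2                         # no such file
    [ "$(file_sha256 "$1")" = "$want" ]
}

# Demo on a constructed file holding the three bytes "abc".
demo=$(mktemp)
printf 'abc' > "$demo"
if check_sha256 "$demo" "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"; then
    echo "hash matches"
else
    echo "HASH MISMATCH - do not install"
fi
rm -f "$demo"
```

A return value of 2 means the check could not be done (for example a hash that was only partly copied), which is different from a real mismatch.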

Windows

In the command prompt, type:

C:\> certutil -hashfile xxxxxxxxxx sha256

Do replace xxxxxxxxxx with the path to the file you want to hash, eg

C:\> certutil -hashfile C:\file.img sha256

There will be an output in the terminal. Check that output with the published result. It should be identical.

How GPG is used to sign genuine software.

Using gpg, anyone can produce a private and public gpg key. Think of an author’s gpg public key like a Bitcoin address, and the GPG private key like a Bitcoin private key. You can create a Bitcoin private/public key easily, and you can do the same for a GPG private/public key.

The author of a piece of software publishes his public key (like a bitcoin address) to key servers (more than 1), and the key is labelled with his/her email address. It is difficult for an attacker to claim their version of an author’s public key is genuine, because the real copy is widespread and easy to access and verify. There are identical copies in many places.

An author can sign a piece of software with his/her private key and produce a signature, and only the author can do this. Just like the act of spending from a bitcoin address, only the private key holder can sign. What is produced is a text file, similar to a bitcoin transaction that gets published to the blockchain.

Read the next paragraph carefully, more than once if needed:

Anyone can use the author’s public key (widely available) to verify that the signature text file was indeed produced by the corresponding private key – again very similar to how Bitcoin works. What they actually do is take the software that was downloaded and the public key of the author and, by mashing them together with the gpg software, check that the signature text file is valid (that the private key signed the software file and produced the exact signature file). Another way to say it is that the verification proves the text file was produced by the author’s private key, AND that the software hasn’t been altered since the author made the signature.

By doing this, not only is the software downloaded untampered, but the author is verified as well – we do this by either checking his/her key is the same in multiple places, or, one can ask the author directly, eg over the phone or email communication, what his/her key is.

So next I’ll show how to download gpg, then verify using gpg. How to produce signatures is outside the scope of this article, and can be easily found with a google search. We’ll stick to the basics of verifying genuine software.

Download GPG

LINUX

GPG is usually already installed. If not, use this command in terminal (on Ubuntu or Debian):

apt-get install gnupg

Sometimes, “sudo” needs to be added first, which stands for “super user do”, which gives administrator privileges.

For Red Hat, use this:

yum install gnupg

Again, you may need to add “sudo” at the start.

Mac

For Mac, you can either do it the simple way or the very slightly harder way. The easy way is to download and install “GPG Suite” – it’s free unless you also want the email tools (no need). This will give you the command line tools you need.

Alternatively, the ever so slightly harder way, is to use the terminal. First, make sure a Mac package manager is installed (Homebrew) – Install using this command (copy and paste into terminal):

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Then, this command to install gpg:

brew install gnupg

You will then have the command line tools you need, installed.

Windows

First, download and install Gpg4win. It’s free. There is a donation page before downloading, you can select $0 to proceed.

When installing, you can uncheck all the boxes except the first.

Once installed, you’ll have access to the necessary tools via the command line. You don’t need the graphical user interface.

Verification with GPG

On Linux, Mac, or Windows, the commands and procedure are the same. You import someone’s (author’s) public key (into your computer’s gpg keyring) in the terminal like this:

gpg --import xxxxxxxxxx

xxxxxxxxxx is the exact path and filename of the key file. It usually ends in .asc, but sometimes Windows adds a “.txt”, eg authorKey.asc.txt – that doesn’t matter, as long as you type the file name accurately. In fact, it’s always best to begin typing the filename, and then hit <TAB> to autocomplete. This ensures no spelling errors, and saves time too.

You can list the keys you already have in your keyring like this:

gpg --list-keys

The next thing to do is download the file of the program you want, and note its location on your computer.

Then download the author’s signature file (signature file of the software, produced by using their private key on the downloaded file) – do not confuse “signature” with “key” – and note its location. It’s usually best to put the signature in the same folder as the program you just downloaded.

Then open terminal and navigate to the directory where the program file and the signature is located (otherwise you’ll have to type the full path of each file in the following command, and that’s tedious).

Then type this command:

gpg --verify xxxxxxxxxx zzzzzzzzzz

xxxxxxxxxx is the filename of the signature

zzzzzzzzzz is the filename of the program you are checking.

You will see that some online instructions do not include this zzzzzzzzzz component. That’s because usually the filename of the signature and the program is the same, only differing by a “.asc” at the end of the signature. If that is the case, you don’t need the zzzzzzzzzz component. But if the file names are different (eg electrum-personal-server downloads are like this), then you need to either rename the files you downloaded so they match, or you just type the command out in full like I’ve shown. I have no idea why this is not more clearly explained in gpg instructions of various download pages.

For the command above, you don’t have to enter the name of the public key. That’s already in your gpg keyring – the gpg program takes care of that in the background.

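If the signature is genuine, you’ll get an output which includes the text “Good signature from … ” – then you can be satisfied. There is usually a warning after this saying the key is not certified with a trusted signature. It means you have not marked the key as trusted in your own keyring, not that the signature is bad; as long as you have checked the author’s key as described above, it can be ignored and is directed to the more advanced user playing with more gpg options.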
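“Good signature” only says that some key in your keyring signed the file, so the check can be tied to the author’s key by its fingerprint. The script below is an added example, not part of the original guide: the function names are hypothetical, and the status lines, key IDs and fingerprints are constructed samples of what gpg prints with --status-fd.

```shell
#!/bin/sh
# Added example: accept a download only if the signature is good AND it was
# made by the key whose fingerprint you confirmed with the author.

# Constructed sample of `gpg --status-fd 1 --verify` output (not real keys).
# VALIDSIG: first value = signing (sub)key, last value = primary key.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Author <author@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Fingerprints are often published in groups of four; make them comparable.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read gpg status lines on stdin; print the primary-key fingerprint only
# when both GOODSIG and VALIDSIG were reported (bad, expired-key and
# revoked-key signatures produce no GOODSIG line).
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
         END { if (good && fpr != "") print fpr }'
}

# fpr_matches EXPECTED_FINGERPRINT   (gpg status lines on stdin)
fpr_matches() {
    got=$(signer_fpr)
    [ -n "$got" ] && [ "$got" = "$(norm_fpr "$1")" ]
}

# verify_pinned SIGNATURE FILE EXPECTED_FINGERPRINT
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | fpr_matches "$3"
}

# Demo on the constructed status lines above.
if printf '%s\n' "$SAMPLE_STATUS" | fpr_matches '0123 4567 89AB CDEF 0123 4567 89ab cdef 0123 4567'; then
    echo "good signature from the pinned key"
fi
```

For a real download, call verify_pinned with the signature file, the program file and the fingerprint you confirmed in more than one place.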

Video Example

This is a video showing me download, gpg verify, and install/run Electrum Desktop Wallet on a Mac:

This is a video showing me download and install GPG4Win, and download and verify Electrum Desktop Wallet on Windows.

Conclusion

I hope by following this guide you have learned a thing or two about GPG signatures. If you just read it only, I encourage you to go through it again, and actually practice typing out and using some of the commands to help your understanding and learning.

Getting good at this comes with repetition. If you always check signatures when you download files, and refer to this page when needed, you’ll get good at this and it will become second nature.

If you want a more advanced understanding of gpg, you can learn more here. This was one of the first articles I read on the subject, and it was quite well written.
