Use official HyperDEX PGP key when signing checksums #440

Merged
lukechilds merged 1 commit into master from official-signing-key on Jul 23, 2018

3 participants
@lukechilds
Member

lukechilds commented Jul 23, 2018

@kevva @sindresorhus You will need the HyperDEX PGP key I sent you securely imported into your GPG keychain.

You can then run ./signedchecksum and it'll pull down the latest release assets, create a shasum, and sign it with the official HyperDEX PGP key.

You will be prompted for the HyperDEX PGP key password I also sent you securely.

It will dump a file for you to upload that looks like this:

SHASUMS256.txt.asc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

18fdeac429fae43c9af4c25f8f4baa493da5351681b24cd7f6804e80980905e5  HyperDEX-0.1.0-alpha.10.dmg
df7ca6abdda3fb3bb3338658cac028b455b561730a251d0416fb1e6c989b1b5f  HyperDEX.Setup.0.1.0-alpha.10.exe
4759a90f6c864af94101c35722677c24ca512c767810f702ce93c41f64b1aad6  SHASUMS256.txt.asc
7bfb522b8258fc2342a68dcf7ddaf68a4b0b571821ae2e9045130bd5923d9c17  hyperdex-0.1.0-alpha.10-x86_64.AppImage
a32ddf90140a932a51413515f237bf9e9b513b9ac835214b45a96bbba8ce7cb6  hyperdex-0.1.0-alpha.10.x86_64.rpm
14915c75fa03d6f72530f8ad2f74375dbaf7d735a55174778b70a3e26c6df4a6  hyperdex_0.1.0-alpha.10_amd64.deb
-----BEGIN PGP SIGNATURE-----

iQFMBAEBCAA2FiEEZshTVOwO5HdxZqvChHsHDQ0f3cEFAltVrtYYHGh5cGVyZGV4
QHByb3Rvbm1haWwuY29tAAoJEIR7Bw0NH93Bi68H/ikvwFpu6dlwq4iFddfBAOYc
8jWLoxaIFAzs1g73YdeA1Si6rJZyiidBeCLeSquAWElok/Rg2U7oEfVC3XIeixGM
e0+EGn4u1eFuHGCbQIJtBu1n9ds+GtHej6Pf98qSXcpFL0IgyjaDB4JdkU88iqGU
o2pJlZkNJ/ml3AbeN1gUEM47IF/NNYuNcRx0dTOcWhN1Bvny4abzWDoV14WT8cBq
SC1mydZSzCjms5M9F6UdJwbBCOe8Wt9HGoV15NG6/sGcN+Zczp5gQndmSsJq8tMO
kCwnCLNC8EpMvyXwPfNxZil1XDcbz1wrH/hGlIWTm4/H5EXq3weS/SnWvcuorio=
=g0Ri
-----END PGP SIGNATURE-----

And can be verified like this:

$ gpg --verify SHASUMS256.txt.asc
gpg: Signature made Mon 23 Jul 11:32:54 2018 BST
gpg:                using RSA key 66C85354EC0EE4777166ABC2847B070D0D1FDDC1
gpg:                issuer "hyperdex@protonmail.com"
gpg: Good signature from "HyperDEX <hyperdex@protonmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5530 AEF6 E7F1 8A54 1054  0B9D 31DB EB37 BF19 9A3C
     Subkey fingerprint: 66C8 5354 EC0E E477 7166  ABC2 847B 070D 0D1F DDC1

Or at https://keybase.io/verify.

Can you try this and let me know if you have any problems?

@lukechilds lukechilds requested review from sindresorhus and kevva Jul 23, 2018

@kevva


Member

kevva commented Jul 23, 2018

Works fine!

❯ gpg --verify SHASUMS256.txt.asc
gpg: Signature made Mon Jul 23 13:20:57 2018 CEST
gpg:                using RSA key 66C85354EC0EE4777166ABC2847B070D0D1FDDC1
gpg:                issuer "hyperdex@protonmail.com"
gpg: Good signature from "HyperDEX <hyperdex@protonmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5530 AEF6 E7F1 8A54 1054  0B9D 31DB EB37 BF19 9A3C
     Subkey fingerprint: 66C8 5354 EC0E E477 7166  ABC2 847B 070D 0D1F DDC1
@kevva

kevva approved these changes Jul 23, 2018

@sindresorhus


Member

sindresorhus commented Jul 23, 2018

Seems to work:

❯ gpg --verify SHASUMS256.txt.asc
gpg: Signature made Mon Jul 23 20:53:43 2018 +07
gpg:                using RSA key 66C85354EC0EE4777166ABC2847B070D0D1FDDC1
gpg:                issuer "hyperdex@protonmail.com"
gpg: Good signature from "HyperDEX <hyperdex@protonmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5530 AEF6 E7F1 8A54 1054  0B9D 31DB EB37 BF19 9A3C
     Subkey fingerprint: 66C8 5354 EC0E E477 7166  ABC2 847B 070D 0D1F DDC1
@lukechilds


Member

lukechilds commented Jul 23, 2018

If you were wondering, the:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

is expected and perfectly normal. It's just saying this validates with that signature, but it can't guarantee the signature truly belongs to HyperDEX. You can remove the warning by manually approving the HyperDEX key:
https://www.gnupg.org/gph/en/manual/x334.html

@lukechilds lukechilds merged commit 6f57087 into master Jul 23, 2018

@sindresorhus sindresorhus deleted the official-signing-key branch Jul 23, 2018
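The procedure from the PR description (hash the release assets into a checksum list, clearsign it with the release key, verify with `gpg --verify`) together with the note above about the "not certified" warning, worked as an added example. This is not the project's `./signedchecksum` script and not any maintainer's code. It assumes GnuPG 2.1+ (`gpg`, `gpgconf`), GNU `sha256sum`, `awk` and `mktemp`; the signing key, the `signer@example.invalid` user ID, the file names and their contents are constructed for the demo. Instead of removing the warning by locally signing the key, it pins the publisher's primary-key fingerprint (for HyperDEX that would be the `5530 AEF6 …` value shown in the outputs above) and then checks the downloaded assets against the signed list, which `gpg --verify` on its own never does:

```shell
#!/bin/sh
# Added example, not the project's ./signedchecksum script: build, clearsign
# and strictly verify a SHASUMS256.txt. Assumes GnuPG 2.1+ (gpg, gpgconf),
# GNU coreutils sha256sum, awk and mktemp. The signing key, user ID and
# release files below are constructed for the demo; a real release pins the
# publisher's primary-key fingerprint obtained out of band.
set -eu

# Create a throwaway keyring with an unprotected ed25519 signing key so the
# example runs offline. Sets GNUPGHOME for the rest of the script.
setup_keyring() {
  GNUPGHOME="$(mktemp -d)"
  export GNUPGHOME
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Example Signer <signer@example.invalid>' ed25519 sign never
}

# Print the primary-key fingerprint (40 hex chars) of the demo key; this is
# the value a release process publishes and consumers pin.
key_fingerprint() {
  gpg --batch --with-colons --list-keys signer@example.invalid \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Hash the given release assets into SHASUMS256.txt and clearsign it with the
# key whose fingerprint is $1, producing SHASUMS256.txt.asc in the cwd.
sign_checksums() {
  fpr="$1"; shift
  sha256sum "$@" > SHASUMS256.txt
  gpg --batch --yes --pinentry-mode loopback --passphrase '' \
      --local-user "$fpr" --clearsign --output SHASUMS256.txt.asc SHASUMS256.txt
}

# Strict verification. "Good signature" plus the "not certified" warning only
# says the file was signed by *some* key in the local keyring; the real check
# is that the signer's primary fingerprint equals the pinned value.
# Return codes: 1 bad/missing signature, 2 wrong key, 3 asset mismatch.
verify_release() {
  expected="$1"
  # --decrypt on a clearsigned file writes the signed body out and verifies
  # it; machine-readable status lines go to fd 3.
  gpg --batch --yes --status-fd 3 --output SHASUMS256.verified \
      --decrypt SHASUMS256.txt.asc 3> gpg.status 2> /dev/null || return 1
  # Status format: [GNUPG:] VALIDSIG <sigkey-fpr> <date> <ts> ... <primary-fpr>
  primary="$(awk '$2 == "VALIDSIG" { print $NF; exit }' gpg.status)"
  [ "$primary" = "$expected" ] || return 2
  # Only now trust the hash list, and check every listed asset against it.
  sha256sum -c --quiet SHASUMS256.verified || return 3
}

# End-to-end demo on constructed assets, including a tampered one.
demo() {
  work="$(mktemp -d)"
  cd "$work"
  printf 'stand-in for a .dmg release asset\n' > example.dmg
  printf 'stand-in for an AppImage release asset\n' > example.AppImage
  setup_keyring
  fpr="$(key_fingerprint)"
  sign_checksums "$fpr" example.dmg example.AppImage
  cat SHASUMS256.txt.asc
  verify_release "$fpr" && echo "OK: signed by pinned key $fpr, all assets match"
  printf 'backdoored build\n' > example.dmg
  verify_release "$fpr" || echo "REJECTED: rc=$? (signature still good, asset hash changed)"
  gpgconf --kill gpg-agent 2> /dev/null || true
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh verify-release.sh demo` (the file name is arbitrary). The point to keep from it: `gpg --verify` exits 0 and prints `Good signature` for any key present in the keyring, so a script that stops there accepts a checksum file signed by whatever key was imported last. The `VALIDSIG` comparison is what binds the release to the fingerprint HyperDEX publishes, and once that fingerprint has been confirmed out of band the warning can be ignored or removed with `gpg --lsign-key` as the comment above suggests.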

SC1mydZSzCjms5M9F6UdJwbBCOe8Wt9HGoV15NG6/sGcN+Zczp5gQndmSsJq8tMO
kCwnCLNC8EpMvyXwPfNxZil1XDcbz1wrH/hGlIWTm4/H5EXq3weS/SnWvcuorio=
=g0Ri
-----END PGP SIGNATURE-----
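Review bot: the committed content here is only the tail of an ASCII-armored PGP signature (two base64 lines, the `=g0Ri` CRC line and the END marker) with no BEGIN header or signed body, so it is not a verifiable signature and looks like the sample output from the PR description pasted into the commit; it should be removed from the merged change.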


@sindresorhus

sindresorhus Jul 23, 2018

Member

@lukechilds Did you mean to commit this? I had assumed you would remove it before merging.


@lukechilds

lukechilds Aug 6, 2018

Member

Whoops, no I didn't 🤦‍♂️

kevva added a commit that referenced this pull request Jul 25, 2018

Merge branch 'master' of github.com:hyperdexapp/hyperdex into show-de…
…cimal

* 'master' of github.com:hyperdexapp/hyperdex:
  Add menu item to report a security issue (#439)
  Use official HyperDEX PGP key when signing checksums (#440)
  Fix Help menu capitalization
  Fix the conditional menu logic for Windows and Linux
  Add success/fail color to the progress bar in the swap modal (#436)
  Pass `ref` to password input in `SeedPhraseModal` (#433)