Installation instructions include the possibility to verify the authenticity of the download, but require the download of the ‘signed_sha256_hashes.txt’ file, which I can’t find on the GitHub page; the PGP file is there, though.
Anyone know where to find the signed_sha256_hashes.txt…??
The PGP file is the sha256 hash file signed with a public key. It is a file you need. Just download that file and Manfred’s public key (also available for download on GitHub as F379A1C6.asc) and check the signature. You can import the key using the command-line program gpg. Type “gpg --import F379A1C6.asc” to import Manfred’s public key and type “gpg --verify <name_of_signature file>” to verify your download.
To be more sure the key is correct, the fingerprint is 1DC3 C8C4 316A 698A C494 039C F5B8 4436 F379 A1C6. You can check that with “gpg --fingerprint F379A1C6”.
Thanks for your reply,
gpg --fingerprint F379A1C6 gives the fingerprint as you have there. I have done gpg --import F379A1C6.asc
but I can’t get verify to work (I’m not entirely sure of the usage) but:
gpg --verify Bitsquare-64bit-0.4.9.9.3.deb
& also: gpg --verify F379A1C6.asc Bitsquare-64bit-0.4.9.9.3.deb
gpg: verify signatures failed: unexpected data
any help much appreciated…!
You need to specify the signature file “gpg --verify Bitsquare-64bit-0.4.9.9.3.deb.asc”. There is a second argument for the file that is being verified, but it will assume that it is “Bitsquare-64bit-0.4.9.9.3.deb”.
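Added example, not part of the thread or the project's own tooling: a shell wrapper that passes the signature file and the download to gpg explicitly and accepts the result only if the valid signature comes from the fingerprint quoted above. The function names and the sample status lines are constructed for illustration; the wrapper assumes a gpg that prints the primary-key fingerprint as the last field of its VALIDSIG status line.

```shell
#!/bin/sh
# Fingerprint as quoted earlier in the thread.
EXPECTED_FPR="1DC3 C8C4 316A 698A C494 039C F5B8 4436 F379 A1C6"

# Constructed sample of `gpg --status-fd 1 --verify` output (dates are made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F5B84436F379A1C6 Constructed User
[GNUPG:] VALIDSIG 1DC3C8C4316A698AC494039CF5B84436F379A1C6 2017-01-01 1483228800 0 4 0 1 8 00 1DC3C8C4316A698AC494039CF5B84436F379A1C6'

# Strip whitespace and uppercase so two fingerprints compare exactly.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read gpg status lines on stdin and print the last field of the first
# VALIDSIG line (the primary-key fingerprint). Prints nothing if absent.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# status_matches STATUS_TEXT EXPECTED_FPR
# Succeeds only if the status text reports a valid signature by that key.
status_matches() {
    got=$(printf '%s\n' "$1" | validsig_fpr)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$2")" ]
}

# verify_download SIGNATURE_FILE DOWNLOADED_FILE
# Names both files explicitly; the signature file comes first.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    status_matches "$status" "$EXPECTED_FPR"
}

# Usage, after `gpg --import F379A1C6.asc`:
#   verify_download Bitsquare-64bit-0.4.9.9.3.deb.asc Bitsquare-64bit-0.4.9.9.3.deb \
#       && echo "signature OK" || echo "DO NOT INSTALL"
```

Checking the fingerprint in the status output matters because a bare “gpg --verify” reports success for a good signature from any key in the keyring, not only the one you meant to trust.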