Verifying signatures is a crucial security practice for all Bitcoin-related software: complete guide.
Signature verification is the procedure that lets you confirm that the file you downloaded is the one the developer actually released, and that it has not been altered in transit or swapped on a compromised download server.
To verify a software signature, it is necessary to obtain the public key of the software creator.
Usually, the public key is obtained from the software producer’s website or the developer’s social media profiles. Since an attacker who can replace the download can usually also replace a key published next to it, cross-check the key’s fingerprint against at least one independent source (for example the developer’s Keybase profile and the project’s website) before trusting it.
To understand how to verify a software signature, in this guide we will verify the signature of the Sparrow desktop wallet.
The first two methods use the terminal and are described for Linux and macOS (the same gpg commands also work in a Windows command prompt once Gpg4win is installed). Windows users who prefer a graphical tool should follow the third method.
Method n.1 for Linux and macOS
Download the installation file for your operating system from the official Sparrow website, together with the release manifest (for example sparrow-1.9.1-manifest.txt, which lists the SHA-256 hashes of the release files) and its detached signature. The signature file always ends with the .asc extension (sparrow-1.9.1-manifest.txt.asc).
Download the public key of the software developer using the command wget public_key_link. By doing an Internet search, we find the official Keybase account of Craig Raw, the developer of Sparrow, with his public key and related fingerprint: https://keybase.io/craigraw/pgp_keys.asc.
To download the public key, type the command: wget https://keybase.io/craigraw/pgp_keys.asc
Use the ls command to check that the file has been downloaded to the folder.
Import the public key with the command: gpg --import public_key_filename. In this case, type: gpg --import pgp_keys.asc
Check that the public key was successfully imported with the command: gpg --list-keys (on older gpg versions add --fingerprint so that the full 40-hex-digit fingerprint is printed rather than only the short key ID).
Make sure that the downloaded wallet file and the signature file are in the same folder (e.g., the Downloads folder).
Verify the signature with the command: gpg --verify signature_file. gpg finds the signed file by removing the .asc extension, so the manifest must sit next to its signature.
In this case, type: gpg --verify sparrow-1.9.1-manifest.txt.asc
A successful run prints "Good signature from ..." followed by the primary key fingerprint. Verify that this fingerprint matches the one displayed on the wallet’s website, and check that the signature details, such as the date and time, correspond to those on the wallet’s site. A warning that the key "is not certified with a trusted signature" is expected: it only means you have not told gpg that you trust this key, and the fingerprint comparison is what settles that. Finally, remember that this signature covers the manifest, not the installer: compare the installer’s SHA-256 hash with its entry in the manifest (sha256sum --check sparrow-1.9.1-manifest.txt --ignore-missing on Linux, shasum -a 256 --check sparrow-1.9.1-manifest.txt on macOS), otherwise a tampered installer placed next to a genuine manifest would go unnoticed.
Method n.2 for Linux and macOS
Unlike the previous method, this procedure retrieves the public key from a public key server, such as keys.openpgp.org, instead of from the software manufacturer’s website or the developer’s social media profiles.
- On the keys.openpgp.org site, paste the fingerprint of the public key found on the developer’s Keybase profile.
- Click Search, and the server will tell you if the public key is available on the key server.
Now open the terminal and type:
gpg --recv-keys FINGERPRINT: this command imports the public key to your PC from the configured key server (keys.openpgp.org is the default in current gpg releases; on older versions name it explicitly with gpg --keyserver hkps://keys.openpgp.org --recv-keys FINGERPRINT). In this case, type:
gpg --recv-keys D4D0D3202FC06849A257B38DE94618334C674B40
With the command gpg --list-keys, you can see which public keys you have imported to your PC.
Download the release manifest and its detached .asc signature from the official wallet website, together with the installer, and keep them in the same folder.
To verify the signature, always use the command gpg --verify signature_file. In this case, type: gpg --verify sparrow-1.9.1-manifest.txt.asc
Verify that the fingerprint printed after the "Good signature" line matches the one listed on the wallet’s website, and check the signature details, such as date and time, against those on the wallet’s site. Then compare the installer’s SHA-256 hash with the manifest entry (sha256sum --check sparrow-1.9.1-manifest.txt --ignore-missing): the signature authenticates the manifest, and only this comparison ties the installer you downloaded to it.
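The checks from both terminal methods, collected into one POSIX shell script as an added example (this is not Sparrow’s own tooling and is not part of the original guide). Instead of reading the human-readable output, it parses gpg’s machine-readable status lines, because "Good signature" is localized and is also printed for keys nobody has checked; it then compares the installer’s SHA-256 hash against the signed manifest, the step that actually binds the download to the signature. The fingerprint is the one quoted above; the function names, the sha256sum-style manifest format ("<hash>  <filename>") and the installer file name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: the Method 1/2 verification as a script (not Sparrow's code).
# Assumptions: the developer's key is already imported (wget + gpg --import, or
# gpg --recv-keys as described above) and the manifest uses sha256sum's
# "<hash>  <file>" line format.
set -eu

# Primary key fingerprint copied from the developer's Keybase profile (see text).
EXPECTED_FPR="D4D0D3202FC06849A257B38DE94618334C674B40"

# normalize_fpr: drop the spaces gpg and Keybase insert for readability and
# upper-case the hex, so "d4d0 d320 ..." and "D4D0D320..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# check_validsig: read "gpg --status-fd 1 --verify" output on stdin and succeed
# only if a VALIDSIG line names the expected PRIMARY key fingerprint (its last
# field). gpg emits VALIDSIG only for a cryptographically good signature, and
# the fingerprint check is what ties that signature to the developer's key.
check_validsig() {
    expected=$(normalize_fpr "$1")
    found=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # Fields: [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <expire> <ver>
                #         <reserved> <pk-algo> <hash-algo> <class> <primary-key-fpr>
                set -- $line
                primary=$(normalize_fpr "${12:-}")
                [ "$primary" = "$expected" ] && found=1
                ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# sha256_of: print a file's SHA-256 with whichever tool the platform ships
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_manifest: succeed only if the manifest has a line for the file's
# basename and the recorded digest equals the file's actual digest.
check_manifest() {
    manifest=$1
    file=$2
    name=$(basename "$file")
    expected_hash=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
    if [ -z "$expected_hash" ]; then
        echo "no entry for $name in $manifest" >&2
        return 1
    fi
    actual_hash=$(sha256_of "$file")
    [ "$actual_hash" = "$expected_hash" ]
}

# verify_release: the complete check. gpg infers the signed file by stripping
# .asc, so the manifest must sit next to its signature. Requires gpg on PATH.
verify_release() {
    sig=$1
    installer=$2
    manifest=${sig%.asc}
    if ! gpg --status-fd 1 --verify "$sig" 2>/dev/null | check_validsig "$EXPECTED_FPR"; then
        echo "signature on $manifest is missing, bad, or made by another key" >&2
        return 1
    fi
    if ! check_manifest "$manifest" "$installer"; then
        echo "$installer does not match the signed manifest" >&2
        return 1
    fi
    echo "OK: $installer is the file covered by the developer's signature"
}

# Usage, from the Downloads folder (installer name assumed):
#   sh verify.sh sparrow-1.9.1-manifest.txt.asc Sparrow-1.9.1.deb
if [ $# -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

Two design points: VALIDSIG’s last field is the primary key fingerprint even when the release was signed with a subkey, which is why the script compares that field rather than the first one; and the script deliberately fails closed when the manifest has no line for the installer, since "nothing to compare" is not a pass.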
Method for Windows
To verify software signatures on Windows, you need to download the Gpg4win program from the official website.
Once you have installed the software, download the Windows version of Sparrow, the release manifest (sparrow-1.9.1-manifest.txt) and its detached signature (sparrow-1.9.1-manifest.txt.asc). Place these three files in the same folder.
Download the developer’s public key from the link: https://keybase.io/craigraw/pgp_keys.asc.
To download it to your PC, copy all the text of the public key, paste it into a text editor (for example: Notepad), and save it as pgp_keys.asc in the same folder as the three previously downloaded files.
Make sure that the checkbox for File name extensions is enabled so that you can easily distinguish between the various files in the file manager.
The first operation to perform is to import the public key. Right-click on the public key file, go to More GpgEX options, and click on Import keys.
To certify the public key, you first need to create an OpenPGP certificate for yourself. Right-click on the public key you just imported and click on Certify. A prompt will appear asking you to create a self-generated OpenPGP certificate. Click on Create to proceed. Enter the desired name in the Name field (for example: test), and click OK.
Click OK again to complete the certificate generation.
Right-click on the public key you just imported and click on Certify to record that the developer’s public key truly belongs to him. Do this only after you have compared the key’s fingerprint with the one published on the wallet’s website and on the developer’s Keybase profile: certification is your own statement of trust, and Kleopatra will not report a signature from an uncertified key as fully trusted.
To verify the signature, right-click on the signature file, go to More GpgEX options, and click on Verify.
Once the verification process is complete, a green screen will appear displaying the signature details and the developer’s information.
Check that the fingerprint matches the one on the wallet’s website. Also, verify that the signature details, such as the date and time, correspond with those listed on the wallet’s site. As in the terminal methods, the signature covers the manifest rather than the installer, so finish by computing the installer’s SHA-256 hash (certutil -hashfile <installer> SHA256 in a command prompt, or Get-FileHash <installer> in PowerShell) and comparing it with the installer’s entry in the manifest.