[Bug] GPG verification fails #324
Comments
Please download Selfcustody's openssl public key: We use openssl for signatures because this way we can sign releases and binary files in an airgapped workflow, using a Krux device to sign, with a BIP39 mnemonic key. For next releases I will add the filename to the txt hash file.

I hope you have (edit) an Amigo with you. Here is some other info that might be relevant:
Although of course you are free to sign releases in any way you want (and I understand the requirement for on-device verification), I would encourage you to sign in the same way that all other Bitcoin-related software projects do, using GPG. Getting users to verify downloads is already difficult - using a non-standard verification process is going to make things that much harder. This could be done in addition to the openssl method. I think your second reply here was intended for another issue.

I'll discuss with other contributors the idea of creating (and managing) a PGP key and using it to sign release packages and other apps we may eventually release. The second reply was for you, I thought you could be in the process of flashing a Krux device. Please ignore it if it's not the case.
I second Craig's comments. Additionally there is added confusion because krux installer uses gpg --verify for verification, but the release binaries use the openssl method. Also consider adding your gpg signature to your twitter etc. as well to give other sources of verification. Appreciate all the work on Krux, it's a great project. Thank You.
I've tried verifying the download by downloading the following files:
On MacOS, running

gpg --verify krux-v23.09.1.zip.sig krux-v23.09.1.zip.sha256.txt

gives me:

The manifest also seems to be non-standard, missing the filename of the file being hashed.
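As an added example, not code from the Krux project or from anyone in this thread: a POSIX shell check that does what the reporter was attempting, assuming the signing scheme is an openssl EC signature over the archive's SHA-256 (a detached DER signature, which is not OpenPGP data and so cannot be checked with gpg --verify) and that the manifest holds only the bare hex digest; the key names and the release payload are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the Krux project's own tooling or the reporter's commands.
# Assumptions: the release is signed with openssl using an EC private key over
# the SHA-256 of the archive (a detached DER signature, which is not OpenPGP
# data, so `gpg --verify` cannot check it), and the .sha256.txt manifest holds
# only the bare hex digest with no filename, so `sha256sum -c` cannot read it.
set -eu

# verify_release ARCHIVE MANIFEST SIG PUBKEY_PEM -> 0 if both checks pass, 1 otherwise
verify_release() {
    archive=$1 manifest=$2 sig=$3 pubkey=$4
    # 1. Recompute SHA-256 and compare it with the first field of the manifest.
    want=$(awk 'NR==1 {print $1}' "$manifest")
    got=$(openssl dgst -sha256 -r "$archive" | awk '{print $1}')
    [ -n "$want" ] && [ "$want" = "$got" ] || { echo "sha256 mismatch: $archive" >&2; return 1; }
    # 2. Verify the detached signature over the archive with the publisher's key.
    openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$archive" >/dev/null 2>&1 \
        || { echo "bad signature: $archive" >&2; return 1; }
}

# demo: constructed key pair, archive, manifest and signature in a temp dir;
# returns 0 only if the genuine files verify and a tampered archive is rejected.
demo() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    trap 'rm -rf "$dir"' EXIT
    # secp256k1 matches a BIP39-derived key; fall back to P-256 if the build lacks it
    openssl ecparam -genkey -name secp256k1 -noout -out signer.pem 2>/dev/null \
        || openssl ecparam -genkey -name prime256v1 -noout -out signer.pem 2>/dev/null
    openssl ec -in signer.pem -pubout -out signer.pub.pem 2>/dev/null
    printf 'constructed release payload\n' > release.zip
    openssl dgst -sha256 -r release.zip | awk '{print $1}' > release.zip.sha256.txt
    openssl dgst -sha256 -sign signer.pem -out release.zip.sig release.zip
    verify_release release.zip release.zip.sha256.txt release.zip.sig signer.pub.pem || return 1
    printf 'x' >> release.zip   # tamper: one extra byte must break both checks
    ! verify_release release.zip release.zip.sha256.txt release.zip.sig signer.pub.pem 2>/dev/null
}
```

Against a real release you would call verify_release with the downloaded zip, its .sha256.txt, its .sig and the publisher's PEM public key, obtained out of band.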