Verifying Dash Code QT installer's integrity with GnuPG

cibrigue

cibrigue

New member
Hi!


I'm new to Dash, and I have just downloaded the Dash Core Win/64 installer v12.1.3.

I already had GnuPG so I run this in my download folder where my installer and hash files were:
gpg2.exe --verify SHA256SUMS.asc

And got this:
gpg: Signature made 03/02/17 09:57:45 Central Europe Standard Time using RSA key ID BD8DF332
gpg: Can't check signature: No public key


So my understanding is that the SHA-256 hash matches, but the installer is not signed. Is this normal for the Dash Core client, can I trust it? Can/should I run any other tests before installing?
 
Andras said:
Hi!


I'm new to Dash, and I have just downloaded the Dash Core Win/64 installer v12.1.3.

I already had GnuPG so I run this in my download folder where my installer and hash files were:
gpg2.exe --verify SHA256SUMS.asc

And got this:
gpg: Signature made 03/02/17 09:57:45 Central Europe Standard Time using RSA key ID BD8DF332
gpg: Can't check signature: No public key


So my understanding is that the SHA-256 hash matches, but the installer is not signed. Is this normal for the Dash Core client, can I trust it? Can/should I run any other tests before installing?
Click to expand...

The file is signed, you are just missing my public key in your keyring.

Do

Code: 
gpg2.exe --recv-keys BD8DF332

and retry.
 
Thank you, it worked!

For future reference, I needed to also set the keyserver in my case. So to import your key:
Code: 
gpg2.exe --keyserver pgp.mit.edu --recv-keys BD8DF332

And then to verify the signature of dashcore-0.12.1.3-win64-setup.exe:
Code: 
gpg2.exe --verify SHA256SUMS.asc

I got the following response:
Code: 
gpg: Signature made 03/02/17 09:57:45 Central Europe Standard Time using RSA key ID BD8DF332
gpg: Good signature from "Holger Schinzel <[email protected]>" [unknown]
gpg:                 aka "Holger Schinzel <[email protected]>" [unknown]
gpg:                 aka "Holger Schinzel <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: AF1A E13F 33D0 6F48 7F23  DC81 4B88 269A BD8D F332
 
Thank you - I needed a refresher on this. btw The page I just got the PGP signature from doesn't seem to indicate how to get the appropriate public key - which seems kinda backward...
 
You must log in or register to reply here.
Back
Top