Who signs Dash releases and where is the PGP public key file?

Sven

Member
I see a new wallet release on https://www.dash.org/wallets/. That page also offers a hash file SHA256SUMS.asc to verify the integrity of the releases. The hash file is signed in PGP. So far so good.

I'm using GPG Tools on a Mac and it complains:
"Verification FAILED: Signature can not be verified, because the corresponding public key is missing."

I spent the last 15 minutes looking for a signing policy and/or the proper key files and couldn't find any. So my questions:
  • Who is authorized to sign Dash releases?
  • What is the fingerprint of that person's public key? (The email address is not good enough, as it's trivial for anyone to generate a PGP key pair for any email address.)
  • Is there a policy document or a page where this info is easily accessible and any changes would be noticed?
 
@UdjinM6 currently signs the SHA256SUMS.asc file to verify the integrity of the builds. His PGP public key fingerprints are available at https://keybase.io/udjinm6

You can verify the authenticity of the file using the following commands (for Linux; macOS should be similar if not identical):

Code:
curl https://keybase.io/udjinm6/pgp_keys.asc | gpg --import
wget https://github.com/dashpay/dash/releases/download/v0.12.3.1/SHA256SUMS.asc
gpg --verify SHA256SUMS.asc

This procedure is documented at https://docs.dash.org/en/latest/masternodes/setup.html#option-2-manual-installation and possibly also in the release documentation on GitHub.
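
The following is an added example, not part of the original reply and not Dash's own tooling: a shell script that accepts the signature only when it comes from a pinned fingerprint (the concern raised in the question) and then checks a downloaded file against the signed hash list. PINNED_FPR is a placeholder to be replaced with a fingerprint confirmed through an independent channel; the function names are hypothetical, and `sha256sum` assumes Linux.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a placeholder: replace it with the 40-hex-digit
# fingerprint you confirmed through an independent channel.
PINNED_FPR="0000000000000000000000000000000000000000"

# Read `gpg --status-fd` output on stdin; succeed only if a VALIDSIG line
# names the pinned key as the primary key (last field of VALIDSIG).
validsig_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Compare a file's SHA-256 with its entry in an already verified sums file.
hash_matches() {
    sums=$1; target=$2
    name=$(basename "$target")
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    have=$(sha256sum "$target" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Verify the clearsigned sums file, keep only the signed text, check the download.
verify_release() {
    asc=$1; target=$2
    signed=$(mktemp) || return 1
    if gpg --batch --yes --status-fd 1 --output "$signed" --decrypt "$asc" 2>/dev/null \
            | validsig_matches "$PINNED_FPR" && hash_matches "$signed" "$target"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$signed"
    return $rc
}

# Usage: sh verify.sh SHA256SUMS.asc <downloaded-file>
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then echo "OK: $2"; else echo "FAILED: $2" >&2; exit 1; fi
fi
```

Hashes are read from the text gpg emits after verification rather than from the raw .asc file, so lines outside the signed region are never trusted.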
 
Thanks!
This information should be posted on the download pages or at least be linked to from there.
 
I have a related question:

Is it possible to compile from the source code to produce exactly the same file? This way multiple people could verify that the release isn't modified.
 