Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document package verification process #184

Open
VojtechMyslivec opened this issue Apr 20, 2020 · 1 comment
Open

Document package verification process #184

VojtechMyslivec opened this issue Apr 20, 2020 · 1 comment

Comments

@VojtechMyslivec
Copy link

Although (debian) packages are signed with GPG, there is no documentation how to verify such signatures or packages respectively. Proper GPG keyid is also not documented or published.

This process should be documented, probably on wiki, so any Trezor user can verify downloaded package before installation.
@VojtechMyslivec
Copy link
Author

Documentation for a Debian package verification should look like:

Package verification

DEB package

  1. Install required tools

    $ apt install gnupg dpkg-sig

  2. Import signing key

    $ gpg --recv-keys 86E6792FC27BFD478860C11091F3B339B9A02A3D

    TODO:

    • Double-check used keyID
    • Probably include proper --keyserver ... as well

  3. Verify the package

    $ dpkg-sig --verify trezor-bridge_latest_amd64.deb

  4. Install the package

    # dpkg --install trezor-bridge_latest_amd64.deb

RPM package

macOS package

...

Windows package

...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@VojtechMyslivec