The official Bitum releases have signed hashes that you should check to confirm that they are the same binaries that the developers posted. This page provides instructions for that.
In order to verify binaries or other signed files from the Bitum Project, there are a couple pieces of software required:
- SHA-256 – Once you download your file(s), you need to check their SHA-256 hashes, so you may need to download a tool to do this, depending on your OS.
- GnuPG or PGP – This is required to import public keys and verify signatures. Examples below use GnuPG.
The following instructions should work as is on Linux/UNIX/macOS. Windows users will have to install sha256 and gnupg themselves and use the windows cmd terminal to do this. The steps to verify the binaries are as follows:
Download the file manifest, the signature for the file manifest, and the zip/tarball for your OS from here. Obtain the SHA-256 value for the zip/tarball for your OS and check that it matches the value in the file manifest, e.g. for 64-bit Linux:
no-highlight $ sha256sum linux-amd64-20160127-02.tar.gz 8ffaa268a329890ebf0f96b3cd1bc9f69359e431edbb95d89cec5a605108574b linux-amd64-20160127-02.tar.gz
Compare the value you got in Step One to the value for the file in the manifest file.
Import the Bitum Release Signing Key in GnuPG. You will only need to do this a single time and can skip this when verifying later releases on the same computer.
no-highlight $ gpg --keyserver pgp.mit.edu --recv-keys 0x518A031D gpg: requesting key 518A031D from hkp server pgp.mit.edu gpg: /home/user/.gnupg/trustdb.gpg: trustdb created gpg: key 7608AF04: public key "Bitum Release <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)
Verify the signature for the file manifest is valid and created by the Bitum Release Signing Key:
no-highlight $ gpg --verify manifest-20160127-02.txt.asc gpg: assuming signed data in `manifest-20160127-02.txt' gpg: Signature made Wed 27 Jan 2016 08:56:59 PM UTC using RSA key ID 518A031D gpg: Good signature from "Bitum Release <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: FD13 B683 5E24 8FAF 4BD1 838D 6DF6 34AA 7608 AF04 Subkey fingerprint: F516 ADB7 A069 852C 7C28 A02D 6D89 7EDF 518A 031D
The zip or tarball with binaries for your platform is now verified and you can be confident they were generated by the Bitum Project.