input-output-hk / daedalus

The open source cryptocurrency wallet for ada, built to grow with the community
https://daedaluswallet.io/
Apache License 2.0

MacOS Big Sur - Daedalus Wallet PKG file - GPG Trusted Signature #2436

Open cdoubleu opened 3 years ago

cdoubleu commented 3 years ago

Not sure if this is the right forum for this issue, but here goes... I've been following the instructions on https://daedaluswallet.io/en/download/ to download and install the Daedalus Wallet.

After clicking the "Verify Signature Instructions" link, I've been able to follow all of the steps up to step 7.

In step 7 it states... The Verification Results dialog will then appear with the verdict in the Result column:

In the results dialog that I see...

  1. There is no results column in the dialog
  2. The message I receive is "Trusted signature - IOHK Signing Authority signing.authority@iohk.io" and a key.

Does this mean that the signature for the downloaded pkg file has been verified?

nikolaglumac commented 3 years ago

@ManusMcCole @miorsufianiohk @gabriela-ponce can you please assist us here and explain what the expected result is?

miorsufianiohk commented 3 years ago

Hi @cdoubleu.

I hope that you are well and thank you for contacting us. Could I check that what you saw was similar to the following:

Screenshot 2021-03-04 at 09 31 42

If it is, then the signature is ours, has been verified and can be trusted.

The reason why the expected behaviour on Step 7 is different from what you saw is that we are using 3rd party software, "GPG Suite", to verify signatures. Any updates/changes to the 3rd party software are beyond our control. Unfortunately, the expected behaviour on Step 7 expects users to use the old version of "GPG Suite".

Therefore, I'd suggest that we update the instruction to reflect the new behaviour of "GPG Suite". cc: @nikolaglumac

In the meantime, let us know please if we have solved your issue @cdoubleu. Thank you.

nikolaglumac commented 3 years ago

OK I will notify the web team! Thanks!

cdoubleu commented 3 years ago

> Hi @cdoubleu.
>
> I hope that you are well and thank you for contacting us. Could I check that what you saw was similar to the following:
>
> Screenshot 2021-03-04 at 09 31 42
>
> If it is, then the signature is ours, has been verified and can be trusted.
>
> The reason why the expected behaviour on Step 7 is different from what you saw is that we are using 3rd party software, "GPG Suite", to verify signatures. Any updates/changes to the 3rd party software are beyond our control. Unfortunately, the expected behaviour on Step 7 expects users to use the old version of "GPG Suite".
>
> Therefore, I'd suggest that we update the instruction to reflect the new behaviour of "GPG Suite". cc: @nikolaglumac
>
> In the meantime, let us know please if we have solved your issue @cdoubleu. Thank you.

It's close to what I saw. Same dialogue, but the messaging that I received is not the same. Here's what I received.

Trusted signature IOHK Signing Authority signing.authority@iohk.io 9F98 40B5 0AE5 39A2 732C  F646 C131 557F 1471 941A

The part that has me concerned is the trust level. i.e. "Trusted Signature" vs what you show "Fully Trusted Signature" with the additional "This signature can be trusted" at the bottom.

Can I trust the result I received from verifying the signature?

miorsufianiohk commented 3 years ago

Hi @cdoubleu ,

I hope that you are well and thank you for contacting us again.

I have conducted some investigation and found out that the reason why you received a different dialog was because you had the latest version of GPG Services (Version 2.1), whereas the one that I used before was GPG Services (Version 2.0). Upon upgrading to GPG Services (2.1), I received exactly the same dialog as yours (please see screenshot).

Screenshot 2021-03-05 at 09 30 36

Therefore, if the above dialog matches what you received, rest assured that the signature has been verified as genuine.

I hope this helps. Should you need any further assistance please do not hesitate to contact us again. cc: @nikolaglumac

Kind regards, Mior
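
The question in this exchange turns on two things that GnuPG reports separately: whether the signature is valid for the file, and what trust level the local keyring assigns to the signing key. The script below is an added example, not part of the thread or of the Daedalus instructions; it assumes the command-line `gpg` is available, pins the fingerprint exactly as quoted in the thread, and uses a hypothetical helper `check_status` with constructed status lines.

```shell
#!/bin/sh
# Added example: separate "is the signature valid and from the pinned key?"
# from "how much does my local keyring trust that key?".
# Fingerprint as quoted in the thread, spaces removed.
EXPECTED_FPR="9F9840B50AE539A2732CF646C131557F1471941A"

# check_status (hypothetical helper) reads GnuPG status lines on stdin, e.g.
#   gpg --status-fd 1 --verify FILE.pkg.asc FILE.pkg 2>/dev/null | check_status "$EXPECTED_FPR"
# It returns 0 only for a valid signature made by the pinned key and prints
# the trust level as information; trust never changes the verdict.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = $2 }
        $2 == "VALIDSIG" { signer = $3; primary = $NF }
        $2 ~ /^TRUST_/   { trust = $2 }
        END {
            if (bad != "")    { print "FAIL " bad; exit 1 }
            if (signer == "") { print "FAIL no-valid-signature"; exit 1 }
            if (signer != want && primary != want) {
                print "FAIL unexpected-key " primary; exit 1
            }
            print "OK " (trust == "" ? "TRUST_UNKNOWN" : trust)
        }'
}

# Constructed status output (dates, algorithm fields and the second key are made up).
VALID="[GNUPG:] VALIDSIG $EXPECTED_FPR 2021-03-01 1614556800 0 4 0 1 8 00 $EXPECTED_FPR"
SAMPLE_UNDEFINED="$VALID
[GNUPG:] TRUST_UNDEFINED 0 pgp"
SAMPLE_FULL="$VALID
[GNUPG:] TRUST_FULLY 0 pgp"
OTHER_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SAMPLE_OTHER="[GNUPG:] VALIDSIG $OTHER_FPR 2021-03-01 1614556800 0 4 0 1 8 00 $OTHER_FPR
[GNUPG:] TRUST_ULTIMATE 0 pgp"
SAMPLE_BAD="[GNUPG:] BADSIG C131557F1471941A IOHK Signing Authority <signing.authority@iohk.io>"

# Demo: the first two pass with different trust levels; the last two fail.
for s in "$SAMPLE_UNDEFINED" "$SAMPLE_FULL" "$SAMPLE_OTHER" "$SAMPLE_BAD"; do
    printf '%s\n' "$s" | check_status "$EXPECTED_FPR" || true
done
```

The third sample shows why the fingerprint is pinned: a key marked ultimately trusted in the local keyring still fails when it is not the expected signer.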

cdoubleu commented 3 years ago

@miorsufianiohk Thank you for tracking this down. I'll continue my installation.

I'd like to point you to a discussion that I found on the Cardano forums. It might be a good idea to check in there and let other users know of this issue.

https://forum.cardano.org/t/daedalus-wallet-catalyst-pgp-signature-verification/44925/19

Cheers,

cdoubleu

miorsufianiohk commented 3 years ago

Hi @cdoubleu,

I hope that you are well.

Thank you for the reply and I am glad that we managed to help you out. Thank you also for letting us know about the forum discussion. I believe the forum and the instruction page are currently being dealt with.

In the meantime, if you require further assistance please do not hesitate to contact us again. cc: @nikolaglumac

Kind regards, Mior