nerdvibe / clorio-client

💰 A Mina Protocol Wallet - The most used Mina Protocol wallet.
Apache License 2.0

Checksums for 1.0.0 release say SHA-512 but are actually SHA-256 #79

Closed enolan closed 2 years ago

enolan commented 2 years ago

Here, hashes for some of the release builds are given:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

40ece73a7d63fe3db268f1752f227a2172f69c2bbbcc895b110dc52c7d205556  Clorio-Wallet-1.0.0.AppImage
6c61ddca0130b25ac8fa1fb082d216487b212f173efdb605740f6d156536fb89  Clorio-Wallet-1.0.0.dmg
a27c7fb65c1ee8355221649c18f6fc74d4feecddf5aa92ee6f0c0a289f8962e4  Clorio-Wallet.exe
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.1.13
Comment: https://keybase.io/crypto

-----END PGP SIGNATURE-----

Those are SHA-256 hashes, not 512:

enolan@mondorio ~> sha512sum Downloads/Clorio-Wallet-1.0.0.AppImage 
43cfb3982c38f1715b3c69ea2c90f09a441fc383b9459f4d946ad7c93ed48de93983c2350c6b0b1b3c69fd7882c06ebc6ebd0c333e7d8ca4c16d6af9db23b095  Downloads/Clorio-Wallet-1.0.0.AppImage
enolan@mondorio ~> sha256sum Downloads/Clorio-Wallet-1.0.0.AppImage 
40ece73a7d63fe3db268f1752f227a2172f69c2bbbcc895b110dc52c7d205556  Downloads/Clorio-Wallet-1.0.0.AppImage

At least for the AppImage.

nerdvibe commented 2 years ago

Hey @enolan, sorry for the late reply. I only just noticed this message.

I think there is a misunderstanding...

To fully verify the authenticity of the app, there are 2 steps to be done:

1) Verify that the message is signed by carbonaracrypto (https://keybase.io/carbonaracrypto).

In order to do so, copy the whole message into https://keybase.io/verify (sha512). This proves that the checksums were not manipulated by third parties and were signed by me.

2) After you have verified that the checksums are authentic and not tampered with, you can proceed to verify the checksum of the app (sha256).

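The two-step check above, as an added example that is not part of the clorio-client project: the OpenPGP "Hash:" armor header names the digest used for the cleartext signature, while the per-file checksum algorithm is inferred from the digest length, so a list labelled SHA512 can still legitimately carry SHA-256 checksums. It assumes GNU `sha256sum`/`sha512sum` are available, that `gpg` and the signer's imported public key are present for step 1 (the script does not fetch a key), and it builds a constructed stand-in file and checksum list rather than using the real release.

```shell
#!/bin/sh
# Added example, not code from the clorio-client project. Verifies a release
# file against a clearsigned checksum list in two steps, keeping the OpenPGP
# "Hash:" armor header (digest used for the signature itself) separate from
# the algorithm of the per-file checksums, which is read from digest length.
set -eu

# Step 1: check the signature on the checksum list. Needs gpg and the signer's
# public key already imported; nothing here fetches a key.
verify_signature() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
  gpg --verify "$1"
}

# A 64-hex-char digest is SHA-256, 128 is SHA-512, whatever the header says.
checksum_algo() {
  hex=$(awk '/^[0-9a-f]+  /{print $1; exit}' "$1")
  case "${#hex}" in
    64)  echo sha256 ;;
    128) echo sha512 ;;
    *)   echo "unrecognised digest length ${#hex}" >&2; return 1 ;;
  esac
}

# Step 2: recompute the file's digest with the matching tool and compare.
verify_file() {
  msg="$1"; file="$2"; name=$(basename "$file")
  algo=$(checksum_algo "$msg") || return 1
  expected=$(awk -v n="$name" '$2 == n {print $1; exit}' "$msg")
  [ -n "$expected" ] || { echo "no checksum for $name in $msg" >&2; return 1; }
  actual=$("${algo}sum" "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Constructed sample, not the real release: a stand-in AppImage and a checksum
# list whose "Hash:" header says SHA512 while the digest is SHA-256, mirroring
# the mismatch reported in this issue.
WORK=$(mktemp -d)
FILE="$WORK/Clorio-Wallet-1.0.0.AppImage"
MSG="$WORK/checksums.asc"
printf 'constructed stand-in for the release binary\n' > "$FILE"
{
  printf -- '-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n'
  printf '%s  %s\n' "$(sha256sum "$FILE" | cut -d' ' -f1)" "$(basename "$FILE")"
} > "$MSG"

echo "checksum algorithm from digest length: $(checksum_algo "$MSG")"
verify_file "$MSG" "$FILE" && echo "checksum OK for $(basename "$FILE")"
```

Run `verify_signature "$MSG"` against a real clearsigned list once the maintainer's key is imported; it is not called on the constructed sample because that sample carries no signature.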