trezor / trezord-go

:smiling_imp: Trezor Communication Daemon (written in Go)
GNU Lesser General Public License v3.0

Document package verification process #184

Open VojtechMyslivec opened 4 years ago

VojtechMyslivec commented 4 years ago

Although the (Debian) packages are signed with GPG, there is no documentation on how to verify such signatures or packages, respectively. The proper GPG key ID is also not documented or published.

This process should be documented, probably on the wiki, so any Trezor user can verify a downloaded package before installation.

VojtechMyslivec commented 4 years ago

Documentation for a Debian package verification should look like:

Package verification

DEB package

  1. Install required tools

    $ apt install gnupg dpkg-sig
  2. Import signing key

    $ gpg --recv-keys 86E6792FC27BFD478860C11091F3B339B9A02A3D

    TODO:

    • Double-check used keyID
    • Probably include proper --keyserver ... as well
  3. Verify the package

    $ dpkg-sig --verify trezor-bridge_latest_amd64.deb
  4. Install the package

    # dpkg --install trezor-bridge_latest_amd64.deb

RPM package

macOS package

...

Windows package

...
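
The Debian steps proposed above, as an added example that is not part of the issue or of the project's documentation: `dpkg-sig --verify` prints GOODSIG for a signature by any key in the local keyring, so this script also pins the signer's fingerprint before the package is installed. The fingerprint is the one quoted in the issue (still marked there as needing a double-check), the function names are hypothetical, and the `GOODSIG <role> <fingerprint> <timestamp>` output layout is an assumption about dpkg-sig's output.

```bash
#!/usr/bin/env bash
# Added example: accept a .deb only if dpkg-sig reports a good signature
# made by one pinned key. Not the project's own tooling.

# Fingerprint copied from the issue; the issue itself flags it as unconfirmed.
EXPECTED_FPR="86E6792FC27BFD478860C11091F3B339B9A02A3D"

# Reads `dpkg-sig --verify` output on stdin. Succeeds only if a GOODSIG line
# carries the expected fingerprint and no BADSIG/UNKNOWNSIG/NOSIG line appears.
# Assumed line layout: STATUS ROLE FINGERPRINT TIMESTAMP
check_sig_output() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v want="$expected" '
        $1 == "GOODSIG" && toupper($3) == want { good = 1 }
        $1 ~ /^(BADSIG|UNKNOWNSIG|NOSIG)$/      { bad = 1 }
        END { exit !(good && !bad) }
    '
}

# Runs dpkg-sig on the given package and applies the pinned-key check.
# Fails closed if dpkg-sig is missing or exits non-zero.
verify_deb() {
    deb=$1
    out=$(dpkg-sig --verify "$deb") || return 1
    printf '%s\n' "$out" | check_sig_output "$EXPECTED_FPR"
}

# Usage: ./verify-deb.sh trezor-bridge_latest_amd64.deb
if [ "$#" -gt 0 ]; then
    if verify_deb "$1"; then
        echo "OK: $1 is signed by $EXPECTED_FPR"
    else
        echo "FAIL: $1 did not verify against the pinned key; do not install" >&2
        exit 1
    fi
fi
```
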