Verify DERO code and binaries release

It is good practice to verify the DERO binaries & match their checksum.

DERO GPG signed key ID: 18CDB3ED5E85D2D4.

1] Download Captain’s GPG public key which is used to sign the binaries checksum file & code.
wget https://raw.githubusercontent.com/deroproject/documentation/master/captainKEY2.asc

2] Import Captain’s GPG public & verify signature of imported key.
gpg --import captainKEY2.asc

gpg: key 0x18CDB3ED5E85D2D4: public key "Captain DeroProject (lotr824) <captain@dero.io>" imported                                                                              
gpg: Total number processed: 1                                                                                                                                                  
gpg:               imported: 1

3] Download GPG signed checksum file included with every release, mostly latest release.
wget https://github.com/deroproject/derohe/releases/latest/download/checksum.txt.asc

4] Verify the checksum file for any tamper or changes.

gpg --verify checksum.txt.asc 
gpg: Signature made Fri 10 Jun 2022 09:09:43 AM UTC
gpg:                using RSA key DED1FEF44297A15CAD9AE28318CDB3ED5E85D2D4
gpg: Good signature from "Captain DeroProject (lotr824) <captain@dero.io>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DED1 FEF4 4297 A15C AD9A  E283 18CD B3ED 5E85 D2D4
gpg: WARNING: not a detached signature; file 'checksum.txt' was NOT verified!

Above checksum file is verified & good.

Now verified the sha512 of the binary you have downloaded.
sha512sum dero_linux_amd64.tar.gz 288ec9af585d3cfb5c55b0a13eeed14f66a5551f6ed893cb4a214dc88f5336143a44367034b0c3c7bf85240f5b8ef450dcb376e1cb857546776261f6aa30f101 dero_linux_amd64.tar.gz

Above hash matches with hash in checksum.txt.asc file. So all good & verified.

Also code commits are signed on DERO Project Github repo, Please check for verified signature. Avoid using source code if commits are not green & GPG signed by above key.

2 Likes