How to Verify the Signature of Your Skycoin Wallet

Sorting out your GPG from your PGP to make sure you won’t be SOL…

Fray
Skyfleet Captain’s Log
Apr 17, 2019

Watch how it’s done, and use the links in the article below to follow along.

Download the wallet that corresponds to your operating system from Skycoin.net. Make sure your browser is using HTTPS, and don’t download the Skycoin wallet from any source other than skycoin.net! Since you will be holding valuable cryptocurrency in this wallet, verifying that it is not compromised in any way may be worth your time. The good news is that doing so is neither difficult nor time-consuming.

The “Signature” link is right next to each “Download” link.

After clicking the “download” link to get the wallet itself, click the “signature” link next to the wallet to download the signature file, too. Find them on your machine once they have downloaded. The signature file will have a .asc extension. If you’re curious, you can open the .asc file in a text editor to view the GPG signature. (GPG, incidentally, stands for GNU Privacy Guard.)

You will also need to install the GPG suite of tools in order to perform the signature verification correctly. Go to GPGTools.org on a Mac and GPG4win.org on Windows. (If you’re running Linux, chances are GPG tools are already installed.)

Once GPG is downloaded and installed, you will be able to verify signatures for your Skycoin wallet, as well as for any software that offers authentication signatures.

After the GPG Toolkit is finished installing, you’re ready to verify your wallet download. You will also need the public PGP key from Skycoin, which you can find on GitHub.

This is a screenshot from https://github.com/skycoin/skycoin#release-signing. PGP stands for Pretty Good Privacy.

Copy the PGP key, or keep it handy for the next step.

You’ll need to fire up a command line interface, like the Terminal app in the Utilities folder on a Mac. Begin by importing the Skycoin PGP key you copied from GitHub. You do this by typing a specific command followed by the PGP key (the key ID beginning with 0x):

gpg --keyserver pool.sks-keyservers.net --recv-keys 0x5801631BD27C7874

This, or something similar, is what you will see after importing the PGP key.

Then you can verify that the fingerprint is correct with another command, again pasting Skycoin’s PGP key:

gpg --fingerprint 0x5801631BD27C7874

This will give you the public primary key (pub), the user ID (uid), and the public sub-key (sub) for that fingerprint. You will be able to verify for yourself that these match the fingerprint posted on GitHub.

You can verify that the public primary key matches the fingerprint on Skycoin’s GitHub page for release signing.

Next, in order to verify the signature of the download, enter:

gpg --verify [.asc file location]

I downloaded the wallet disk image (.dmg) and the signature file (.asc) to my desktop. You only need to specify the location of the .asc file; it will find and verify the .dmg automatically if they are in the same directory.

…and then type the location of the .asc file, or if your application supports it, drag the .asc signature file you downloaded into the app to automatically paste its directory location. (Note: You should ensure the wallet download itself is also in the same directory.) Hit enter, and the verification is complete!

See the “Good Signature” message? You can also match the EdDSA key to the fingerprint from earlier. Don’t worry too much about the warning, as long as you were careful about where you got the wallet and the public key.

You’re looking for the “good signature” message. This means the download is authentic, and you can trust that it’s exactly the download that Skycoin wants you to have, and that it hasn’t been intercepted or tampered with.

You’ll also probably see a “WARNING” message indicating that the “key is not certified with a trusted signature”. All this means is that while GPG Tools verified that the signature was made by that key, you need to decide if you trust that the website you downloaded from was actually skycoin.net, and that the fingerprint on Skycoin’s GitHub is also authentic.

Now you can finish installing the Skycoin wallet, assured that your purchased Skycoin will be safe and secure!
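The “good signature” check and the fingerprint comparison described above can be combined so that neither is skipped. The script below is an added example, not part of the original article or of Skycoin’s tooling: it reads gpg’s machine-readable status output and accepts the download only when the signature is good and was made under the full fingerprint you pinned from the GitHub release-signing page. The function names and the fingerprints in the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example: accept a download only if gpg reports a good signature AND the
# signing key's primary fingerprint equals the one you pinned from GitHub.
# Usage: sh verify_pinned.sh "FULL FINGERPRINT" wallet.dmg.asc wallet.dmg

# Strip whitespace and an optional 0x prefix, then uppercase the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Reads `gpg --status-fd` lines on stdin. Returns 0 only for exactly one good
# signature made under fingerprint $1; returns 2 if $1 is not a full fingerprint.
check_status() {
    want=$(normalize_fpr "$1")
    case "$want" in ''|*[!0-9A-F]*) return 2 ;; esac
    # A 16-digit key ID is not a full fingerprint; insist on 40+ hex digits.
    [ "${#want}" -ge 40 ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG" { if (toupper((NF >= 12) ? $12 : $3) == want) hit++; else miss++ }
        END { exit !(good == 1 && bad == 0 && hit == 1 && miss == 0) }
    '
}

# Constructed status output (made-up fingerprints) for trying check_status.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222333344445555 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2019-04-17 1555500000 0 4 0 22 10 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# $1 = pinned fingerprint, $2 = .asc signature, $3 = downloaded file
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

if [ "$#" -eq 3 ]; then
    if verify_pinned "$@"; then echo "OK: good signature from the pinned key"
    else echo "FAIL: do not install this download" >&2; exit 1; fi
fi
```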

For Windows Users

This article included instructions for Mac computers. For Windows machines, the process works essentially the same way, but you would install GPG from GPG4win.org, use the “cmd.exe” app instead of Terminal, and just use the command gpg.exe in place of gpg when entering the text commands outlined in the article. Otherwise, the steps, commands, links, and public PGP key are the same regardless of operating system.

Important Links

Here are all the links you should need to download and verify your Skycoin wallet:

Download the Skycoin Wallet and Signature:
https://www.skycoin.net/downloads

Get Skycoin’s Public PGP key and Fingerprint:
https://github.com/skycoin/skycoin#release-signing

Download and install GPG Tools:
Mac: https://gpgtools.org
Windows: https://gpg4win.org/download.html

Follow signature verification instructions for your specific OS from the Tor Project:
https://2019.www.torproject.org/docs/verifying-signatures.html.en

If you liked my writing and would like to contribute to me making more, feel free to donate some Skycoin: GCB5KK9LmJzxxxh2hMoKm3HRXwaJe9vRfd
