-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ====== How to Verify Litecoin GPG Signatures ======= Written by Adrian Gallagher on Friday, June 19th, 2015. Do not use these binary builds without verifying the GPG signatures! These instructions are for using the GnuPG command line tool which allows you to use a Litecoin team members key to verify that the downloads have not been tampered with. This guide will focus on using Adrian's GPG key however you can use this same process for verifying builds from another Litecoin development team member provided that you have their key ID. 1. Importing the GPG Public Key =============================== https://pgp.mit.edu/pks/lookup?op=get&search=0xFE3348877809386C You can download the public GPG key here and use "gpg --import ". Alternatively you can use the key servers to import the key with a single command with: gpg --recv-key FE3348877809386C 2. Check the Key Fingerprint ============================ $ gpg --fingerprint FE3348877809386C pub 2048R/7809386C 2013-06-19 Key fingerprint = 59CA F0E9 6F23 F537 4794 5FD4 FE33 4887 7809 386C uid Adrian Gallagher sub 2048R/6FB978EE 2013-06-19 3. Verify Filename and Filename.asc =================================== If you want to verify litecoin-0.10.2.2-win64-setup.exe, you download it and its corresponding litecoin-0.10.2.2-win64-setup.asc file then run the command gpg --verify litecoin-0.10.2.2-win64-setup.exe.asc For example, it should look something like this: $ gpg --verify litecoin-0.10.2.2-win64-setup.exe.asc gpg: Signature made 06/17/15 21:13:28 AUS Eastern Standard Time using RSA key ID7809386C gpg: Good signature from "Adrian Gallagher " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 59CA F0E9 6F23 F537 4794 5FD4 FE33 4887 7809 386C If the .asc file you downloaded contains the SHA256sums of multiple files, first verify that the .asc file is valid by using the same command above. Then open the .asc file using a text editor and note the sha256sum of the file you are after. Type sha256sum and verify that the sum matches the one in the .asc file. For example, .asc file contains: 124470d116f1a93b70ba5c43a8700113ae31d997b9fdfe7cb425af4e54e43d85 litecoin-0.10.2.2-win64-setup.exe $ sha256sum litecoin-0.10.2.2-win64-setup.exe 124470d116f1a93b70ba5c43a8700113ae31d997b9fdfe7cb425af4e54e43d85 *litecoin-0.10.2.2-win64-setup.exe For Windows, you can download a sha256sum command line application from http://www.labtestproject.com/files/win/sha256sum/sha256sum.exe. 4. Understanding the Verify Output ================================== * "Good signature" means the file is genuine. * "WARNING:" is standard because the GPG key has not been signed by yourself or any people that you trust. * You should verify that the key fingerprint matches the expected fingerprint. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJVg6ysAAoJEP4zSId4CThsK9YH/39wWzibLd3eE2IqytjYkHzr u6Th6qYjua6qJo4SKKoUbzytwDdPXOusjU4kKkxEIBtWGLDajZ8IagO0A0qC4IUO TLTSrQnzFIKgWIaEuYbWIiwYamF+AMIRM4SLhGNLl8pZmC7tzJNgcJ4y7C/qD8Fr 6/+IAg0Oq52/5QFsKdTuqhOqeDJH88vGfqPxdA7yo0rCS0jtPlqiQpR2SkjDl9Uf W/oFAO5SxmoLzWXqzk9gOHRr+CUXZxsJpXIBegwFgKSFLcp7FOwxnwSehdyU2Thp Rf3ECohjRnghJKxLzHwwZss/X0PQjwUIeyZyqMszZRzmz4JtvCaPqA0k3v99bDo= =MX+L -----END PGP SIGNATURE-----