====== How to Verify Litecoin GPG Signatures =======

Written by Warren Togami on Wednesday, July 31st, 2013.

Do not use these binary builds without verifying the GPG signatures!

These instructions are for using the GnuPG command line tool, which allows you to use the Litecoin Dev Team GPG key to verify that the downloads have not been tampered with.

1. Understanding the Litecoin Dev Team GPG Key
==============================================

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xC37E4723969276F5
You can view the GPG keys that have signed the Litecoin Dev Team GPG key here.

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x657EB016521670C0
Mac builds are often GPG signed by the Mac dev's key.

Click on the people to see other people who have signed their GPG key. This is the basis for the GPG Web-of-Trust, where people verify the identity of others. The better connected the signatures, the more trust

2. Importing the GPG Public Key
===============================

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC37E4723969276F5
You can download the public GPG key here and import it with "gpg --import" followed by the name of the downloaded file.

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x657EB016521670C0
Do the same thing for the Mac dev's key.

Alternatively, you can import each key from the key servers with a single command:

    gpg --recv-key C37E4723969276F5
    gpg --recv-key 657EB016521670C0

3. Check the Key Fingerprint
============================

    $ gpg --fingerprint C37E4723969276F5
    pub   4096R/969276F5 2013-06-18
          Key fingerprint = DC38 0DA4 3082 F163 78C9 7414 C37E 4723 9692 76F5
    uid   Litecoin Dev Team (Build Signing Key June 2013)
    sub   4096R/667A8C2A 2013-06-18

    $ gpg --fingerprint 657EB016521670C0
    pub   2048R/521670C0 2013-06-16
          Key fingerprint = E084 FE30 5BDF 0C47 6F77 9792 657E B016 5216 70C0
    uid   Rama McIntosh
    sub   2048R/0349D0AD 2013-06-16

4. Verify Filename and Filename.asc
===================================

If you want to verify litecoin-0.8.3.5-linux.tar.xz, download it and its corresponding litecoin-0.8.3.5-linux.tar.xz.asc file, then run the command:

    gpg --verify litecoin-0.8.x.x-linux.tar.xz.asc

For example, it should look something like this:

    $ gpg --verify litecoin-0.8.3.5-linux.tar.xz.asc
    gpg: Signature made Sat 13 Jul 2013 02:52:46 PM CEST using RSA key ID 969276F5
    gpg: Good signature from "Litecoin Dev Team (Build Signing Key June 2013) "
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: DC38 0DA4 3082 F163 78C9 7414 C37E 4723 9692 76F5

5. Understanding the Verify Output
==================================

* "Good signature" means the file is genuine, as long as the signing key is the expected one.
* "WARNING:" is standard because the GPG key has not been signed by you or by anyone you trust.
* You should verify that the key fingerprint matches the expected fingerprint.
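The checks in sections 3 to 5 can be scripted. The following is an added example, not part of the original instructions or of the Litecoin project's code: it reads gpg's machine-readable status lines (--status-fd) instead of the human-readable output and compares the fingerprint from section 3. The function names sig_status_ok and verify_release are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the original instructions.
# Fingerprint from section 3 of this page, with the spaces removed.
LITECOIN_FPR="DC380DA43082F16378C97414C37E4723969276F5"

# sig_status_ok FINGERPRINT
# Reads "gpg --status-fd" lines on stdin. Succeeds only if gpg reported
# GOODSIG, a VALIDSIG line ends with the expected primary key
# fingerprint, and no bad/expired/revoked status was reported.
sig_status_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && toupper($NF) == want { valid = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (good && valid && !bad) exit 0; exit 1 }'
}

# verify_release FILE.asc [FINGERPRINT]
# Runs the "gpg --verify" from section 4 and applies the check above.
# Fails closed: a missing gpg, missing key or bad signature all return 1.
verify_release() {
    fpr=${2:-$LITECOIN_FPR}
    if gpg --status-fd 1 --verify "$1" 2>/dev/null | sig_status_ok "$fpr"
    then
        echo "OK: $1 is signed by $fpr"
    else
        echo "FAIL: no good signature by $fpr on $1" >&2
        return 1
    fi
}
```

For example, "verify_release litecoin-0.8.3.5-linux.tar.xz.asc" checks against the Litecoin Dev Team fingerprint; pass the Mac dev's fingerprint as the second argument for Mac builds.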