mirror of
https://github.com/bisq-network/bisq.git
synced 2024-11-19 09:52:23 +01:00
43 lines
1.9 KiB
Markdown
43 lines
1.9 KiB
Markdown
|
## Verification of Bisq updates
|
||
|
|
||
|
If you have Bisq already installed it is best to update from inside the Bisq application and let Bisq perform the
|
||
|
signature verification. The Bisq application contains the PGP keys used for signing and those will be compared to the
|
||
|
signing key from the Github download page and the Bisq webpage. This provides an additional layer of security compared
|
||
|
to downloading and verifying it via the Github page only.
|
||
|
|
||
|
For a detailed description on how to verify your Bisq installer please have a look at our
|
||
|
wiki: https://bisq.wiki/Downloading_and_installing#Verify_installer_file
|
||
|
|
||
|
### Signing key
|
||
|
|
||
|
Url of the signing key (Alejandro GarcĂa): https://bisq.network/pubkey/E222AA02.asc
|
||
|
Full fingerprint:
|
||
|
|
||
|
`B493 3191 06CC 3D1F 252E 19CB F806 F422 E222 AA02`
|
||
|
|
||
|
### Import the key:
|
||
|
|
||
|
`curl https://bisq.network/pubkey/E222AA02.asc | gpg --import`
|
||
|
|
||
|
GPG prints a confusion warning: "This key is not certified with a trusted signature!". You can ignore that or read up
|
||
|
at https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key for background information what it means.
|
||
|
|
||
|
### How to verify signatures?
|
||
|
|
||
|
`gpg --digest-algo SHA256 --verify BINARY{.asc*,}`
|
||
|
|
||
|
Replace BINARY with the file you downloaded (e.g. Bisq-1.9.11.dmg)
|
||
|
|
||
|
### Verify jar file inside binary:
|
||
|
|
||
|
You can verify on OSX the jar file with:
|
||
|
|
||
|
`shasum -a256 [PATH TO BISQ APP]/Bisq.app/Contents/app/desktop-1.9.11-all.jar`
|
||
|
|
||
|
The output need to match the value from the `Bisq-1.9.11.jar.txt` file.
|
||
|
|
||
|
There are three hashes within the Bisq-1.9.11.jar.txt file (macOS, Windows, Linux).
|
||
|
If you want to reproduce and verify the hash of the jar file locally, you need to do so on Windows or Linux using Java
|
||
|
15.0.9 and the v1.9.11 release tag. Because of the signing and notarization process that requires the developer
|
||
|
certificate used for the build on macOS it is not possible to create the same jar on macOS.
|