add verification steps to README (#612)

kyokan · Feb 21, 2023 · c9b4c45 · c9b4c45
1 parent 3e95531
commit c9b4c45
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -24,6 +24,26 @@ For macOS users, Bob is also available through the [Homebrew](https://github.com
 brew install kyokan-bob
 ```
 
+### Verify downloaded binaries
+
+1. Download a _SHA256SUMS.asc_ file included into the release
+2. Paste the file's content into https://keybase.io/verify and click "Verify"
+3. Make sure the file's signer is a trusted signer mentioned in [SECURITY.md](SECURITY.md#trusted-pgp-keys)
+4. Compare a checksum of a downloaded Bob Wallet app file:
+```
+# Linux
+sha256sum Bob-2.0.0.AppImage
+
+# Windows
+certUtil -hashfile Bob-2.0.0.msi SHA256
+
+# macOS
+shasum -a 256 Bob-2.0.0-x86.dmg
+shasum -a 256 bob-2.0.0-arm64.dmg
+```
+
+For more details and more advanced PGP signature verification see https://github.com/kyokan/bob-wallet/pull/612.
+
 ## Uninstall
 
 Bob Wallet can be uninstalled from your OS apps list. This _does not_ delete any blockchain and wallet data.
@@ -145,7 +165,7 @@ Please report issues using Github issues on this repo. Please file bugs with the
 
 ### Security Issues
 
-Please don't report security issues on GitHub. Instead, send an e-mail to dtsui [at] kyokan [dot] io (`4096R/395CD3B2`) describing your issue.
+See [SECURITY.md](SECURITY.md#reporting-a-vulnerability).
 
 ## License
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,29 @@
+# Security Policy
+
+## Supported Versions
+
+Please see [Releases](https://github.com/kyokan/bob-wallet/releases). 
+We recommend using the [most recently released version](https://github.com/kyokan/bob-wallet/releases/latest).
+
+## Reporting a Vulnerability
+
+Please don't report security issues on GitHub. Instead, send an e-mail to dtsui [at] kyokan [dot] io (`4096R/395CD3B2`) describing your issue.
+
+## Trusted PGP keys
+
+The following keys may be used to sign release binaries:
+
+| Name | Fingerprint | Full Key |
+|------------------------------------------------------------------|------------------------------------------|---------------------------------|
+| Matthew Slipper ([@mslipper](https://github.com/mslipper)) | 35C01D01A57FA04D9F2FF89DCB951614D58D3841 | https://keybase.io/mslipper |
+| Rithvik Vibhu ([@rithvikvibhu](https://github.com/rithvikvibhu)) | 0393D7636C08EFA8A781F9CDE85101DF1682E27F | https://keybase.io/rithvikvibhu |
+
+You can also import a key by running the following command with an individual’s fingerprint:
+
+`gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "<fingerprint>"`
+
+To import the full set:
+```
+gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "35C01D01A57FA04D9F2FF89DCB951614D58D3841"
+gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "0393D7636C08EFA8A781F9CDE85101DF1682E27F"
+```