Add verification steps to README #612

Merged
22 changes: 21 additions & 1 deletion README.md
@@ -24,6 +24,26 @@ For macOS users, Bob is also available through the [Homebrew](https://github.com
brew install kyokan-bob
```

### Verify downloaded binaries

1. Download a _SHA256SUMS.asc_ file included into the release
2. Paste the file's content into https://keybase.io/verify and click "Verify"
3. Make sure the file's signer is a trusted signer mentioned in [SECURITY.md](SECURITY.md#trusted-pgp-keys)
4. Compare a checksum of a downloaded Bob Wallet app file:
```
# Linux
sha256sum Bob-2.0.0.AppImage

# Windows
certUtil -hashfile Bob-2.0.0.msi SHA256

# macOS
shasum -a 256 Bob-2.0.0-x86.dmg
shasum -a 256 bob-2.0.0-arm64.dmg
```

For more details and more advanced PGP signature verification see https://github.com/kyokan/bob-wallet/pull/612.

## Uninstall

Bob Wallet can be uninstalled from your OS apps list. This _does not_ delete any blockchain and wallet data.
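Review bot: step 4 (the `sha256sum` / `certUtil` / `shasum` block) computes a digest but never says what to compare it against; it should state that the printed value must match the line for that filename inside the signed SHA256SUMS.asc, and that on any mismatch the file must not be run. On Linux the comparison can be done by the tool itself, e.g. `sha256sum --ignore-missing -c SHA256SUMS.asc` (the clear-signed armor lines only produce an "improperly formatted" warning). Step 2 delegates the signature check to https://keybase.io/verify, so the user is trusting that web page and a Keybase account rather than the fingerprints SECURITY.md publishes; the README should at least give the local path, `gpg --verify SHA256SUMS.asc` after importing the keys from SECURITY.md, and step 3 should say to compare the fingerprint gpg prints against the table rather than just the signer's name, since gpg reports "Good signature" for any key it has, trusted or not, and only the fingerprint comparison ties the file to the project. The closing line sends readers to https://github.com/kyokan/bob-wallet/pull/612 for the "more advanced PGP signature verification"; that text belongs in the README or SECURITY.md itself, not in a PR thread, and the hard-coded 2.0.0 filenames will go stale with the next release unless written as a pattern.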
@@ -145,7 +165,7 @@ Please report issues using Github issues on this repo. Please file bugs with the

### Security Issues

Please don't report security issues on GitHub. Instead, send an e-mail to dtsui [at] kyokan [dot] io (`4096R/395CD3B2`) describing your issue.
See [SECURITY.md](SECURITY.md#reporting-a-vulnerability).

## License

29 changes: 29 additions & 0 deletions SECURITY.md
@@ -0,0 +1,29 @@
# Security Policy

## Supported Versions

Please see [Releases](https://github.com/kyokan/bob-wallet/releases).
We recommend using the [most recently released version](https://github.com/kyokan/bob-wallet/releases/latest).

## Reporting a Vulnerability

Please don't report security issues on GitHub. Instead, send an e-mail to dtsui [at] kyokan [dot] io (`4096R/395CD3B2`) describing your issue.

## Trusted PGP keys

The following keys may be used to sign release binaries:

| Name | Fingerprint | Full Key |
|------------------------------------------------------------------|------------------------------------------|---------------------------------|
| Matthew Slipper ([@mslipper](https://github.com/mslipper)) | 35C01D01A57FA04D9F2FF89DCB951614D58D3841 | https://keybase.io/mslipper |
| Rithvik Vibhu ([@rithvikvibhu](https://github.com/rithvikvibhu)) | 0393D7636C08EFA8A781F9CDE85101DF1682E27F | https://keybase.io/rithvikvibhu |

You can also import a key by running the following command with an individual’s fingerprint:

`gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "<fingerprint>"`

To import the full set:
```
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "35C01D01A57FA04D9F2FF89DCB951614D58D3841"
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "0393D7636C08EFA8A781F9CDE85101DF1682E27F"
```
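Review bot: in "Reporting a Vulnerability" the contact key is identified only as `4096R/395CD3B2`, a 32-bit short key ID in legacy gpg notation; short IDs are cheap to collide and this key is not in the "Trusted PGP keys" table, so a reporter has no fingerprint to check before encrypting a vulnerability report to it. Publish the full 40-hex-digit fingerprint (or the key file) next to the address, as the table already does for the release keys. In "Trusted PGP keys", "may be used to sign release binaries" should name what is actually signed, since the README verifies a SHA256SUMS.asc checksum file rather than the binaries themselves. The `--recv-keys` commands pull from hkps://keyserver.ubuntu.com, which does not vouch for identities, so the section should tell users to run `gpg --fingerprint <fingerprint>` after import and compare the output against the table; the "Full Key" column links to Keybase profile pages, whereas Keybase also serves the key itself at https://keybase.io/<user>/pgp_keys.asc, which can be piped straight into `gpg --import` as a second source. "Supported Versions" only links to the releases page instead of saying which versions receive security fixes.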