Don't Trust, Verify. (Thanks to Coinkite's @NVK)

Verifying the release .zip file's hash and signature requires intermediate to advanced computer skills. It needs extra tools and adds steps, but if you want to be certain that the package you've acquired is legitimate and has not been tampered with, the extra effort is worth the peace of mind of knowing your documents and CAD files are safe and correct. The hash check catches a corrupted or altered download; the signature check is what ties the published hashes to the release signer, so do both.

Note: PGP signature verification requires GPG. Debian and other Linux distributions include GPG. Mac and Windows users who have not already installed GPG will need to do so. Operating system-specific instructions contain links to tool downloads.


Verifying on Mac

These instructions use GPG Keychain, a component of the GPG Suite from GPGTools.

Confirm the Hash

  1. Open signatures.txt so you can view its contents.
  2. Open Terminal, navigate to the directory where you saved the .zip file and enter shasum -a 256 "Dagny Dagger FOS Release x.x.x.zip" (keep the quotes, since the file name contains spaces, and replace x.x.x with the version number you downloaded).
  3. Resize or reposition the windows so you can see both the Terminal and signatures.txt file at the same time.
  4. Compare the hash printed in Terminal with the line in signatures.txt for the .zip version you saved. The hash is confirmed only if every character matches; compare the whole value, not just the first few characters.

Verify the PGP Signature

  1. Save the signatures.txt file in the same location as the new .zip file.
  2. Save the public key whose fingerprint is BB4B64FFC4AD5CE5FB50275FD4681C315B2AEB28 as a file named new-pubkey.txt in the same location as the .zip and signatures.txt files.
  3. Open GPG Keychain.
  4. Click the Import button and navigate to new-pubkey.txt. Select the file and click Open. A pop-up message should appear saying "Import successful".
  5. Open Terminal and enter gpg --verify signatures.txt.
  6. The output in Terminal should include "Good signature from ...". You will also see "WARNING: This key is not certified with a trusted signature!" and "gpg: There is no indication that the signature belongs to the owner." That warning is expected: it only means you have not marked the key as trusted in your own keyring, not that anything is wrong with the signature. What does matter is that the signature was made by the right key, so check that the "Primary key fingerprint:" line in the same output reads BB4B 64FF C4AD 5CE5 FB50 275F D468 1C31 5B2A EB28. If it does, the signature is verified.

Once both the hash and the signature are verified, and the signing key's fingerprint matches the one given above, you can be confident that your zip file is legitimate and has not been tampered with.

Optionally, you can also verify the timestamp of the signatures.txt file: go to https://opentimestamps.org/, upload signatures.txt.ots and then upload your signatures.txt file. A successful check proves that this exact signatures.txt existed at the attested time; it is independent of the signature check, not a replacement for it.


Verifying on Linux

Confirm the Hash

  1. Open signatures.txt so you can view its contents.
  2. Use the command line to navigate to the directory where you saved the .zip and enter sha256sum "Dagny Dagger FOS Release x.x.x.zip" (keep the quotes, since the file name contains spaces, and replace x.x.x with the version number you downloaded).
  3. Resize or reposition the windows so you can see both the command output and signatures.txt file at the same time.
  4. Compare the hash printed by the command with the line in signatures.txt for the .zip version you saved. The hash is confirmed only if every character matches; compare the whole value, not just the first few characters.

Verify the PGP Signature

  1. Save the signatures.txt file in the same location as the open source package .zip file.
  2. On the command line, enter curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xd4681c315b2aeb28" | gpg --import to import the public key. Then enter gpg --fingerprint 0xd4681c315b2aeb28 and confirm that it shows BB4B 64FF C4AD 5CE5 FB50 275F D468 1C31 5B2A EB28. A keyserver returns whatever key carries that ID, so this fingerprint check, not the download, is what ties the key to the release.
  3. Next, enter gpg --verify signatures.txt to check the file's signature against its contents.
  4. The command output should include "Good signature from ...". You will also see "WARNING: This key is not certified with a trusted signature!" and "gpg: There is no indication that the signature belongs to the owner." That warning is expected: it only means you have not marked the key as trusted in your own keyring, not that anything is wrong with the signature. Check that the "Primary key fingerprint:" line in the same output reads BB4B 64FF C4AD 5CE5 FB50 275F D468 1C31 5B2A EB28. If it does, the signature is verified.
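The Mac and Linux procedures above (hash check, key import, signature check, fingerprint comparison) collected into one POSIX shell script, as an added example that is not part of the original page or the Dagny Dagger project. It assumes that signatures.txt is a clearsigned text file whose signed body contains lines of the form "<sha256>  <zip file name>" (the format sha256sum and shasum print), that gpg is installed, and that the release key has already been imported as in step 2; the fingerprint is the one the instructions give. The script prefers sha256sum and falls back to shasum -a 256 on macOS, and it reads gpg's machine-readable status output instead of matching the English "Good signature" text, so it also checks which key actually made the signature (gpg's VALIDSIG record carries both the signing subkey and the primary key fingerprint).

```sh
#!/bin/sh
# verify-release.sh (added example; not from the Dagny Dagger project)
# Usage: sh verify-release.sh signatures.txt "Dagny Dagger FOS Release x.x.x.zip"
#
# Assumptions: signatures.txt is a clearsigned file whose signed body holds
# lines "<sha256>  <zip file name>"; gpg is installed and the release key has
# been imported. The fingerprint below is the one the instructions give.

EXPECTED_FPR="BB4B64FFC4AD5CE5FB50275FD4681C315B2AEB28"

# SHA-256 of a file, using sha256sum (Linux) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | cut -d' ' -f1
    else
        shasum -a 256 -- "$1" | cut -d' ' -f1
    fi
}

# Print the hash listed for file name $2 in signatures file $1 (lowercased),
# or return 1 if there is no well-formed 64-hex-digit entry for that name.
expected_hash() {
    while IFS= read -r line; do
        case "$line" in
            *"  $2")
                h=${line%"  $2"}
                if printf '%s' "$h" | grep -Eq '^[0-9a-fA-F]{64}$'; then
                    printf '%s\n' "$h" | tr 'A-F' 'a-f'
                    return 0
                fi
                ;;
        esac
    done < "$1"
    return 1
}

# Compare the real hash of zip $2 with its entry in signatures file $1.
# Exit status: 0 match, 1 mismatch, 2 no entry for that file name.
check_hash() {
    name=${2##*/}
    exp=$(expected_hash "$1" "$name") || { echo "no entry for $name in $1" >&2; return 2; }
    act=$(sha256_of "$2")
    if [ "$exp" = "$act" ]; then
        echo "hash OK: $act  $name"
        return 0
    fi
    echo "HASH MISMATCH for $name: expected $exp, got $act" >&2
    return 1
}

# Read "gpg --with-colons" output on stdin; succeed only if a fpr record
# (fingerprint in field 10) carries the expected fingerprint.
fingerprint_matches() {
    awk -F: -v want="$EXPECTED_FPR" \
        '$1 == "fpr" && $10 == want { ok = 1 } END { if (ok) exit 0; exit 1 }'
}

# Read "gpg --status-fd" output on stdin; succeed only if a VALIDSIG record
# names the expected key, either as the signing key (field 3) or as the
# primary key of the signing subkey (last field).
validsig_from_expected_key() {
    awk -v want="$EXPECTED_FPR" \
        '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
         END { if (ok) exit 0; exit 1 }'
}

# Verify clearsigned file $1 and pin the signer to EXPECTED_FPR.
# Exit status: 0 good signature from the expected key, 1 bad signature or
# wrong signer, 2 expected key not in the keyring (import it first).
check_signature() {
    if ! gpg --with-colons --fingerprint "$EXPECTED_FPR" 2>/dev/null | fingerprint_matches; then
        echo "key $EXPECTED_FPR is not in your keyring; import it first" >&2
        return 2
    fi
    status=$(gpg --status-fd 1 --verify "$1" 2>/dev/null) || {
        echo "BAD or missing signature on $1" >&2
        return 1
    }
    if printf '%s\n' "$status" | validsig_from_expected_key; then
        echo "signature OK: $1 signed by $EXPECTED_FPR"
        return 0
    fi
    echo "signature on $1 was made by a different key" >&2
    return 1
}

if [ "$#" -eq 2 ]; then
    check_hash "$1" "$2" || exit 1
    check_signature "$1" || exit 1
    echo "release verified: $2"
fi
```

Run it as sh verify-release.sh signatures.txt "Dagny Dagger FOS Release x.x.x.zip". Any mismatch exits nonzero, and the script refuses to report success when the expected key is absent from the keyring or a different key made the signature, which is exactly the case that the "not certified" warning by itself does not catch.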

Once both the hash and the signature are verified, and the signing key's fingerprint matches the one given above, you can be confident that your zip file is legitimate and has not been tampered with.

Optionally, you can also verify the timestamp of the signatures.txt file: go to https://opentimestamps.org/, upload signatures.txt.ots and then upload your signatures.txt file. A successful check proves that this exact signatures.txt existed at the attested time; it is independent of the signature check, not a replacement for it.


Verifying on Windows

These instructions use Kleopatra, which is part of Gpg4win (GNU Privacy Guard for Windows). You only need the GnuPG and Kleopatra components to verify the PGP signature.

Kleopatra requires you to have your own OpenPGP key pair (Kleopatra calls it a certificate) in order to certify the imported public key in the steps below. If you don't have one to import, you can create one in Kleopatra.

Confirm the Hash

  1. Open signatures.txt so you can view its contents.
  2. Open Command Prompt and enter certutil -hashfile "C:\..\Dagny Dagger FOS Release x.x.x.zip" SHA256, where C:\..\Dagny Dagger FOS Release x.x.x.zip is the full path to the .zip file you saved. Use double quotes: Command Prompt does not treat single quotes as quoting characters, and the path contains spaces. Older versions of certutil print the hash with a space after every byte; ignore the spaces when comparing.
  3. Resize or reposition the windows so you can see both the Command Prompt output and signatures.txt file at the same time.
  4. Compare the hash printed in Command Prompt with the line in signatures.txt for the .zip version you saved. The hash is confirmed only if every character matches; compare the whole value, not just the first few characters.

Verify the PGP Signature

  1. Save signatures.txt in the same location as the saved .zip file.
  2. Save the public key whose fingerprint is BB4B64FFC4AD5CE5FB50275FD4681C315B2AEB28 as an .asc file in the same location as the .zip and signatures.txt files.
  3. Open a browser and go to keybase.io/michaelr. Click on the text next to the key icon to open the public key window. You will need this window for a later step.
  4. Open Kleopatra and click Import....
  5. Navigate to the public key .asc file and open it.
  6. Kleopatra will ask you to check the fingerprint of the imported key and will suggest ways to do so. The Keybase page opened in step 3 is the trusted website for this purpose. Click Yes.
  7. A Certify Certificate window will show the file's fingerprint, your certification, and the fingerprint's owner. Resize or reposition the Certify Certificate window and the browser window opened in step 3 so you can see them both at the same time.
  8. Make sure the fingerprints in each window match and click Certify. If you have a passphrase on your certificate, you'll be asked to enter it. A pop-up box should appear saying, "Certification successful." Click Ok.
  9. Click Decrypt/Verify... and open the signatures file you saved in step 1 (signatures.txt, or signatures.asc if you saved it under that name).
  10. Kleopatra will verify the signature and report the result. It must show the signature as valid and made by the key you certified in step 8; if it reports a different key or an invalid signature, do not use the .zip. You may save or discard the output file Kleopatra offers, which is just the signed text and is not needed.

Once both the hash and the signature are verified, and the signing key's fingerprint matches the one given above, you can be confident that your zip file is legitimate and has not been tampered with.

Optionally, you can also verify the timestamp of the signatures.txt file: go to https://opentimestamps.org/, upload signatures.txt.ots and then upload your signatures.txt file. A successful check proves that this exact signatures.txt existed at the attested time; it is independent of the signature check, not a replacement for it.