Improve guide for App release verification

[fabooowy]

@jstrnbrg @benma cc @NickeZ

Yesterday I checked the App's signature for the first time.

Here my takeaways and pains with osx version:

-Wanted to verify the sha checksum. did not find out what it is and gave up after 5min.
So I clicked signature and got directed to github : )

In github the first step is less clear than on guides:

Get benma's public key:

Not knowing better, I saw https... intentionally behaved like an idiot and pasted the string in the browser for fun. nonsense of course. I pasted the keybase string only in the browser, copied the pubkey and then got prompted by gpg keychain that there is a pubkey to import, which worked.

Solution:

To get benma's public key, execute in command line, eg. in Terminal on osx:
curl https://keybase.io/benma/pgp_keys.asc?fingerprint=2260e48288882c76afaa319d67a2b160f74db275 | gpg --import

What I should have seen according to the guide:

gpg --verify BitBox-4.13.1-macOS.zip.asc
gpg: assuming signed data in 'BitBox-4.13.1-macOS.zip'
gpg: Signature made <DATE AND TIME>
gpg:                using RSA key 2D8876810AB092E451DCA894804538928C37EAE8
gpg: Good signature from "Marko Bencun <marko@shiftcrypto.ch>" [ultimate]
gpg:                 aka "Marko Bencun <mbencun+pgp@gmail.com>" [ultimate]

What I saw:

gpg: Signatur vom Do 20 Feb 12:21:53 2020 CET mittels RSA-Schlüssel ID 8C37EAE8
gpg: Korrekte Signatur von "Marko Bencun <marko@shiftcrypto.ch>" [unbekannt]
gpg:                     alias "Marko Bencun <mbencun+pgp@gmail.com>" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = 2260 E482 8888 2C76 AFAA  319D 67A2 B160 F74D B275
Unter-Fingerabdruck  = 2D88 7681 0AB0 92E4 51DC  A894 8045 3892 8C37 EAE8
fabian:~ itz$ 

Feelings:

-I don't see ID 8C37EAE8 in github :(
-I see marko@shiftcrypto.ch : )
-I see mbencun+pgp@gmail.com :)
-I see a warning :(
-I see fingerprints and go to pgp keychain to see the same : / > :)

I wonder if something could be done to reduce the amount of :( ?

After having done this for 10 min, I feel somewhat ok. but not really sure because of the warning and the to me unknown ID 8C37EAE8.

---

On the guides it reads:

Place BitBoxApp and .asc file in separate folder
Create a new folder and move both, the uninstalled/unzipped BitBoxApp file and the .asc file into that folder.

By "separate folder" I did not understand one folder but separate folders (my brain added plural)
Also this step is only needed if the downloads go in different folders which is by default not the case.

Proposed solution for both guides and github (mac osx):

-Before unzipping, make sure the downloaded app and the .asc file are in the same folder, likely your Downloads folder.
-Copy the path of the .asc file by right clicking the file and selecting: "Dienste">copy path
-Write gpg --verify in the console and paste the copied path of the. asc file, for example:
gpg --verify /Users/"YourName"/Downloads/BitBox-4.17.1-macOS.zip.asc

---

Just some ideas : )

[benma]

Awesome, thanks for the detailed report.

In general, I am not sure how perfect the guides can be. You are witnessing the bazillion UX issues around OpenPGP, which makes it one of the worst tools in existence to use. Maybe it's best to disclaim in the guide that PGP knowledge is a prerequisite and link to tutorials?

What I should have seen according to the guide: [...] What I saw...

Too bad different platforms/gpg versions don't produce the exact same output, but how to fix the docs about that? The message does say that the signature is correct "Korrekte Signatur von ...".

Note that in the guides:

(The [ultimate] could say [unknown] or something else depending on your trust level.)

Since you did not verify my key (or have a web of trust chain to my key), it says that the key is unknown to you. ("Dieser Schlüssel trägt keine vertrauenswürdige Signatur!").

-I don't see ID 8C37EAE8 in github :(

One of the UX issues. Your copy of pgp outputs the subkey Unter-Fingerabdruck = 2D88 7681 0AB0 92E4 51DC A894 8045 3892 8C37 EAE8 (the signing key), and also it's short ID 8C37EAE8 (the last 8 chars of the signing key).

I added the info to the instructions at https://github.com/digitalbitbox/bitbox-wallet-app/releases/tag/v4.17.1 (@jstrnbrg copy to guides?).

In the end none of them even matters I think. What matters is that the main key and email are trustworthy, and that is a whole different story :(

-I see a warning :(

See above.

About the folders: over at https://github.com/digitalbitbox/bitbox-wallet-app/releases/tag/v4.17.1 it does say Download the app for your platform and the corresponding .asc file and place them in the same folder.. @jstrnbrg pls adjust the guide to make it clearer.

[fabooowy]

Thanks for the fast answer @benma : )

[fabooowy]

@benma, I was looking for ID 8C37EAE8 in gpg Keychain, thanks to learn its the last characters of the signing key.