diff --git a/docs/binary_verification.md b/docs/binary_verification.md new file mode 100644 index 0000000..5da28a8 --- /dev/null +++ b/docs/binary_verification.md 
@@ -0,0 +1,97 @@ +# Verifying the released binaries + +This guide explains how to verify the integrity of Specter firmware binaries on the command line of your OS. + +## Files needed to verify +- `initial_firmware_v.bin` - Binary with secure bootloader. Use for upgrading from versions below 1.4.0 or first-time upload +- `specter_upgrade_v.bin` - For regular upgrades (after you have once done a first-time upload) +- `sha256.signed.txt` - Contains the expected hashes of the binaries, which are signed by the specter team + +> **Note:** Replace `` with your actual firmware version (e.g., 1.9.0) + +Download these files for the release you want to use from the Specter DIY repository: https://github.com/cryptoadvance/specter-diy/releases + +## Linux Verification + +### Prerequisites +```bash +# GPG is usually pre-installed. If not: +sudo apt-get install gnupg # Debian/Ubuntu +sudo dnf install gnupg2 # Fedora +``` + +### Verification Steps + +**1. Import Stepan's PGP key:** +```bash +curl -s https://stepansnigirev.com/ss-specter-release.asc | gpg --import +``` + +**2. Verify the signature of sha256.signed.txt:** +```bash +gpg --verify sha256.signed.txt +``` +✓ Look for "Good signature from" message + +**3. Verify the hash of the binary:** +```bash +sha256sum -c sha256.signed.txt --ignore-missing +``` +✓ Should show "OK" for the binary file(s) + +## macOS Verification + +### Prerequisites +```bash +# Install GPG via Homebrew +brew install gnupg +``` + +### Verification Steps + +**1. Import Stepan's PGP key:** +```bash +curl -s https://stepansnigirev.com/ss-specter-release.asc | gpg --import +``` + +**2. Verify the signature of sha256.signed.txt:** +```bash +gpg --verify sha256.signed.txt +``` +✓ Look for "Good signature from" message + +**3. Verify the hash of the binary:** +```bash +shasum -a 256 -c sha256.signed.txt --ignore-missing +``` +✓ Should show "OK" for the binary file(s) + +--- + +## Windows Verification + +### Prerequisites +1. 
Download and install [Gpg4win](https://gpg4win.org/download.html) +2. After installation, open PowerShell or Command Prompt + +### Verification Steps + +**1. Import Stepan's PGP key:** +```powershell +curl.exe -s https://stepansnigirev.com/ss-specter-release.asc -o stepan-key.asc +gpg --import stepan-key.asc +``` + +**2. Verify the signature of sha256.signed.txt:** +```powershell +gpg --verify sha256.signed.txt +``` +✓ Look for "Good signature from" message + +**3. Verify the hash of the binary:** +```cmd +certutil -hashfile initial_firmware_v.bin SHA256 +certutil -hashfile specter_upgrade_v.bin SHA256 +``` +Then manually compare the outputs with the hashes in sha256.signed.txt. They need to be the same. + diff --git a/docs/quickstart.md b/docs/quickstart.md index 441e54d..1a1067d 100644 --- a/docs/quickstart.md +++ b/docs/quickstart.md 
@@ -7,8 +7,7 @@ With the secure bootloader initial installation of the firmware is slightly diff **Note** If you don't want to use binaries from the releases check out the [bootloader documentation](https://github.com/cryptoadvance/specter-bootloader/blob/master/doc/selfsigned.md) that explains how to compile and configure it to use your public keys instead of ours. - If you are upgrading from versions below `1.4.0` or uploading the firmware for the first time, use the `initial_firmware_.bin` from the [releases](https://github.com/cryptoadvance/specter-diy/releases) page. - - Verify the signature of the `sha256.signed.txt` file against [Stepan's PGP key](https://stepansnigirev.com/ss-specter-release.asc) - - Verify the hash of the `initial_firmware_.bin` against the hash stored in the `sha256.signed.txt` + - Verify the [integrity of the downloaded binaries](./binary_verification.md) against the hash in `sha256.signed.txt` and against [Stepan's PGP key](https://stepansnigirev.com/ss-specter-release.asc) - If you are upgrading from an empty bootloader or you see the bootloader error message that firmware is not valid, check out the next section - [Flashing signed Specter firmware](#flashing-signed-specter-firmware). - Make sure the [power jumper](./assembly.md) of your discovery board is at STLK position - Connect the discovery board to your computer via the **miniUSB** cable on the top of the board.
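Review bot: In docs/binary_verification.md, step 1 on all three platforms imports the key directly from `https://stepansnigirev.com/ss-specter-release.asc`, and step 2 only asks the reader to look for "Good signature from", so the check passes for whichever key that URL served at download time. Consider stating the expected key fingerprint in the guide and adding a step that compares it with the output of `gpg --fingerprint` before the signature is trusted. Steps 2 and 3 also read the same `sha256.signed.txt`: if that file is clearsigned, `gpg --verify` covers only the signed block, so it would be safer to have the hash check read the verified text (for example written out with gpg's `--output` option) than the raw file. The Windows step 3 relies on a manual comparison, which deserves a reminder to compare the full hash and not just its first and last characters.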
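Review bot: In docs/quickstart.md, the new bullet "Verify the integrity of the downloaded binaries against the hash in `sha256.signed.txt` and against Stepan's PGP key" folds two separate checks into one sentence and reads as if the binary itself were checked against the PGP key. The two removed bullets kept the order explicit; suggest wording that preserves it: first verify the signature on `sha256.signed.txt` with the key, then verify the binary's hash against that file, and point to binary_verification.md for the commands.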