From ac1b3e3eb881758204a4e6232c0c0378e49871e4 Mon Sep 17 00:00:00 2001 From: maggo83 Date: Tue, 17 Feb 2026 11:11:06 +0100 Subject: [PATCH 1/2] Elaborated on how to verify binaries -To be more approachable also for not super technical experts, a step by step guide how to verify the hash and signature of the binaries for releases was added --- docs/binary_verification.md | 103 ++++++++++++++++++++++++++++++++++++ docs/quickstart.md | 3 +- 2 files changed, 104 insertions(+), 2 deletions(-) create mode 100644 docs/binary_verification.md diff --git a/docs/binary_verification.md b/docs/binary_verification.md new file mode 100644 index 00000000..3286e95f --- /dev/null +++ b/docs/binary_verification.md @@ -0,0 +1,103 @@ +# Verifying the released binaries + +This guide explains how to verify the integrity of Specter firmware binaries on the command line of your OS. + +## Files needed to verify +- `initial_firmware_v.bin` - Binary with secure bootloader. Use for upgrading from versions below 1.4.0 or first-time upload +- `specter_upgrade_v.bin` - For regular upgrades (after you have once done a first-time upload) +- `sha256.signed.txt` - Contains the expected hashes of the binaries, which are signed by the specter team + +> **Note:** Replace `` with your actual firmware version (e.g., 1.9.0) + +Download these files for the release you want to use from the Specter DIY repository: https://github.com/cryptoadvance/specter-diy/releases + +## Linux Verification + +### Prerequisites +```bash +# GPG is usually pre-installed. If not: +sudo apt-get install gnupg # Debian/Ubuntu +sudo dnf install gnupg2 # Fedora +``` + +### Verification Steps + +**1. Import Stepan's PGP key:** +```bash +curl -s https://stepansnigirev.com/ss-specter-release.asc | gpg --import +``` + +**2. Verify the signature of sha256.signed.txt:** +```bash +gpg --verify sha256.signed.txt +``` +✓ Look for "Good signature from" message + +**3. Verify the hash of the binary:** +```bash +sha256sum -c sha256.signed.txt --ignore-missing +``` +✓ Should show "OK" for the binary file(s) + +## macOS Verification + +### Prerequisites +```bash +# Install GPG via Homebrew +brew install gnupg +``` + +### Verification Steps + +**1. Import Stepan's PGP key:** +```bash +curl -s https://stepansnigirev.com/ss-specter-release.asc | gpg --import +``` + +**2. Verify the signature of sha256.signed.txt:** +```bash +gpg --verify sha256.signed.txt +``` +✓ Look for "Good signature from" message + +**3. Verify the hash of the binary:** +```bash +shasum -a 256 -c sha256.signed.txt --ignore-missing +``` +✓ Should show "OK" for the binary file(s) + +--- + +## Windows Verification + +### Prerequisites +1. Download and install [Gpg4win](https://gpg4win.org/download.html) +2. After installation, open PowerShell or Command Prompt + +### Verification Steps + +**1. Import Stepan's PGP key:** +```powershell +curl.exe -s https://stepansnigirev.com/ss-specter-release.asc -o stepan-key.asc +gpg --import stepan-key.asc +``` + +**2. Verify the signature of sha256.signed.txt:** +```powershell +gpg --verify sha256.signed.txt +``` +✓ Look for "Good signature from" message + +**3. Verify the hash of the binary:** + +**Option A - Using CertUtil:** +```cmd +certutil -hashfile initial_firmware_v.bin SHA256 +``` +Then manually compare the output with the hash in sha256.signed.txt. They need to be the same. + +**Option B - Using PowerShell:** +```powershell +(Get-FileHash initial_firmware_v.bin -Algorithm SHA256).Hash.ToLower() +``` +Then manually compare the output with the hash in sha256.signed.txt. They need to be the same. diff --git a/docs/quickstart.md b/docs/quickstart.md index 441e54d3..1a1067de 100644 --- a/docs/quickstart.md +++ b/docs/quickstart.md @@ -7,8 +7,7 @@ With the secure bootloader initial installation of the firmware is slightly diff **Note** If you don't want to use binaries from the releases check out the [bootloader documentation](https://github.com/cryptoadvance/specter-bootloader/blob/master/doc/selfsigned.md) that explains how to compile and configure it to use your public keys instead of ours. - If you are upgrading from versions below `1.4.0` or uploading the firmware for the first time, use the `initial_firmware_.bin` from the [releases](https://github.com/cryptoadvance/specter-diy/releases) page. - - Verify the signature of the `sha256.signed.txt` file against [Stepan's PGP key](https://stepansnigirev.com/ss-specter-release.asc) - - Verify the hash of the `initial_firmware_.bin` against the hash stored in the `sha256.signed.txt` + - Verify the [integrity of the downloaded binaries](./binary_verification.md) against the hash in `sha256.signed.txt` and against [Stepan's PGP key](https://stepansnigirev.com/ss-specter-release.asc) - If you are upgrading from an empty bootloader or you see the bootloader error message that firmware is not valid, check out the next section - [Flashing signed Specter firmware](#flashing-signed-specter-firmware). - Make sure the [power jumper](./assembly.md) of your discovery board is at STLK position - Connect the discovery board to your computer via the **miniUSB** cable on the top of the board. From fd0e76ca11c29fd92ed203ff89dcf01cc0dc3f7d Mon Sep 17 00:00:00 2001 From: maggo83 Date: Tue, 17 Feb 2026 11:45:11 +0100 Subject: [PATCH 2/2] Simplified Win verification -every user has cmd and the cmd option works -> keep it simple -added explicitly both binaries to be checked (in Linux/Max this is handled in one command. For win a second call to sha256 is needed) --- docs/binary_verification.md | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/docs/binary_verification.md b/docs/binary_verification.md index 3286e95f..5da28a8b 100644 --- a/docs/binary_verification.md +++ b/docs/binary_verification.md @@ -89,15 +89,9 @@ gpg --verify sha256.signed.txt ✓ Look for "Good signature from" message **3. Verify the hash of the binary:** - -**Option A - Using CertUtil:** ```cmd certutil -hashfile initial_firmware_v.bin SHA256 +certutil -hashfile specter_upgrade_v.bin SHA256 ``` -Then manually compare the output with the hash in sha256.signed.txt. They need to be the same. +Then manually compare the outputs with the hashes in sha256.signed.txt. They need to be the same. -**Option B - Using PowerShell:** -```powershell -(Get-FileHash initial_firmware_v.bin -Algorithm SHA256).Hash.ToLower() -``` -Then manually compare the output with the hash in sha256.signed.txt. They need to be the same.