Skip to content

Documentation update: Elaborated on how to verify binaries #344

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
maggo83 wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Documentation update: Elaborated on how to verify binaries #344

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ac1b3e3
Elaborated on how to verify binaries
maggo83 Feb 17, 2026
fd0e76c
Simplified Win verification
maggo83 Feb 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
97 changes: 97 additions & 0 deletions docs/binary_verification.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
# Verifying the released binaries

This guide explains how to verify the integrity of Specter firmware binaries on the command line of your OS.

## Files needed to verify
- `initial_firmware_v<version>.bin` - Binary with secure bootloader. Use for upgrading from versions below 1.4.0 or first-time upload
- `specter_upgrade_v<version>.bin` - For regular upgrades (after you have once done a first-time upload)
- `sha256.signed.txt` - Contains the expected hashes of the binaries, which are signed by the specter team

> **Note:** Replace `<version>` with your actual firmware version (e.g., 1.9.0)

Download these files for the release you want to use from the Specter DIY repository: https://github.com/cryptoadvance/specter-diy/releases

## Linux Verification

### Prerequisites
```bash
# GPG is usually pre-installed. If not:
sudo apt-get install gnupg # Debian/Ubuntu
sudo dnf install gnupg2 # Fedora
```

### Verification Steps

**1. Import Stepan's PGP key:**
```bash
curl -s https://stepansnigirev.com/ss-specter-release.asc | gpg --import
```

**2. Verify the signature of sha256.signed.txt:**
```bash
gpg --verify sha256.signed.txt
```
✓ Look for "Good signature from" message

**3. Verify the hash of the binary:**
```bash
sha256sum -c sha256.signed.txt --ignore-missing
```
✓ Should show "OK" for the binary file(s)

## macOS Verification

### Prerequisites
```bash
# Install GPG via Homebrew
brew install gnupg
```

### Verification Steps

**1. Import Stepan's PGP key:**
```bash
curl -s https://stepansnigirev.com/ss-specter-release.asc | gpg --import
```

**2. Verify the signature of sha256.signed.txt:**
```bash
gpg --verify sha256.signed.txt
```
✓ Look for "Good signature from" message

**3. Verify the hash of the binary:**
```bash
shasum -a 256 -c sha256.signed.txt --ignore-missing
```
✓ Should show "OK" for the binary file(s)

---

## Windows Verification

### Prerequisites
1. Download and install [Gpg4win](https://gpg4win.org/download.html)
2. After installation, open PowerShell or Command Prompt

### Verification Steps

**1. Import Stepan's PGP key:**
```powershell
curl.exe -s https://stepansnigirev.com/ss-specter-release.asc -o stepan-key.asc
gpg --import stepan-key.asc
```

**2. Verify the signature of sha256.signed.txt:**
```powershell
gpg --verify sha256.signed.txt
```
✓ Look for "Good signature from" message

**3. Verify the hash of the binary:**
```cmd
certutil -hashfile initial_firmware_v<version>.bin SHA256
certutil -hashfile specter_upgrade_v<version>.bin SHA256
```
Then manually compare the outputs with the hashes in sha256.signed.txt. They need to be the same.

3 changes: 1 addition & 2 deletions docs/quickstart.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,7 @@ With the secure bootloader initial installation of the firmware is slightly diff
**Note** If you don't want to use binaries from the releases check out the [bootloader documentation](https://github.com/cryptoadvance/specter-bootloader/blob/master/doc/selfsigned.md) that explains how to compile and configure it to use your public keys instead of ours.

- If you are upgrading from versions below `1.4.0` or uploading the firmware for the first time, use the `initial_firmware_<version>.bin` from the [releases](https://github.com/cryptoadvance/specter-diy/releases) page.
- Verify the signature of the `sha256.signed.txt` file against [Stepan's PGP key](https://stepansnigirev.com/ss-specter-release.asc)
- Verify the hash of the `initial_firmware_<version>.bin` against the hash stored in the `sha256.signed.txt`
- Verify the [integrity of the downloaded binaries](./binary_verification.md) against the hash in `sha256.signed.txt` and against [Stepan's PGP key](https://stepansnigirev.com/ss-specter-release.asc)
- If you are upgrading from an empty bootloader or you see the bootloader error message that firmware is not valid, check out the next section - [Flashing signed Specter firmware](#flashing-signed-specter-firmware).
- Make sure the [power jumper](./assembly.md) of your discovery board is at STLK position
- Connect the discovery board to your computer via the **miniUSB** cable on the top of the board.
Expand Down
Loading