- Visit https://wallet.trezor.io/data/bridge/latest/index.html. For macOS, you download a .pkg file.
- From https://wallet.trezor.io/data/bridge/latest/index.html also download the PGP signature file.
- The SatoshiLabs CTO signs the Bridge releases. Download his PGP key from his Keybase signature: https://keybase.io/stick. This means at least that someone created an account with his identity and bothered to link a specific PGP key. If you retain this key over time, you can be sure that it wasn't recently swapped out. You can find the same PGP key under his identity in various places on the web: https://duckduckgo.com/?q=Pavol+Rusn%C3%A1k+pgp+key&ia=web
- Assuming you placed the .pkg and .pkg.asc files in Downloads, run the gpg command to verify:
$ gpg --verify trezor-bridge-2.0.12.pkg.asc
gpg: assuming signed data in 'trezor-bridge-2.0.12.pkg'
gpg: Signature made Tue Apr 3 10:38:05 2018 CDT using RSA key ID B9A02A3D
gpg: requesting key B9A02A3D from hkps server hkps.pool.sks-keyservers.net
gpg: key B9A02A3D: public key "Pavol Rusnák <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 7 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 7u
gpg: depth: 1 valid: 2 signed: 0 trust: 2-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: Good signature from "Pavol Rusnák <[email protected]>" [unknown]
gpg: aka "Pavol Rusnák <[email protected]>" [unknown]
gpg: aka "Pavol Rusnák <[email protected]>" [unknown]
gpg: aka "[jpeg image of size 2449]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 86E6 792F C27B FD47 8860 C110 91F3 B339 B9A0 2A3D
An error occurs on macOS:
Can't check signature: No public key.
Following the same steps works as intended for verifying the Trezor Suite desktop app download. Therefore, the issue seems likely due to the signing key.

Implementation
gpg --import some_signing_key.asc
gpg --verify some_sig_file.asc some_app_file.pkg
with files from #1 - 3 saved in the same directory.
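
The verification steps above end with "Good signature" from a key gpg fetched by its short ID, and the macOS report ends with "No public key". The script below is an added example (not from the original page or from Trezor) that tells those cases apart by reading gpg's machine-readable status output and comparing it with the full fingerprint printed on this page. The function names and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a release only if the signature is good AND was made
# by the pinned full fingerprint (not just a matching short key ID).

# Primary key fingerprint from the gpg output on this page, spaces removed.
PINNED_FPR="86E6792FC27BFD478860C11091F3B339B9A02A3D"

# check_status PINNED  (reads `gpg --status-fd` lines on stdin)
#   0 = good signature, primary key fingerprint equals PINNED
#   1 = bad/expired/revoked signature, or good signature from another key
#   2 = signing key missing from the keyring ("No public key")
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"  { next }
        $2 == "GOODSIG"   { good = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        # VALIDSIG can accompany EXPKEYSIG or REVKEYSIG, so GOODSIG
        # is required too. Field 12 is the primary key fingerprint.
        $2 == "VALIDSIG" && toupper($12) == toupper(want) { pinned = 1 }
        END {
            if (good && pinned) exit 0
            if (nokey) exit 2
            exit 1
        }'
}

# verify_pinned SIGFILE DATAFILE
# The key must already be imported; automatic keyserver lookup is disabled.
verify_pinned() {
    gpg --batch --no-auto-key-retrieve --status-fd 1 --verify "$1" "$2" \
        2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status output (not captured from a real run) for offline checks.
sample_status_good() {
    printf '%s\n' \
        '[GNUPG:] GOODSIG 91F3B339B9A02A3D constructed-uid' \
        "[GNUPG:] VALIDSIG $PINNED_FPR 2018-04-03 1522769885 0 4 0 1 8 00 $PINNED_FPR"
}
sample_status_nokey() {
    printf '%s\n' \
        '[GNUPG:] ERRSIG 91F3B339B9A02A3D 1 8 00 1522769885 9' \
        '[GNUPG:] NO_PUBKEY 91F3B339B9A02A3D'
}

# Usage: sh verify.sh trezor-bridge-2.0.12.pkg.asc trezor-bridge-2.0.12.pkg
if [ "$#" -eq 2 ]; then verify_pinned "$1" "$2"; fi
```

An exit status of 2 corresponds to the "No public key" case: import the signing key first, then run the check again.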