- Visit https://wallet.trezor.io/data/bridge/latest/index.html. For MacOS, you download a .pkg file.
- From https://wallet.trezor.io/data/bridge/latest/index.html also download the PGP signature file.
- The Satoshi Labs CTO signs the Bridge releases. Download his PGP key from his Keybase signature: https://keybase.io/stick This means at least that someone created an account with his identity and bothered to link a specific PGP key. If you retain this key over time, you can be sure that it wasn't recently swapped out. You can find same PGP under his identity in various places on the web: https://duckduckgo.com/?q=Pavol+Rusn%C3%A1k+pgp+key&ia=web
- Assuming you placed the .pkg and .pkg.asc files in Downloads, run the gpg command to verify:
$ gpg --verify trezor-bridge-2.0.12.pkg.asc
gpg: assuming signed data in 'trezor-bridge-2.0.12.pkg'
gpg: Signature made Tue Apr 3 10:38:05 2018 CDT using RSA key ID B9A02A3D
gpg: requesting key B9A02A3D from hkps server hkps.pool.sks-keyservers.net
gpg: key B9A02A3D: public key "Pavol Rusnák <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 7 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 7u
gpg: depth: 1 valid: 2 signed: 0 trust: 2-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: Good signature from "Pavol Rusnák <[email protected]>" [unknown]
gpg: aka "Pavol Rusnák <[email protected]>" [unknown]
gpg: aka "Pavol Rusnák <[email protected]>" [unknown]
gpg: aka "[jpeg image of size 2449]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 86E6 792F C27B FD47 8860 C110 91F3 B339 B9A0 2A3D
According to Pavol Rusnak, Trezor CTO, "The [Trezor] Bridge is part of the [Trezor] Suite, so users will not have to install the Bridge separately anymore."
Trezor Suite is currently set to launch on 7/14/21.