Skip to content

Commit

Permalink
Merge pull request #56 from HorizenOfficial/release/v1.2.10-beta
Browse files Browse the repository at this point in the history
Release desktop-v1.2.10-beta:
  • Loading branch information
cronicc authored Apr 7, 2021
2 parents 258d445 + 3d021e0 commit 263e931
Show file tree
Hide file tree
Showing 3 changed files with 171 additions and 1 deletion.
7 changes: 7 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
## [1.2.10-beta](https://github.com/HorizenOfficial/Sphere_by_Horizen/releases/tag/desktop-v1.2.10-beta)
### Changed
- Upgraded the bundled Zend to 2.0.23
### Bugfix
- Fix withdraw password check on batch withdraw
- Fix password strength help text on login dialog

## [1.2.9-beta](https://github.com/HorizenOfficial/Sphere_by_Horizen/releases/tag/desktop-v1.2.9-beta)
### Changed
- Security fix
Expand Down
5 changes: 4 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@

**Please follow the upgrade guides for [Windows](https://horizenofficial.atlassian.net/wiki/spaces/ZEN/pages/1136263172/Sphere+by+Horizen+-+Upgrade+Restore+Windows) or [macOS](https://horizenofficial.atlassian.net/wiki/spaces/ZEN/pages/714309893/Sphere+by+Horizen+-+Upgrade+Restore+Mac+Linux).**

**Latest Version:** [v1.2.9-beta](https://github.com/HorizenOfficial/Sphere_by_Horizen/releases/tag/desktop-v1.2.9-beta)
**Latest Version:** [v1.2.10-beta](https://github.com/HorizenOfficial/Sphere_by_Horizen/releases/tag/desktop-v1.2.10-beta)

For a list of changes implemented in this version, please view the [changelog](CHANGELOG.md).

Expand Down Expand Up @@ -54,6 +54,9 @@ Sphere by Horizen is envisioned as a launching point for Horizen services. The [

* Due to the size of the blockchain at this point we would recommend keeping a minimum of 30GB of storage space free. This requirement will increase over time with blockchain growth.

## Verifying authenticity of installer files
* It is highly recommended to verify the authenticty of the downloaded files before installing them by checking the PGP signatures. Alternatively you can verify the file integrity by calculating the checksums. You may do so by following the instructions provided [here](https://github.com/HorizenOfficial/Sphere_by_Horizen/blob/desktop-v1.2.10-beta/VERIFY_AUTHENTICITY.md).

## Installation instructions

* All installers are available here [https://github.com/HorizenOfficial/Sphere_by_Horizen/releases/latest](https://github.com/HorizenOfficial/Sphere_by_Horizen/releases/latest)
Expand Down
160 changes: 160 additions & 0 deletions VERIFY_AUTHENTICITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,160 @@
# Verifying Installer Files

It is highly recommended to verify the authenticty of the downloaded files before installing them by checking the PGP signatures. Alternatively you can verify the file integrity by calculating the checksums. You may do so by following the instructions provided here.

## Windows
### Verify File Authenticity
1. Download Sphere_by_Horizen-1.2.10-beta.exe and Sphere_by_Horizen-1.2.10-beta.exe.asc and store the files in your Downloads folder.
2. Download the GNUPG package from https://www.gpg4win.org/get-gpg4win.html
3. Proceed with the installation and launch Kleopatra.
4. Unless you already have a personal GPG key, you will have to create one (required for step 6):
- Select the menu item File -> New keypair -> Create a personal OpenPGP key pair.
- Enter a name and an email address that suit you personally.
- Choose a passphrase to protect your personal key (NOTE: the passphrase can be empty, but it is not recommended if you intend to use GNUPG in future).
5. Import the key used to sign releases:
- File -> Lookup on Server
- Allow network access to 'dirmngr', if the prompt arises
- Search for [email protected]
- Select and import the key
- Do not certify the key just yet
- Right-click on the key, and choose "Details"
- Ensure that the fingerprint is 219F 5574 0BBF 7A1C E368 BA45 FB70 53CE 4991 B669
- If it's not, the wrong key was imported, right click and delete
- If it is, we are good to go
6. Certify the key (this designates trust and is required for the next step):
- Once you have a personal GPG key, right-click on the imported key and choose Certify
- Enable the user ID
- Tick the I have verified the fingerprint checkbox (since you did, as per step 5), and proceed.
- You should receive a message saying Certification successful
7. Verify the installer binary:
- Click the Decrypt/Verify button on the Kleopatra toolbar
- Choose the Downloads\Sphere_by_Horizen-1.2.10-beta.exe file in the file dialog (the .asc signature file must reside in the same directory)
8. If the verification is successful, you will receive a green-tinted message box saying:
- Valid signature by [email protected]
- Date of signature
- With certificate 219F 5574 0BBF 7A1C E368 BA45 FB70 53CE 4991 B669
- Anything else would constitute a signature verification failure.
### Verify File Integrity
1. Download Sphere_by_Horizen-1.2.10-beta.exe and Sphere_by_Horizen-1.2.10-beta.exe.sha256 and store the files in your Downloads folder
2. Open a PowerShell window
3. Verify the checksums by copy/pasting the following commands:
```
cd ~\Downloads
$targetHash = (Get-Content -Path Sphere_by_Horizen-1.2.10-beta.exe.sha256 -Delimiter " ")[0].Trim()
$fileName = (Get-Content -Path Sphere_by_Horizen-1.2.10-beta.exe.sha256 -Delimiter " ")[2].Trim()
if ($(certutil -hashfile $fileName SHA256)[1] -replace " ","" -eq $targetHash) {
Write-Host $fileName": OK"
} else {
Write-Host $fileName": FAILED`nWARNING: 1 computed checksum did NOT match"
}
```
4. The output of the command should equal:
```
Sphere_by_Horizen-1.2.10-beta.exe: OK
```

## MacOS
### Verify File Authenticity
1. Download Sphere_by_Horizen-1.2.10-beta.dmg and Sphere_by_Horizen-1.2.10-beta.dmg.asc and store the files in your Downloads folder.
2. If you already have the GPG Suite installed, and a personal key generated, please skip to step 5, and if not, proceed with the next step.
3. Go to https://gpgtools.org, head to the GPG Suite section, download the .dmg file and install it:
- Right-click the .dmg file, then Open, which will open a new window with two icons: Install and Uninstall
- Right-click the Install icon, and choose Open with.. -> Installer, which should start the GPG Suite installer
- Follow through the installation wizard
4. Once GPG Suite installation completes, it will ask you to create a new key pair (this is required for step 6, so please don’t skip it):
- Enter a name and an email that suit you personally.
- Choose a passphrase to protect your personal key (NOTE: the passphrase can be empty, but it is not recommended if you intend to use this key and GPG Suite in future).
5. Import the key used to sign releases:
- Select Key -> Lookup Key on Key Server in the application menu
- Search for [email protected]
- Choose the key with fingerprint 4991B669 with the user ID "cronic <[email protected]>", then click Retrieve Key
- Verify (right-click the imported key, then Details) that the fingerprint of the imported key is 219F 5574 0BBF 7A1C E368 BA45 FB70 53CE 4991 B669
- If it’s not, the wrong key was imported, right-click and delete
- If it is, we are good to proceed with the next step.
6. Sign the imported key (this designates trust and is required for the next step):
- Right-click on the imported key, then "Sign".
7. Verify the installer binary:
- Right-click the Sphere_by_Horizen-1.2.10-beta.dmg file in Finder (do NOT right click on the .asc file, that will not work), then select Services -> OpenPGP: Verify Signature of File (the .asc signature file must reside in the same directory)
- The Verification Results dialog will then appear with the verdict:
```
Trusted signature
cronic <[email protected]>
219F 5574 0BBF 7A1C E368 BA45 FB70 53CE 4991 B669
```
- Anything different means there was no valid signature for the installer.
### Verify File Integrity
1. Download Sphere_by_Horizen-1.2.10-beta.dmg and Sphere_by_Horizen-1.2.10-beta.dmg.sha256 and store the files in your Downloads folder
2. Open a Terminal window
3. Verify the checksums by copy/pasting the following command:
```
cd ~/Downloads \
&& shasum -a256 -c Sphere_by_Horizen-1.2.10-beta.dmg.sha256
```
4. The output of the command should equal:
```
Sphere_by_Horizen-1.2.10-beta.dmg: OK
```

## Linux
### Verify File Authenticity
1. Download Sphere_by_Horizen-1.2.10-beta.deb and Sphere_by_Horizen-1.2.10-beta.deb.asc and store the files in your Downloads folder for Debian based systems, or Sphere_by_Horizen-1.2.10-beta.AppImage and Sphere_by_Horizen-1.2.10-beta.AppImage.asc and store the files in your Downloads folder for all other Linux systems.
2. Ensure that the gpg2 command is available (assuming Ubuntu Linux) in your shell, and if not execute the following shell command:
```
sudo apt-get update \
&& sudo apt-get install gnupg2 dirmngr
```
3. Unless you already have a personal GPG key, create one (this is required for step 5):
```
gpg2 --generate-key
```
- Supply a user ID (real name and email) that suit you personally
- Choose a passphrase to protect your personal key (NOTE: the passphrase can be empty, but it is not recommended if you intend to use this key and GNUPG in future)
4. Import the key used to sign releases:
```
gpg2 --keyserver hkp://pool.sks-keyservers.net --recv-keys 219F55740BBF7A1CE368BA45FB7053CE4991B669
```
- The output of the command should show:
```
gpg: key FB7053CE4991B669: public key "cronic <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
```
5. Sign the key (this designates trust and is required for the next step):
```
gpg2 --lsign 219F55740BBF7A1CE368BA45FB7053CE4991B669
```
6. Verify the installer binary using the .asc signature (the .asc signature file must reside in the same directory as the installer binary):
```
cd ~/Downloads \
&& gpg2 --verify Sphere_by_Horizen-1.2.10-beta.*.asc
```
- Successful verification should produce a message like follows:
```
gpg: assuming signed data in 'Sphere_by_Horizen-1.2.10-beta.{extension}'
gpg: Signature made Fri Apr 2 14:10:01 2021 UTC
gpg: using RSA key FB7053CE4991B669
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2023-04-06
gpg: Good signature from "cronic <[email protected]>" [full]
gpg: aka "cronic <[email protected]>" [full]
gpg: aka "cronic <[email protected]>" [full]
gpg: aka "cronic <[email protected]>" [full]
```
### Verify File Integrity
1. Download Sphere_by_Horizen-1.2.10-beta.deb and Sphere_by_Horizen-1.2.10-beta.deb.sha256 and store the files in your Downloads folder for Debian based systems, or Sphere_by_Horizen-1.2.10-beta.AppImage and Sphere_by_Horizen-1.2.10-beta.AppImage.sha256 and store the files in your Downloads folder for all other Linux systems.
2. Open a Terminal window
3. Verify the checksums by copy/pasting the following command:
```
cd ~/Downloads \
&& sha256sum -c Sphere_by_Horizen-1.2.10-beta.*.sha256
```
4. The output of the command should equal:
```
Sphere_by_Horizen-1.2.10-beta.{extension}: OK
```

0 comments on commit 263e931

Please sign in to comment.