Verifying Binaries

Overview

What is a binary?

Binaries are often the most convenient method for users to install software.

A binary is a machine-language formatted file that a computer can read and execute. Programmers usually don’t write software in machine-language. Instead, they write code in human-readable programming languages like Go, JavaScript, C, or Python, known as source code. Advanced users and programmers can compile the source code to create an executable binary.

For non-programmers who don’t want to download compilers to run software, they can simply download a pre-compiled binary executable. This binary file has been compiled from the source code into a stand-alone program by someone else.

The Importance of Verifying Binaries Before Execution

It’s crucial not to blindly trust a binary’s safety, even when downloaded from a reputable website.

Running a binary compiled by someone else means placing trust in the compiler. This has inherent risks, as binary code isn’t human-readable, making it impossible to know if the binary was compiled from the actual source code or if the source code was tampered with by an attacker.

Imagine an attacker creating malware disguised as an ExchangeCoin binary. They could attempt to deceive you into running their malware through fake download locations, phishing, or a Man-in-the-middle attack. Even when downloading from a trusted source (like GitHub), an attacker might intercept and replace the download with malware. Running the binary without verification exposes you to security risks.

To safeguard yourself, always confirm that the binary is genuine ExchangeCoin software.

How to Ensure a Binary Hasn’t Been Tampered With?

The core concept of file verification is based on hashing. The ExchangeCoin project enhances this by using GnuPG to sign their hashes, ensuring that the files originate from ExchangeCoin.

When the ExchangeCoin project compiles source code into binaries, each binary is hashed using SHA-256. The hashes are stored in a manifest.txt file, which is then signed using ExchangeCoin’s public GnuPG key, creating a unique signature file, manifest.txt.asc.

To confirm that your downloaded binary matches the ExchangeCoin project’s binary release, follow these steps:

Verify the manifest is directly signed by the ExchangeCoin project: Download the manifest.txt and signature manifest.txt.asc. Use GnuPG to check the signature against the public ExchangeCoin release signing key.
SUCCESS: Matching signatures indicate that the manifest is from the ExchangeCoin project, and the hashes within it are reliable.
FAIL: Mismatched signatures mean your manifest isn’t the official ExchangeCoin project manifest. Do not proceed, delete the files, and address any security issues before trying again.
Verify the binary hash aligns with the manifest hash: Hash your downloaded binary and ensure its hash corresponds with the hash in the ExchangeCoin project’s manifest.txt.
SUCCESS: If your hash matches the manifest’s hash, you can trust and run the binary.
FAIL: If your hash doesn’t match, your binary doesn’t correspond with the ExchangeCoin project’s official binary release. Do not proceed, delete the binary, and address any security issues before trying again.

Detailed Instructions

Preliminary Steps

First, go to the ExchangeCoin releases page and download:

The binary installer for your specific OS / architecture
The file manifest and hashes, ending in -manifest.txt
The signature for the manifest, ending in -manifest.txt.asc

Also, make sure GnuPG is installed:

On Windows, install GnuPG with the latest version of gpg4win.
On macOS, install GnuPG with the latest version of GPGTools.
On Linux, GnuPG is installed by default.

With GnuPG installed, the following instructions will work from any terminal on Windows, macOS, or Linux/UNIX

Add the ExchangeCoin project’s release public keys to your GnuPG keyring

You only need to do this step one time, so you can skip this step when verifying later releases on the same computer.

There are several ways to import the ExchangeCoin release public keys into GnuPG. The most direct method is to use the ASCII Key Block below:

ExchangeCoin Team PGP ASCII Key Block (click to expand)

Simply copy that entire text, save it as key.txt, and open a terminal.

In the terminal, use the cd command to navigate to the directory path where you’ve saved key.txt. Then use the gpg --import command.

(Note that Windows uses \ for directory paths, but Linux/macOS use /)

$ cd /path/to/the/key
$ gpg --import < key.txt

You can then delete key.txt.

You could also skip the entire “save it as a file” step and just type gpg --import, press enter so you’re on a new line, then paste the raw text of the key block directly into your terminal. enter again for a new line, Ctrl + Z and enter on Windows or Ctrl + D on Linux, and you’re done.

Example output:

gpg: key 9AEB846958227764: "ExchangeCoin Team (The Official ExchangeCoin Team PGP Key) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Just to confirm, you can check if the ExchangeCoin release public keys are on your GnuPG keyring:

$ gpg --list-keys [email protected]

Example output:

pub   rsa4096 2023-04-07 [SC]
      9DD10FAFB2A53E14BEF1B10D9AEB846958227764
uid           [ultimate] ExchangeCoin Team (The Official ExchangeCoin Team PGP Key) <[email protected]>
sub   rsa4096 2023-04-07 [E]

Verify that the manifest was directly signed by the ExchangeCoin project

If you have the ExchangeCoin project’s release public keys on your GnuPG keyring, you can verify if the signature for the manifest was created by the ExchangeCoin release signing key. In a terminal, navigate to where you saved both the manifest.txt and the manifest.txt.asc. Then ask GnuPG to verify the signed manifest, like so:

$ gpg --verify <your manifest.txt.asc file>

For example, if you wanted to verify exilibrium-v1.7.6-manifest.txt.asc:

$ gpg --verify exilibrium-v1.7.6-manifest.txt.asc

Example output:

gpg: Signature made Wed 19 Apr 2023 09:19:22 AM CEST
gpg:                using RSA key 9DD10FAFB2A53E14BEF1B10D9AEB846958227764
gpg: Good signature from "ExchangeCoin Team (The Official ExchangeCoin Team PGP Key) <[email protected]>" [ultimate]

If you see Good signature from "ExchangeCoin Team (The Official ExchangeCoin Team PGP Key) <[email protected]>, then you’re successful! You can trust that the manifest.txt came directly from the ExchangeCoin project.

The WARNING shown is not a problem. It just means you haven’t told GnuPG that you want to trust ExchangeCoin.

Verify that the binary hash matches the manifest hash

Now that you know you can trust the manifest.txt, open it and view the SHA-256 hashes. Find the row for the binary (or zip of binaries) you’re interested in. The first 64 characters are the “correct” hash from the ExchangeCoin project. You want to check your binary and make sure you get the same hash.

There are many ways to generate a SHA-256 hash, but here are a few:

WindowsmacOSLinux

If you have 7-Zip installed, simply open up Windows Explorer, right click on the binary file, mouseover CRC SHA, then click SHA-256.

In a terminal:

$ certutil -hashfile <your binary file> SHA256

In a terminal:

$ shasum -a 256 <your binary file>

In a terminal:

$ sha256sum <your binary file>

Example output:

7a65be7284486710d7f49f4c5f01381c876eac8686ce324efbe173b165e99bcb  exilibrium-linux-x86_64.AppImage

If your output hash matches the hash from the manifest, you’re done! The binary for your platform is now verified, and you can be confident it was generated by the ExchangeCoin Project. It’s safe to install the software.

Links for further reading

https://gnupg.org/gph/en/manual.html#CONCEPTS

https://alexcabal.com/creating-the-perfect-gpg-keypair