Don't Trust. Verify Trezor Suite binaries, not just the signature file

Hi Trezor Team,

Great Tutorial online to verify that the signature key matches the signature file using GPG and terminal on Mac.

However, how to verify that the sha256 of the Trezor Suite software file is indeed in the signed hashes file?

Appreciate if you could share the command line prompt

Many thanks

that’s what the gpg verification does.

you can try yourself: delete the Suite executable, keep the signature file, and try to run the verification

thank you for the quick reply.

My understanding is that
downloads gpg --verify Trezor-Suite-23.12.3-mac-x64.dmg.asc
gpg: assuming signed data in ‘Trezor-Suite-23.12.3-mac-x64.dmg’
gpg: Signature made 三 12/20 02:22:26 2023 HKT
gpg: using RSA key EB483B26B078A4AA1B6F425EE21B6950A2ECB65C
gpg: Good signature from “SatoshiLabs 2021 Signing Key” [ultimate]

Tells you that the fingerprint of the signature key satoshilabs-2021-signing-key.asc matches the hash file Trezor-Suite-23.12.3-mac-x64.dmg.asc

But how to verify that the hash file Trezor-Suite-23.12.3-mac-x64.dmg.asc is actually the hash of the software Trezor-Suite-23.12.3-mac-x64.dmg?

Seems to me that we have 3 files but gpg checks the integrity of only two, as I don't see any reference to the executable itself in the command line… first time using terminal so apologies if I am missing something

thank you

That’s not correct.

High-level, what is going on is that a signer (owner of the key “SatoshiLabs 2021”) produced a signature (the .asc file) of some data (contents of .dmg).
The verification command (gpg --verify) ensures that the three pieces of data go together: it was this signer who produced this signature of this data.

The output actually tells you:

Again, you can easily check that this is actually happening. Change the contents of the .dmg file, for instance, download an older Suite and rename it to Trezor-Suite-23.12.3-mac-x64.dmg. The verification will fail, because the data will not match the signature.

thank you for spending the time to educate me on this, I thought the gpg --verify was just checking that the signature was produced by the signer and didn't check the content of .dmg.

Now I understand that gpg --verify ensures that the three pieces of data go together.

Thank you so much