add verification steps to README

Useful comprehensive guides: - https://www.reddit.com/r/Bitcoin/wiki/verifying_bitcoin_core - https://bitcoincore.org/en/download/ - https://bitcoin.stackexchange.com/questions/50185/how-to-verify-bitcoin-core-release-signing-keys - https://www.getmonero.org/resources/user-guides/verification-allos-advanced.html - https://docs.wasabiwallet.io/using-wasabi/InstallPackage.html - https://help.ubuntu.com/community/HowToSHA256SUM Re: - kyokan#436 - kyokan#280 - kyokan#478 (comment) - kyokan#214 This new section could be linked/included into release tags. [ci skip]
handshake-enthusiast · Feb 19, 2023 · 502f87c · 502f87c
1 parent 2c4c376
commit 502f87c
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -24,6 +24,26 @@ For macOS users, Bob is also available through the [Homebrew](https://github.com
 brew install kyokan-bob
 ```
 
+### Verify downloaded binaries
+
+1. Download a _SHA256SUMS.asc_ file included into the release
+2. Paste the file's content into https://keybase.io/verify and click "Verify"
+3. Make sure the file's signer is a trusted signer mentioned in [SECURITY.md](SECURITY.md#trusted-pgp-keys)
+4. Compare a checksum of a downloaded Bob Wallet app file:
+```
+# Linux
+sha256sum Bob-2.0.0.AppImage
+
+# Windows
+certUtil -hashfile Bob-2.0.0.msi SHA256
+
+# macOS
+shasum -a 256 Bob-2.0.0-x86.dmg
+shasum -a 256 bob-2.0.0-arm64.dmg
+```
+
+For more details and more advanced PGP signature verification see https://github.com/kyokan/bob-wallet/pull/607.
+
 ## Uninstall
 
 Bob Wallet can be uninstalled from your OS apps list. This _does not_ delete any blockchain and wallet data.
@@ -145,7 +165,7 @@ Please report issues using Github issues on this repo. Please file bugs with the
 
 ### Security Issues
 
-Please don't report security issues on GitHub. Instead, send an e-mail to dtsui [at] kyokan [dot] io (`4096R/395CD3B2`) describing your issue.
+See [SECURITY.md](SECURITY.md#reporting-a-vulnerability).
 
 ## License
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,29 @@
+# Security Policy
+
+## Supported Versions
+
+Please see [Releases](https://github.com/kyokan/bob-wallet/releases).  
+We recommend using the [most recently released version](https://github.com/kyokan/bob-wallet/releases/latest).
+
+## Reporting a Vulnerability
+
+Please don't report security issues on GitHub. Instead, send an e-mail to dtsui [at] kyokan [dot] io (`4096R/395CD3B2`) describing your issue.
+
+## Trusted PGP keys
+
+The following keys may be used to sign release binaries:
+
+| Name                                                             | Fingerprint                              | Full Key                        |
+|------------------------------------------------------------------|------------------------------------------|---------------------------------|
+| Matthew Slipper ([@mslipper](https://github.com/mslipper))       | 35C01D01A57FA04D9F2FF89DCB951614D58D3841 | https://keybase.io/mslipper     |
+| Rithvik Vibhu ([@rithvikvibhu](https://github.com/rithvikvibhu)) | 0393D7636C08EFA8A781F9CDE85101DF1682E27F | https://keybase.io/rithvikvibhu |
+
+You can also import a key by running the following command with an individual’s fingerprint:
+
+`gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "<fingerprint>"`
+
+To import the full set:
+```
+gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "35C01D01A57FA04D9F2FF89DCB951614D58D3841"
+gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "0393D7636C08EFA8A781F9CDE85101DF1682E27F"
+```