Verify and print protocol document
The Setup Protocol is used to prepare hardware, and download and verify needed software & documentation.
The first thing we need to do is verify the integrity of the CryptoGlacier protocol document (the one you are reading) to ensure that it has not been tampered with. After verifying the document, we’ll print a hardcopy.
Printing is important, because a verified electronic copy will not be accessible at all times during protocol execution due to reboots and other changes to the computing environment. Printing a hardcopy ensures there is always a verified copy of the document available.
Each signatory will need to do the following:
- Find a computer which has Internet access, printer access, and which you have permission to install new software on. We’ll refer to this computer as the “SETUP 1” computer.
- Review the errata for the version of Glacier you are using at https://github.com/vogelito/CryptoGlacierProtocol/releases.
- Download the latest full release of CryptoGlacier (not just the protocol document) at https://github.com/vogelito/CryptoGlacierProtocol/releases.
- If your browser does not automatically extract the ZIP file contents into a folder within your downloads directory, do so.
- Rename the folder to “cryptoglacier”.
- If you have used CryptoGlacier before, and you know you have the CryptoGlacier public key imported into a local GPG keyring, skip the next step. (If you don’t know, that’s fine; proceed as normal.)
- Obtain the CryptoGlacier “public key,” used to cryptographically verify the protocol document.
If you are ever using CryptoGlacier in the future and notice that this step has changed (or that this warning has been removed), there is a security risk. Stop and seek assistance.
- Access CryptoGlacier’s Keybase profile at https://keybase.io/vogelito.
- Click the string of letters and numbers next to the key icon.
- In the pop-up that appears, locate the link reading “this key”.
- Right-click the link and select “Save Link As…” or “Download Linked File As…”
- Name the file “cryptoglacier.asc”.
- Download and install GnuPG, the software we’ll use for doing the cryptographic verification. See tech details.
- Open a terminal window:
- Windows: Press Windows-R, type “powershell” and click OK.
- macOS: Click the Spotlight (magnifying glass) icon in the menu bar, and type “terminal”. Select the Terminal application from the search results.
- Linux: Varies; on Ubuntu, press Ctrl-Alt-T.
- Change the terminal window’s active folder to your downloads folder. The commands below are based on common default settings; if your downloads folder is in a different place, you will need to customize this command.
- Windows:
> cd $HOME/Downloads/cryptoglacier
- macOS:
$ cd $HOME/Downloads/cryptoglacier
- Linux:
$ cd $HOME/Downloads/cryptoglacier
- Verify the integrity of the downloaded document.
- Import the CryptoGlacier public key into your local GPG installation:
$ gpg --import $HOME/Downloads/cryptoglacier.asc
- Use the public key to verify that the Glacier “fingerprint file” is legitimate:
$ gpg --verify SHA256SUMS.sig SHA256SUMS
Expected output (timestamp will vary, but e-mail and fingerprint should match):
gpg: Signature made Thu Jun 20 18:01:31 2019 CDT
gpg: using RSA key 3378240146B53C307FBA4B0D97F10485CCBACA30
gpg: Good signature from "Daniel Vogel <vogel@bitso.com>" [unknown]
gpg: aka "Daniel Vogel <dvogel@cs.stanford.edu>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3378 2401 46B5 3C30 7FBA 4B0D 97F1 0485 CCBA CA30
The warning message is expected, and is not cause for alarm.
- Verify the fingerprints in the fingerprint file match the fingerprints of the downloaded Glacier files.
- On Linux or Mac:
Linux:
$ sha256sum -c SHA256SUMS 2>&1
Mac:
$ shasum -a 256 -c SHA256SUMS 2>&1
Expected output:
CryptoGlacier.pdf: OK
README.md: OK
mnemonic_entropy.py: OK
package.json: OK
package-lock.json: OK
setup.js: OK
- On Windows 10:
> Get-FileHash -a sha256 CryptoGlacier.pdf
> cat SHA256SUMS | select-string -pattern "CryptoGlacier.pdf"
Ensure that the hash output from the first command matches the output by the second command. Upper/lower case doesn’t matter.
- If you do not see the expected output, your copy of the document has not been verified. Stop and seek assistance.
- Switch to use the new document.
- Open the version of the document that you just verified.
- Close this window (of the unverified version of the document you had been using).
- Delete the old, unverified copy of the document.
- Print the verified document.
You are strongly encouraged to use the printed copy as a checklist, physically marking off each step as you complete it. This reduces the risk of execution error by ensuring you don’t lose your place.
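
The signature and checksum steps above for Linux and macOS, as an added shell example (not part of the CryptoGlacier release): it confirms that the valid signature was made by the key whose fingerprint appears in the expected output, instead of relying on reading the "Good signature" line, and then checks the file hashes. The function names are assumptions of this example; `--status-fd` is GnuPG's machine-readable status output.

```shell
#!/bin/sh
# Added example, not CryptoGlacier code. The fingerprint is the one shown in
# the page's expected gpg output; function names are assumptions.
EXPECTED_FPR=3378240146B53C307FBA4B0D97F10485CCBACA30

# stdin:  output of `gpg --status-fd 1 --verify ...`
# stdout: primary-key fingerprint of every valid signature
#         (the last field of a VALIDSIG status line)
valid_signers() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($NF) }'
}

# True only if a valid signature was made by the pinned key. A "Good
# signature" from any other key in the keyring does not pass.
signed_by_pinned_key() {
    valid_signers | grep -qx "$EXPECTED_FPR"
}

# Check every file listed in SHA256SUMS (sha256sum on Linux, shasum on macOS).
check_sums() {
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$1" && sha256sum -c SHA256SUMS)
    else
        (cd "$1" && shasum -a 256 -c SHA256SUMS)
    fi
}

# Full check of an extracted release folder: signature, signer, then hashes.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$1/SHA256SUMS.sig" "$1/SHA256SUMS" 2>/dev/null) || {
        echo "FAIL: signature did not verify" >&2; return 1; }
    printf '%s\n' "$status" | signed_by_pinned_key || {
        echo "FAIL: not signed by $EXPECTED_FPR" >&2; return 1; }
    check_sums "$1" || { echo "FAIL: file hash mismatch" >&2; return 1; }
    echo "OK: release verified"
}

# Run only when given the release folder, e.g. $HOME/Downloads/cryptoglacier
if [ -d "${1:-}" ]; then
    verify_release "$1"
fi
```

Saved under a name of your choice, it takes the extracted release folder as its only argument and still requires the key import step to have been done.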