Verifying Trezor Suite binaries / signature – Setup, update Trezor Suite
Trezor is one of the most secure cryptocurrency hardware wallets for your digital assets. Trezor Model One and Trezor Model T are the two most popular models, and you can use them to securely store your Bitcoin, Ethereum and hundreds of other altcoins. While the device is simple to work with, you cannot use it right away. To manage your hardware device, that is, to sign transactions and manage all the cryptocurrencies stored on it, you'll need a software wallet interface.
There are many secure software wallets that support communication with a Trezor device. The two most popular choices are Electrum and Exodus. But the most used, and the one recommended by Trezor, is Trezor's own software interface, known as Trezor Suite.
Trezor Suite is the official app by Trezor, and it provides an easy-to-use interface to manage your Trezor hardware wallet. The application is open source software. It offers greater privacy and gives you complete control over your Trezor device. Moreover, it is available for Windows, Mac and Linux.
You can download Trezor Suite either from the official website or from the GitHub releases page.
Official Website: https://suite.trezor.io/
GitHub Link: https://github.com/trezor/trezor-suite/releases/
Downloading, setting up and using Trezor Suite is fairly simple. But before you install and use the application, it is very important that you verify the signature; that is, you need to verify the Trezor Suite binaries.
In this beginner's guide we'll show you how to verify the PGP signature of the Trezor Suite binaries. But wait, is this really necessary?
Why verify Trezor Suite?
No matter which application you use your Trezor with, whether it is Electrum, Trezor Suite or the closed-source Exodus wallet, you do not need to worry, because your private keys are securely stored on the hardware wallet. They are completely offline and are never revealed to any application you connect to.
As long as the software you are downloading is open source and comes from the official website, you're good to use it without verifying.
The software app is just a UI to manage your hardware device. All it holds is your xPub (extended public key), which is used to view transactions and balances and to form unsigned transactions. The software app cannot access your seed and cannot sign a transaction without the approval of your hardware wallet. Your mnemonic seed is secured by the hardware wallet, and only the hardware device can sign transactions.
So it doesn't really matter much whether you verify Trezor Suite or not, but doing so is good security practice.
Also note that there are many phishing websites and fake applications which can trick users into entering their seed words. For this reason it is better to verify the integrity of the software you download.
By verifying Trezor Suite you are ensuring that the app you've downloaded is genuine and has not been modified by some hacker.
Here is a step-by-step guide to verifying the Trezor Suite signature on Windows, OSX and Linux.
Verify Trezor Suite signature / binaries
Previously we made a guide on verifying Electrum signatures. If you followed that guide, you should already have the application needed to verify PGP signatures.
Basically, we'll need the GPG utility.
For Windows, download Gpg4win: https://www.gpg4win.org/. When installing Gpg4win, make sure you've selected the Kleopatra component, which is what we'll use to verify PGP signatures.
For OSX and Linux, first download and install Homebrew: https://brew.sh/ and then install GPG Suite (no mail): https://formulae.brew.sh/cask/gpg-suite-no-mail. The installation command and instructions are provided on the same page.
Once you have the necessary application installed, start downloading the Trezor Suite files. To verify the Trezor Suite signature you'll need three files: the Trezor Suite installer file, the signature and the signing key.
The installer file, the signature and the signing key are all available on the Trezor Suite download page, under the download button.
They are also available on GitHub:
https://github.com/trezor/trezor-suite/releases/
Make sure you’ve downloaded all three files to the same location.
Note: Trezor Suite binaries are currently signed using the SatoshiLabs 2021 Signing Key, which will change in the future. Also, every time a new version is released, the developers sign the installer files with their key. So whenever you download or update to a new version, you'll have to follow this procedure again to verify the binaries.
For example, if you are downloading Trezor-Suite-21.2.1-win.exe, then along with it download the Trezor-Suite-21.2.1-win.exe.asc file and satoshilabs-2021-signing-key.asc.
Alright! Now that you have all the files, let's verify the application.
How to verify Trezor Suite binaries (Windows)
- Open Kleopatra. Go to Program Files (x86) >> Gpg4win >> bin and open kleopatra.exe.
- In Kleopatra choose File >> Import, browse to the download folder and import satoshilabs-2021-signing-key.asc.
- Optional: You can choose to mark the certificate as valid or leave it as not certified. Even if it is not certified, you can still verify the binaries. If you wish to certify the SatoshiLabs signing key, you'll first need your own OpenPGP certificate. Here is how to create your own certificate and certify a developer's key.
- Once satoshilabs-2021-signing-key.asc is imported, go to File >> Decrypt / Verify. Browse the download folder again and double-click the installer file. In this case it is Trezor-Suite-21.2.1-win.exe.
- Kleopatra will start verifying and show the result in a few seconds.
If you have not certified the SatoshiLabs 2021 Signing Key, you'll get the following result.
Verified 'Trezor-Suite-21.2.1-win.exe' with 'Trezor-Suite-21.2.1-win.exe.asc': The data could not be verified.
Signature created on Wednesday, February 10, 2021 8:20:09 PM
With certificate: SatoshiLabs 2021 Signing Key (E21B 6950 A2EC B65C)
The used key is not certified by you or any trusted person.
Do not worry about the "The data could not be verified" message. Click the audit log tab, and if it says Good signature from "SatoshiLabs 2021 Signing Key", then you are good to install.
If you have certified the SatoshiLabs 2021 Signing Key, you'll get the following result.
It should say valid signature by SatoshiLabs 2021 Signing Key.
Verifying suite downloads (OSX and Linux)
- On Mac OS open a Terminal window. On Linux open a shell prompt.
- In the terminal window or shell prompt type
cd ./Downloads
or navigate to the folder where you have all three downloaded files (Suite installer, signing key and signature).
- Next type
ls
in the terminal window / shell prompt, which should list the downloaded files.
- Then import the SatoshiLabs signing key:
gpg --import satoshilabs-2021-signing-key.asc
- Next verify the signature.
Linux (shell prompt): gpg --verify Trezor-Suite-21.2.1-linux-x86_64.AppImage.asc
Mac (terminal window): gpg --verify Trezor-Suite-21.2.1-mac.dmg.asc
Now the command line should return a positive match stating gpg: Good signature from "SatoshiLabs 2021 Signing Key" [unknown], along with the SatoshiLabs fingerprint: EB48 3B26 B078 A4AA 1B6F 425E E21B 6950 A2EC B65C.
Ignore this warning:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
If the downloaded file has been forged, the signature verification will fail and it should say that the fingerprint does not match.
That's it! You've successfully verified Trezor Suite. Now you are good to install and use the application.
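The same procedure as a script, added here as an example and not part of the original guide or Trezor's own tooling: it imports the key, checks that the imported key really carries the fingerprint quoted above, and then reads gpg's machine-readable status lines so that only a VALIDSIG from that exact fingerprint passes. A "Good signature" alone is not enough, because the user ID text "SatoshiLabs 2021 Signing Key" can be put on any key; pinning the fingerprint is what catches a substituted key, and a tampered file shows up as BADSIG. File names are the ones from the guide; the status lines in the test are constructed. Gpg4win also installs gpg.exe, so the same commands work in a Windows shell in place of the Kleopatra steps.

```shell
#!/bin/sh
# Added example (not Trezor's own tooling): verify a Trezor Suite download the
# way the guide does, but script-driven and pinned to the expected fingerprint.
set -eu

# Fingerprint of the SatoshiLabs 2021 Signing Key as quoted in the guide, without spaces.
EXPECTED_FPR="EB483B26B078A4AA1B6F425EE21B6950A2ECB65C"

# check_gpg_status STATUS_TEXT
# Reads the lines gpg writes with --status-fd and succeeds only if a VALIDSIG
# line names EXPECTED_FPR (field 3 is the signing key, the last field its
# primary key). GOODSIG is not enough: it only carries the user ID text, which
# anyone can put on a key they generate themselves. BADSIG (tampered file) or a
# VALIDSIG from some other fingerprint makes the check fail.
check_gpg_status() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# verify_suite INSTALLER SIGNATURE KEYFILE
# Full procedure: import the key, pin its fingerprint, verify the detached signature.
verify_suite() {
    installer="$1"; signature="$2"; keyfile="$3"
    gpg --batch --import "$keyfile"
    # Fail unless a key with exactly this fingerprint is now in the keyring
    # (--with-colons prints "fpr:::::::::<FINGERPRINT>:" records).
    gpg --batch --with-colons --fingerprint "$EXPECTED_FPR" 2>/dev/null \
        | grep -q "^fpr:.*:${EXPECTED_FPR}:" \
        || { echo "signing key fingerprint does not match the expected one" >&2; return 1; }
    # --status-fd 1 puts the machine-readable lines on stdout; human text stays on stderr.
    status=$(gpg --batch --status-fd 1 --verify "$signature" "$installer" 2>/dev/null || true)
    check_gpg_status "$status"
}

# Usage with the file names from the guide (Linux AppImage):
# verify_suite Trezor-Suite-21.2.1-linux-x86_64.AppImage \
#     Trezor-Suite-21.2.1-linux-x86_64.AppImage.asc satoshilabs-2021-signing-key.asc \
#     && echo "verified: safe to install" || echo "verification FAILED: do not install"
```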
Where did you find SatoshiLabs' fingerprint?