
sudo gpg/gpg2 public key prompts for password

Open yeru83 opened this issue 3 years ago • 8 comments

Instructions: https://docs.wasabiwallet.io/using-wasabi/InstallPackage.html#macos

So I write the command for my case as: sudo gpg2 --import ~/Downloads/zkSNACKsPubKey.txt

and then: sudo gpg --import ~/Downloads/zkSNACKsPubKey.txt

both of which returned a password prompt, but I could not find that password is mentioned in the instructions.

yeru83 avatar Mar 10 '21 11:03 yeru83

It's asking for your computer admin password, this is because of the sudo command.

BTW, I've no experience with Mac. Does it require admin privileges to import a PGP key?

PulpCattel avatar Mar 10 '21 13:03 PulpCattel

I am not familiar with it either. The dmg package is signed with Apple's method, that is why Gatekeeper is letting you just run the application. If the signature were invalid, you could not run the app - that is why PGP verification is optional.

I am not familiar with how to check it on macOS, but I would try this. I cannot give you further assistance, as I was using only the Windows version of this software.

https://gpgtools.org/

molnard avatar Mar 10 '21 14:03 molnard

Thanks PulpCattel and molnard!

I'm logged in as an admin, and I haven't tried using a non-admin login while importing a PGP key. I could try that tomorrow, or whenever I can log out, without losing work. Today I used GPG Keychain to import a key simply using the [email protected] address, however, I could not figure out what webpage to use to verify that signature, so I left it at ownertrust "unknown" for now.

molnard, as for the dmg package signed with Apple's method, can I ask: What about Electrum--was that a signed dmg? Or was that another case of user error, installing from a prompt which led to a patch not on the electrum.org?

https://www.reddit.com/r/CryptoCurrency/comments/lz3cp8/bitcoin_btc_wallet_electrum_fake_macos_app_steals/

Back to the Terminal, yes, my main admin password did work:

Mac-mini:~ Teddy$ sudo gpg2 --import ~/Downloads/zkSNACKsPubKey.txt
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
gpg: WARNING: unsafe ownership on homedir '/Volumes/Data 1 10.13/Users/Teddy/.gnupg'
gpg: key 856348328949861E: 3 signatures not checked due to missing keys
gpg: key 856348328949861E: public key "zkSNACKs [email protected]" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-07-21
Mac-mini:~ Teddy$

I have no clue yet why "unsafe ownership" because I installed the .gnupg file while logged in;

Also, the "3 signatures not checked" error confuses me.

Any macOS questions -- just let me know, I'll do my best to answer. As best I know, Apple controls the security quite well for those apps downloaded from the App Store. When apps come from other places, user needs to approve the install manually in the Settings/Privacy of the MacOS, and unless there's something I missed, that process doesn't seem to check signatures; it simply prompts the user to be careful to only download from "good" sites --and leaves it up to the user to figure it out. Apple does encourage most users to just use the Apple Store.

So that's why all these command-line procedures can be fairly unfamiliar.

yeru83 avatar Mar 10 '21 20:03 yeru83

Specific Info on Apple's verification setup:

This morning I checked the keys on another app, and now when I went to open it, MacOS spent about 10 seconds "verifying" it (app is around 180mb in size) and threw up the dialog box:

[...] is an app downloaded from the Internet. Are you sure you want to open it? Firefox downloaded this file today at 10:07 AM from [url]. Apple checked it for malicious software and none was detected. Cancel//Show Web Page//Open

^ those are the 3 button choices. "Show Web Page" didn't succeed in this case. There's also an info "?" button, leading to a page in the user guide with basic tips to avoid malware; clicking a link in that leads to:

Protect your Mac from malware

macOS has many features that help protect your Mac and your personal information from malicious software, or malware. One common way malware is distributed is by embedding it in a harmless-looking app.

You can reduce this risk by using software only from reliable sources. The settings in Security & Privacy preferences allow you to specify the sources of software installed on your Mac.

On your Mac, choose Apple menu > System Preferences, click Security & Privacy, then click General.

Open the General pane for me

Click the lock icon to unlock it, then enter an administrator name and password.

Select the sources from which you’ll allow software to be installed:

App Store: Allows apps only from the Mac App Store. This is the most secure setting. All the developers of apps in the Mac App Store are identified by Apple, and each app is reviewed before it’s accepted. macOS checks the app before it opens the first time to be certain it hasn’t been modified since the developer shipped it. If there’s ever a problem with an app, Apple removes it from the Mac App Store.

App Store and identified developers: Allows apps from the Mac App Store and apps from identified developers. Identified developers are registered with Apple and can optionally upload their apps to Apple for a security check. If problems occur with an app, Apple can revoke its authorization. macOS checks the app before it opens the first time to be certain it hasn’t been modified since the developer shipped it.

note: That last paragraph shows how it works with identified developers outside of the Mac App Store.

edited to try to remove oversize bold markdown.

yeru83 avatar Mar 10 '21 20:03 yeru83

Hey new friends, Teddy here: Just a quick P.S. summary of the above:

  1. What is the meaning of my .gnupg hidden folder, apparently with "unsafe ownership?" I checked, and it is read/write available only to my admin login. To other logins, "no access."

  2. "3 signatures not checked" was also part of the response to the zkSNACKs signature. What went wrong?

  3. off-topic, but related to Apple's verification system for non-Apple App Store apps: Did someone spoof a faked Electrum dmg on the official server? https://www.reddit.com/r/CryptoCurrency/comments/lz3cp8/bitcoin_btc_wallet_electrum_fake_macos_app_steals/

yeru83 avatar Mar 11 '21 10:03 yeru83
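
Added example, not part of the original thread: gpg prints "unsafe ownership on homedir" when the GnuPG home directory is not owned by the user gpg is running as, which is the situation in the transcript above, where `sudo` ran gpg as root against a directory under `/Users/Teddy`. The function below (`check_gnupg_home` is a hypothetical name) approximates that owner and permission check so it can be run before importing the key without `sudo`.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG.
# check_gnupg_home (hypothetical helper) approximates GnuPG's homedir safety
# check: the directory must be owned by the invoking user and must grant no
# access to group or others (mode 700).

check_gnupg_home() {
    dir=${1:-${GNUPGHOME:-$HOME/.gnupg}}

    if [ ! -d "$dir" ]; then
        echo "missing: $dir does not exist (gpg creates it on first use)"
        return 2
    fi

    # -O is true when the directory is owned by this process's effective user.
    # Under sudo that user is root, so a normal user's ~/.gnupg fails here.
    if [ ! -O "$dir" ]; then
        echo "unsafe ownership: $dir is not owned by $(id -un)"
        if [ -n "${SUDO_USER:-}" ]; then
            echo "hint: running via sudo; rerun as $SUDO_USER without sudo"
        fi
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$dir" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "unsafe permissions: $dir allows group/other access ($bits); chmod 700 it"
        return 1
    fi

    echo "ok: $dir"
    return 0
}

# Typical use as the logged-in user, with the key path from the thread:
#   check_gnupg_home && gpg --import ~/Downloads/zkSNACKsPubKey.txt
```

The separate message "3 signatures not checked due to missing keys" means the imported key carries certifications made by keys that are not in the local keyring; the key itself was imported, as the following line of the transcript shows.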

> Thanks PulpCattel and molnard!
>
> I'm logged in as an admin, and I haven't tried using a non-admin login while importing a PGP key. I could try that tomorrow, or whenever I can log out, without losing work. Today I used GPG Keychain to import a key simply using the [email protected] address, however, I could not figure out what webpage to use to verify that signature, so I left it at ownertrust "unknown" for now.
>
> molnard, as for the dmg package signed with Apple's method, can I ask: What about Electrum--was that a signed dmg? Or was that another case of user error, installing from a prompt which led to a patch not on the electrum.org?

I don't know. It is mentioning "update"; if it was some kind of internal procedure, Gatekeeper cannot detect that. Also the user can bypass Gatekeeper with some additional actions, like clicking with CMD+Click on the software and choosing the "Run Anyway" button. I don't know what happened there exactly.

In Wasabi's case, if the signature was not correct, the user gets a "cannot start" pop-up and that's the end of the story - important note here: only if Gatekeeper settings are on default!

You can take a look around here about verifying the signature with macOS in Terminal https://github.com/zkSNACKs/WalletWasabi/issues/958

molnard avatar Mar 11 '21 11:03 molnard

About App Store https://github.com/zkSNACKs/WalletWasabi/pull/3042#issuecomment-597545484

molnard avatar Mar 11 '21 11:03 molnard

zkSNACKs has a paid Apple developer license and we are using that to sign; without that we would not be able to distribute.

We are doing this https://developer.apple.com/macos/distribution/

Look for "Outside the Mac App Store"

molnard avatar Mar 11 '21 11:03 molnard

I'm not familiar with mac. Except for https://github.com/zkSNACKs/WasabiDoc/issues/1382, anything we should update there, @turbolay ?

MarnixCroes avatar Sep 09 '23 10:09 MarnixCroes

Feel free to reopen. As far as I can see the discussion is over here.

molnard avatar Sep 19 '23 20:09 molnard