Oddbean new post about | logout
alfred | 4 months ago (raw) | root | parent | reply | flag 
 The user-side upgrade process verifies that the firmware checksums match.

The actual cryptographic verification (i.e. "this firmware is official")  is done by the Coldcard bootloader during the install process, since you should never trust the computer anyway.
joe | 4 months ago (raw) | root | parent | reply | flag 
 But no pgp verification? Where do you get the "good" checksum to compare against?
joe | 4 months ago (raw) | root | parent | reply | flag 
 Nm I'm an idiot and conflated checksum with hash. So no verification?
alfred | 4 months ago (raw) | root | parent | reply | flag 
 From Coinkite's official list of releases:

https://raw.githubusercontent.com/Coldcard/firmware/master/releases/signatures.txt

The PGP verification is done by the device itself.