Verify LNPlay

It's important to verify the authenticity of the code you download and deploy. These instructions show you how!

Great! You've cloned the LNPlay git repo to your machine! You're well on your way to running your own LNPlay instance.

But before you do anything else, you really SHOULD VERIFY that the code you downloaded has been signed with the key of the LNPlay maintainer, farscapian. Here's his public GPG key.

Save it to a file then import it into your gpg public key store. You should see something like this:

ubuntu@ss-mgmt:~$ gpg --import farscapian.gpg 
gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
gpg: key B443E530A14E1C90: public key "Derek Smith <derek@farscapian.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Trust the key

It's useful to update your GPG settings so the key is fully trusted. That way when you download new updates and check the signatures, your system will indicate that the git repos have been signed by a trusted authority and won't issue confusing error messages.

To trust the maintainer's key, run gpg --edit-key B443E530A14E1C90. You should see the following:

ubuntu@ss-mgmt:~$ gpg --edit-key B443E530A14E1C90
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  nistp256/B443E530A14E1C90
     created: 1970-01-01  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  nistp256/798DF725CFB0629A
     created: 1970-01-01  expires: never       usage: E   
[ unknown] (1). Derek Smith <derek@farscapian.com>

Next, run trust at the gpg> prompt. Then press 5 to fully trust the certificate. After you press enter, type yes. Then quit by typing q at the gpg> prompt. Done!

Verify LNPlay

Now that you have imported the maintainer's certificate and trusted it, you can begin to verify code commits. Do this by running git log --show-signature from the LNPlay git repo (usually at ~/lnplay). Verifying a signed tag with git tag -v, here the 24.03 tag, shows something like this:

git tag -v 24.03
object 07db7442b0c7f972526a68768693626cd9af2610
type commit
tag 24.03
tagger Derek Smith <derek@farscapian.com> 1710723358 -0400

Bitcoin Atlantis
gpg: Signature made Sun 17 Mar 2024 08:55:58 PM EDT
gpg:                using ECDSA key 77A10B652328FCBECEF26DA8B443E530A14E1C90
gpg: Good signature from "Derek Smith <derek@farscapian.com>" [uncertain]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 77A1 0B65 2328 FCBE CEF2  6DA8 B443 E530 A14E 1C90

If the output says Good signature from "Derek Smith <derek@farscapian.com>", the repo was successfully signed by the LNPlay maintainer.

Ok great! You have reasonable assurance that the bash code you're about to run has been created by a known authority.
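A scripted form of the check above, as an added example that is not part of the LNPlay project. Instead of reading the human-readable "Good signature" text, it parses the machine-readable status lines from git verify-tag --raw and requires the full primary key fingerprint shown in the sample output on this page. The function names check_sig_status and verify_tag are hypothetical, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example, not LNPlay code. Fingerprint copied from the
# "Primary key fingerprint" line in the sample output on this page.
LNPLAY_FPR=77A10B652328FCBECEF26DA8B443E530A14E1C90

# Constructed sample of GnuPG status output for a good signature
# (dates and algorithm fields are illustrative).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B443E530A14E1C90 Derek Smith <derek@farscapian.com>
[GNUPG:] VALIDSIG 77A10B652328FCBECEF26DA8B443E530A14E1C90 2024-03-18 1710723358 0 4 0 19 8 00 77A10B652328FCBECEF26DA8B443E530A14E1C90'

# check_sig_status EXPECTED_FPR
# Reads GnuPG status lines ("[GNUPG:] ...") on stdin. Returns 0 only when
# there is a GOODSIG, a VALIDSIG whose primary key fingerprint equals
# EXPECTED_FPR, and no line reporting a bad, expired or revoked signature.
check_sig_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # The last field of VALIDSIG is the primary key fingerprint.
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { fpr_ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && fpr_ok && !bad) }
    '
}

# verify_tag TAG
# Run inside the cloned repo (usually ~/lnplay). --raw makes git print
# the gpg status output on stderr, so it is redirected into the pipe.
verify_tag() {
    git verify-tag --raw "$1" 2>&1 | check_sig_status "$LNPLAY_FPR"
}
```

For example, verify_tag 24.03 && echo "signed by the expected key" prints the message only when the tag's signature is good and made by the pinned fingerprint; a good signature from any other key in your keyring fails the check.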