Authenticating Trezor Suite with GPG on Mac

This is the message I'm getting after importing the 2021 signing key in GPG Suite and verifying it against the installer:

Trezor Suite version (23.5.2). Is this an authentic version of Trezor Suite? Seems like a valid key (note the highlighted section in the pic below).

Mac users: am I doing anything wrong? Appreciate the feedback.

4 thoughts on “Authenticating Trezor Suite with GPG on Mac”

  1. > The signature of this message is valid but untrusted. That means it has not been tampered with. It is untrusted though, because the key has not yet been verified. This KB-article explains how to verify and sign a public key

    Highlight the important bits

    > this message is valid

    Means that the bits you got off the internet are the same bits Trezor signed. Your download is clean and clear for use.

    > the key has not yet been verified. This KB-article explains

    This means that you got some “random” key and some “random” file and the key successfully asserts that the file is the same as it signed originally. What the message is saying is that you… personally… yourself, have not yet met key-keeper at Satoshi Labs to verify that they are in fact the owner of that key.

    The paranoid approach is to try to meet some of the development team at a Bitcoin conference to get them, in person, to attest to the validity of the signing key. This is called a “key signing party” and likely what the KB refers to.

    A less paranoid approach would be to run a search to see whether SatoshiLabs claims this key publicly. The first hit is an issue raised on Trezor’s GitHub which points to u/matejcik’s solution posted on the Trezor Forum:

    gpg --sign-key EB483B26B078A4AA1B6F425EE21B6950A2ECB65C

    Though, personally, I use the less global --lsign-key option instead.

    So yeah… you’re good to go.

    Note: you will find this kind of “untrusted trust” throughout much of the messaging of GnuPG. It’s designed for a level of paranoia that most people just can’t maintain. It’s a great system, but much like compilers, many of the dire warnings are not nearly as dire as they originally sound.
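The same verdict read from GnuPG's machine-readable output, as an added example that is not part of the thread: it labels the lines gpg emits with --status-fd the way the comment above describes ("valid" vs. "trusted"), and also checks the signing key's fingerprint against the one you expect (assumed here to be the fingerprint quoted above). The user ID text and timestamps in the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Feed it GnuPG's machine-readable
# status lines, e.g.  gpg --status-fd 1 --verify suite.dmg.asc suite.dmg
# and it prints a label plus the signing key's fingerprint. $1 is the
# fingerprint you expect; a valid signature from any other key is reported
# as "wrong-key". The labels are this script's convention, not GnuPG's.
classify_gpg_status() {
    expected=$1; valid=0; bad=0; trust=undefined; fpr=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)               # signature checks out
                valid=1
                rest=${line#"[GNUPG:] VALIDSIG "}   # "<fpr> <date> <ts> ..."
                fpr=${rest%% *} ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                bad=1 ;;
            "[GNUPG:] TRUST_FULLY "*|"[GNUPG:] TRUST_ULTIMATE "*)
                trust=full ;;                    # key validated in your keyring
        esac
    done
    if [ "$bad" = 1 ] || [ "$valid" = 0 ]; then
        echo "bad-or-missing-signature"          # download or signature file is off
    elif [ -n "$expected" ] && [ "$fpr" != "$expected" ]; then
        echo "wrong-key $fpr"                    # bits intact, but not the key you wanted
    elif [ "$trust" = full ]; then
        echo "valid-trusted $fpr"                # after you (l)signed the key
    else
        echo "valid-untrusted $fpr"              # the thread's case: clean, key unverified
    fi
}

# Constructed sample status lines; the user ID and timestamps are made up.
TREZOR_FPR=EB483B26B078A4AA1B6F425EE21B6950A2ECB65C
sample_untrusted() {
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] GOODSIG E21B6950A2ECB65C SatoshiLabs 2021 Signing Key\n'
    printf '[GNUPG:] VALIDSIG %s 2023-05-30 1685433600 0 4 0 1 10 00 %s\n' \
        "$TREZOR_FPR" "$TREZOR_FPR"
    printf '[GNUPG:] TRUST_UNDEFINED 0 pgp\n'
}
sample_after_lsign() {                            # same key, now locally signed by you
    sample_untrusted | grep -v TRUST_UNDEFINED
    printf '[GNUPG:] TRUST_FULLY 0 pgp\n'
}
sample_bad() {
    printf '[GNUPG:] BADSIG E21B6950A2ECB65C SatoshiLabs 2021 Signing Key\n'
}

sample_untrusted | classify_gpg_status "$TREZOR_FPR"   # demo when run directly
```

The "valid-untrusted" branch is exactly the Suite message in the post; "wrong-key" is the case the GnuPG wording does not call out, where the signature is fine but the key is not the one SatoshiLabs publishes.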

  2. Untrusted by a 3rd party, meaning no 3rd party verified it, which is actually what you want. You don’t want a BitGo-wallet-like scenario where anything has been verified by anyone and you have given over your trust and keys to a 3rd party.

    What you see is the perfect verification.

  3. Funny you are verifying a GPG signature, which is an advanced thing to do.

    But you take a picture of your screen, rather than a screenshot?
