# Verifying BTCQ release artifacts

Every binary BTCQ ships is signed with the project release key. Verify before installing: the signature is the only protection you have against a tampered download.

## The signing key

**Fingerprint:** `F75E35BB6E0571A61A107FFD46FDC71ABEC69682`

If `gpg --import` shows a different fingerprint, **stop**. Cross-check with:

- The fingerprint embedded in [the BTCQ source repo](https://github.com/btcq/btcq/blob/master/contrib/release/btcq-release-signing.asc)
- Any published release announcement
- The fingerprint at the top of `https://downloads.btcq.io/keys/btcq-release-signing.asc`

All four (this page plus the three sources above) should match. A mismatch means someone is in the middle.

## Import the key

```bash
curl -fsSLO https://downloads.btcq.io/keys/btcq-release-signing.asc
gpg --import btcq-release-signing.asc
gpg --fingerprint F75E35BB6E0571A61A107FFD46FDC71ABEC69682
```

## Verify an RPM (or the dnf repo)

Once the key is imported into the RPM keyring, `rpm -K` reports whether a package's signature checks out and `dnf` refuses to install packages that fail the check:

```bash
sudo rpm --import https://downloads.btcq.io/keys/btcq-release-signing.asc
rpm -K /path/to/some-package.rpm
# expected: digests signatures OK
```

If you've added the dnf repo (`btcq-fedora.repo`), `dnf` runs this check automatically on every install/update; `repo_gpgcheck=1` also verifies the repo metadata signature.

## Verify the AppImage

```bash
gpg --verify electrum-btcq-4.7.2-btcq.4-x86_64.AppImage.asc \
    electrum-btcq-4.7.2-btcq.4-x86_64.AppImage
# expected: "Good signature from BTCQ ..." with the fingerprint above
```

Compare the fingerprint in the output, not just the words "Good signature": gpg prints "Good signature" for any key that happens to be in your keyring.

## Verify the source tarballs

```bash
gpg --verify electrum-btcq-4.7.2+btcq.4.tar.gz.asc \
    electrum-btcq-4.7.2+btcq.4.tar.gz
```

## Verify SHA256SUMS (covers the whole release dir)

```bash
gpg --verify SHA256SUMS.asc SHA256SUMS
sha256sum -c SHA256SUMS
# expected: every file listed reports OK
```

## Verify a Docker image

The image content is the same GPG-signed RPM that `dnf install` would put on a Fedora 43 host. Once you've pulled the image, you can confirm the GPG signature from inside a running container:

```bash
docker pull downloads.btcq.io/btcqd:0.2.0-4
docker run --rm --entrypoint rpm downloads.btcq.io/btcqd:0.2.0-4 \
    -qi btcq | grep -E '(Version|Release|Signature)'
# expected:
# Version   : 0.2.0
# Release   : 4.btcq.fc43
# Signature : ... Key ID 6381c538a6f34161
```

The key ID shown here is that of the key which actually signed the package. If it does not equal the last 16 hex digits of the primary fingerprint above, check it against the release key's subkeys (`gpg --list-keys --with-subkey-fingerprint F75E35BB6E0571A61A107FFD46FDC71ABEC69682`): packages are commonly signed with a signing subkey rather than the primary key.

For absolute reproducibility, pin to the image's content-addressed digest rather than the floating tag:

```bash
docker pull downloads.btcq.io/btcqd@sha256:
```

Image-level signing (cosign) is on the roadmap; today's trust chain is TLS to `downloads.btcq.io` plus the GPG signature on the embedded RPM.

## What this protects against

Verification protects against an attacker who can tamper with the download in transit (compromised mirror, MITM on a coffee-shop network, malicious browser extension). It does **not** protect against:

- A compromise of the build host (the signature would be valid but the binary would be malicious)
- A stolen signing key (we'd publish a key revocation if this happened)

If you discover a verification failure, please report it: open an issue against [github.com/btcq/btcq](https://github.com/btcq/btcq) **with no installation attempt**. Do not run a binary that fails verification.
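The `gpg --verify` steps above only prove something if you also compare the fingerprint, because gpg reports "Good signature" for any key in your keyring. The script below is an added example, not BTCQ's own tooling: it reads gpg's machine-readable `--status-fd` output and accepts a detached signature only when it was made by the pinned release key or one of its subkeys, and `selfcheck` exercises that logic on constructed status lines (the subkey and third-party fingerprints, timestamps and uid in them are made up). `verify_release_file` assumes `gpg` is on your PATH.

```shell
# Added example, not BTCQ project code: accept a detached signature only if
# gpg reports it good AND the signing key is the pinned release key. A bare
# "Good signature" means "some key in your keyring", which is not enough.
set -eu
# Pinned fingerprint of the BTCQ release signing key (from this page).
BTCQ_RELEASE_FPR="F75E35BB6E0571A61A107FFD46FDC71ABEC69682"

# check_validsig EXPECTED_FPR   (reads `gpg --status-fd 1` lines on stdin)
# Exit 0 only when a GOODSIG was seen, no bad/expired/revoked status was
# seen, and the VALIDSIG fingerprint matches EXPECTED_FPR.
check_validsig() {
  want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  awk -v want="$want" '
    $1 != "[GNUPG:]" { next }
    $2 == "GOODSIG"  { good = 1 }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" {
      # $3 = fingerprint of the (sub)key that signed, $NF = its primary key
      if (toupper($3) == want || toupper($NF) == want) pinned = 1
    }
    END { if (good && pinned && !bad) exit 0; exit 1 }'
}

# verify_release_file SIGNATURE FILE, e.g. SHA256SUMS.asc SHA256SUMS
verify_release_file() {
  gpg --batch --status-fd 1 --verify "$1" "$2" | check_validsig "$BTCQ_RELEASE_FPR"
}

# mk_status STATUS KEYID SIGNING_FPR PRIMARY_FPR: two constructed status
# lines in the shape gpg emits (timestamps and uid are made up).
mk_status() {
  printf '[GNUPG:] %s %s uid\n[GNUPG:] VALIDSIG %s 2025-01-01 1735689600 0 4 0 1 10 00 %s\n' "$1" "$2" "$3" "$4"
}

# selfcheck: exercises check_validsig without gpg. The subkey and "other"
# key fingerprints below are made up for the demo.
selfcheck() {
  p="$BTCQ_RELEASE_FPR"
  sub="0123456789ABCDEF0123456789ABCDEF01234567"
  oth="1111111111111111111111111111111111111111"
  mk_status GOODSIG   46FDC71ABEC69682 "$p"   "$p"   | check_validsig "$p" || return 1  # primary key
  mk_status GOODSIG   89ABCDEF01234567 "$sub" "$p"   | check_validsig "$p" || return 1  # its subkey
  mk_status GOODSIG   1111111111111111 "$oth" "$oth" | check_validsig "$p" && return 1  # other key
  mk_status REVKEYSIG 46FDC71ABEC69682 "$p"   "$p"   | check_validsig "$p" && return 1  # revoked
  return 0
}
```

Run `selfcheck` to see the four cases decided, or `verify_release_file SHA256SUMS.asc SHA256SUMS` in a release directory; a non-zero exit means the signature is not from the pinned key and the files must not be used.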