I've divided this post into three sections: Download, Review, and Install to make it easier for users who need help with specific sections. The installation steps were reproduced with Ubuntu 18.04, but can also be easily used for other versions. Just make sure you download the specific ready-made binaries from the release page for the operating system you are using.
The C-Lightning implementation currently works only in Linux environments. All c-lightning releases are published on the GitHub release page. You can download them directly from the browser or use the following terminal commands:
    # Download the Ubuntu release of C-lightning from the release page
    ubuntu@user:~/Downloads$ wget https://github.com/ElementsProject/lightning/releases/download/v0.7.3/clightning-v0.7.3-Ubuntu-18.04.tar.xz
    # Download the SHA256SUMS file that contains the hashes of the release
    ubuntu@user:~/Downloads$ wget https://github.com/ElementsProject/lightning/releases/download/v0.7.3/SHA256SUMS
    # Download the digital signature file SHA256SUMS.asc
    ubuntu@user:~/Downloads$ wget https://github.com/ElementsProject/lightning/releases/download/v0.7.3/SHA256SUMS.asc
Before installing the software, you MUST check the signatures of the release. This ensures that the software on the release page has not been modified by third parties or manipulated during the download process through a man-in-the-middle attack.
The following steps are performed to verify the authenticity of the file:
- Calculate the SHA256 hash of the main file
- Check if the hash matches the one we downloaded in the SHA256SUMS file
- Make sure this hash has been signed by a trusted developer
The first step is to verify that the SHA256 hash of the downloaded file matches the hash listed in the SHA256SUMS file. Because SHA256 is a one-way mathematical function, a matching hash ensures that the downloaded file is the same file that the SHA256SUMS entry was computed from.
    # Calculate the SHA256 of the file that we downloaded in the last step
    ubuntu@user:~/Downloads$ sha256sum clightning-v0.7.3-Ubuntu-18.04.tar.xz
    e36d259696ad172d509be712c0ee96b64a454d9a836b7a576d0bc26a580b313e  clightning-v0.7.3-Ubuntu-18.04.tar.xz
    # Verify that the above hash matches the hash in the SHA256SUMS file
    ubuntu@user:~/Downloads$ cat SHA256SUMS | grep clightning-v0.7.3-Ubuntu-18.04.tar.xz
    e36d259696ad172d509be712c0ee96b64a454d9a836b7a576d0bc26a580b313e  release/clightning-v0.7.3-Ubuntu-18.04.tar.xz
As you can see above, the hashes match. However, matching hashes alone are not enough. An attacker could have changed the archive and put the hash of the modified archive into the SHA256SUMS file. Therefore, we need to make sure that the SHA256SUMS file was actually signed by a trusted person. For this we have to check the signatures.
You can do this with gpg. First, we need to import the public keys of the developers who sign these releases. You can find them here.
    # import Rusty Russell's key
    ubuntu@user:~/Downloads$ gpg --recv-keys 15EE8D6CAB0E7F0CF999BFCBD9200E6CD1ADB8F1
    # import Christian Decker's key
    ubuntu@user:~/Downloads$ gpg --recv-keys B7C4BE81184FC203D52C35C51416D83DC4F0E86D
    # import Lisa Neigut's key
    ubuntu@user:~/Downloads$ gpg --recv-keys 30DE693AE0DE9E37B3E7EB6BBFF0F67810C1EED1
The next step verifies the signatures against the hashes in the SHA256SUMS file. If the SHA256SUMS file is missing, you will get a "can't hash datafile: No data" error.
    ubuntu@user:~/Downloads$ gpg --verify SHA256SUMS.asc
    gpg: assuming signed data in 'SHA256SUMS'
    gpg: Signature made Mon 28 Oct 2019 11:15:50 PM UTC
    gpg: using RSA key 30DE693AE0DE9E37B3E7EB6BBFF0F67810C1EED1
    gpg: Good signature from "Lisa Neigut" (unknown)
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 30DE 693A E0DE 9E37 B3E7 EB6B BFF0 F678 10C1 EED1
    gpg: Signature made Mon 28 Oct 2019 11:51:59 PM UTC
    gpg: using RSA key 15EE8D6CAB0E7F0CF999BFCBD9200E6CD1ADB8F1
    gpg: Good signature from "Rusty Russell" (unknown)
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 15EE 8D6C AB0E 7F0C F999 BFCB D920 0E6C D1AD B8F1
    gpg: Signature made Tue 29 Oct 2019 08:07:39 PM UTC
    gpg: using RSA key B7C4BE81184FC203D52C35C51416D83DC4F0E86D
    gpg: Good signature from "Christian Decker" (unknown)
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: B731 AAC5 21B0 1385 9313 F674 A26D 6D9F E088 ED58
    Subkey fingerprint: B7C4 BE81 184F C203 D52C 35C5 1416 D83D C4F0 E86D
After checking the authenticity of the file, we can safely extract the archive with the command tar xf clightning-v0.7.3-Ubuntu-18.04.tar.xz. The extracted folder contains folders such as share. Copy the contents of this folder into the /usr/ directory (or /usr/local/). Note: Just replace the files in these folders. Do not replace these folders directly, as these folders generally also contain binaries of other important software.
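The hash and signature checks from the verification steps above can be scripted so that extraction only proceeds when the archive matches its SHA256SUMS entry and SHA256SUMS.asc carries a valid signature from one of the three keys imported earlier. This is an added example, not code from the original post or the c-lightning project; the function names and the optional minimum-signer argument are assumptions.

```shell
#!/bin/sh
# Added example, not project code. Fingerprints are the ones passed to
# `gpg --recv-keys` on this page; MIN_SIGNERS is a hypothetical parameter.
PINNED="15EE8D6CAB0E7F0CF999BFCBD9200E6CD1ADB8F1 B7C4BE81184FC203D52C35C51416D83DC4F0E86D 30DE693AE0DE9E37B3E7EB6BBFF0F67810C1EED1"

# check_hash FILE SUMS
# Succeeds only if SUMS has exactly one entry whose basename equals FILE's and
# its hash equals FILE's SHA256. Entries in this release's SHA256SUMS carry a
# "release/" prefix, so the directory part is stripped before comparing names.
check_hash() {
    name=$(basename "$1")
    want=$(awk -v n="$name" '
        { p = $2; sub(/^\*/, "", p); sub(/.*\//, "", p) }
        p == n { c++; h = $1 }
        END { if (c == 1) print h }' "$2")
    [ -n "$want" ] || return 2                 # entry missing or ambiguous
    got=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$got" = "$want" ]                       # status 1 on mismatch
}

# pinned_signers
# Reads `gpg --status-fd 1 --verify` output on stdin and prints how many
# distinct pinned keys produced a VALIDSIG line ($3 is the signing key's
# fingerprint). A good signature from any other key in the keyring is ignored.
pinned_signers() {
    awk -v pinned="$PINNED" '
        BEGIN { n = split(pinned, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 in ok) && !seen[$3]++ { c++ }
        END { print c + 0 }'
}

# verify_release ARCHIVE SUMS SIG [MIN_SIGNERS]
verify_release() {
    check_hash "$1" "$2" || { echo "hash check failed for $1" >&2; return 1; }
    n=$(gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null | pinned_signers)
    [ "$n" -ge "${4:-1}" ] || { echo "only $n pinned signer(s)" >&2; return 1; }
}

# Usage, in the download directory:
#   verify_release clightning-v0.7.3-Ubuntu-18.04.tar.xz SHA256SUMS SHA256SUMS.asc
```

gpg's "not certified with a trusted signature" warning means only that the key has no trust path in the local keyring, which is why the script compares signing-key fingerprints instead of relying on the "Good signature" text.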