Verifying Readest Release Files - readest/readest GitHub Wiki

This guide explains how to verify the authenticity and integrity of Readest installer packages using cryptographic signatures.

Why Verify?

Verifying release files ensures that:

  • The file hasn't been corrupted or tampered with in transit, on a mirror, or on a compromised download path
  • The file was actually signed with the Readest release key, i.e. it is the artifact the Readest team published
  • You install the bytes the team signed, not something substituted for them

A valid signature proves origin and integrity; it is not a guarantee that the software itself is free of bugs.

Prerequisites

Install one of these signature verification tools:

minisign (Recommended)

macOS:

brew install minisign

Ubuntu/Debian:

sudo apt-get install minisign

Arch Linux:

sudo pacman -S minisign

Windows (with Scoop):

scoop install minisign

Windows (manual): Download from the minisign releases page, https://github.com/jedisct1/minisign/releases

rsign (Alternative)

Cargo (all platforms):

cargo install rsign2

Or download from: https://github.com/jedisct1/rsign2/releases

Step-by-Step Verification

1. Download Files

For each release, download both:

  • The installer package (e.g., Readest_0.9.96_x64-setup.exe)
  • The corresponding signature file (e.g., Readest_0.9.96_x64-setup.exe.sig)

Both files are available on the Releases page.

2. Get the Public Key

The public key is embedded in the Readest source code. Because a wiki page can itself be edited, cross-check the key you use against the pubkey value in tauri.conf.json in the repository. The key ID in the comment line (BE0D5B168E54B351) is also embedded in every signature; minisign refuses to verify a signature whose key ID does not match the public key's, so a mismatch here means you have the wrong key or the wrong signature. You can either:

Option A: Use the key directly (easiest)

Create a file named readest.pub with this content:

untrusted comment: minisign public key: BE0D5B168E54B351
RWRRs1SOFlsNvjDiaLOW+DZDWeNG462IqhW43Ttr/qcg5lCWKLa3Tu/k

Option B: Extract from source

  1. Copy the base64-encoded pubkey value from tauri.conf.json (it is the entire readest.pub file, base64-encoded)
  2. Decode it (GNU coreutils shown; on macOS use base64 -D):
echo "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IEJFMEQ1QjE2OEU1NEIzNTEKUldSUnMxU09GbHNOdmpEaWFMT1crRFpEV2VORzQ2MklxaFc0M1R0ci9xY2c1bENXS0xhM1R1L2sK" | base64 -d > readest.pub

3. Decode the Signature File

The .sig file published on the Releases page is base64-encoded (see "Why Base64 Decoding?" below) and must be decoded back into minisign's text format before it can be verified. With GNU coreutils (Linux):

base64 -d Readest_0.9.96_x64-setup.exe.sig > Readest_0.9.96_x64-setup.exe.sig.decoded

Note: GNU base64 has no -o option and its -i means --ignore-garbage, so the input/output-flag form only works with the BSD base64 shipped on macOS, where the decode flag is -D:

base64 -D -i Readest_0.9.96_x64-setup.exe.sig -o Readest_0.9.96_x64-setup.exe.sig.decoded

Whichever tool you use, the decoded file should be four lines of text: an untrusted comment, the base64 signature, a "trusted comment:" line, and the base64 global signature. If it is still a single line of base64, it has not been decoded.

4. Verify the Signature

Using minisign:

minisign -Vm Readest_0.9.96_x64-setup.exe \
  -x Readest_0.9.96_x64-setup.exe.sig.decoded \
  -p readest.pub

Using rsign:

rsign verify \
  -l Readest_0.9.96_x64-setup.exe \
  -x Readest_0.9.96_x64-setup.exe.sig.decoded \
  -p readest.pub

5. Check the Result

Success:

Signature and comment signature verified
Trusted comment: timestamp:1766115261	file:Readest_0.9.96_x64-setup.exe

✅ The signature was made with the Readest release key and the file matches what was signed. Before installing, also check that the file: name in the trusted comment is the file you downloaded and that the timestamp (Unix seconds) is consistent with the release date: a valid signature only proves that the team signed this exact file at some point, so an older, still-signed release swapped in for the current one would also verify.

Failure:

Signature verification failed

DO NOT INSTALL! The file may have been corrupted or tampered with. Try downloading again or report the issue.

Platform-Specific Examples

Windows

# Download files (example URLs)
# Readest_0.9.96_x64-setup.exe
# Readest_0.9.96_x64-setup.exe.sig

# Create public key file
@"
untrusted comment: minisign public key: BE0D5B168E54B351
RWRRs1SOFlsNvjDiaLOW+DZDWeNG462IqhW43Ttr/qcg5lCWKLa3Tu/k
"@ | Out-File -Encoding ASCII readest.pub

# Decode signature
certutil -decode Readest_0.9.96_x64-setup.exe.sig Readest_0.9.96_x64-setup.exe.sig.decoded

# Verify
minisign -Vm Readest_0.9.96_x64-setup.exe -x Readest_0.9.96_x64-setup.exe.sig.decoded -p readest.pub

macOS

# Download files
# Readest_0.9.96_universal.dmg
# Readest_0.9.96_universal.dmg.sig

# Create public key file
cat > readest.pub << 'EOF'
untrusted comment: minisign public key: BE0D5B168E54B351
RWRRs1SOFlsNvjDiaLOW+DZDWeNG462IqhW43Ttr/qcg5lCWKLa3Tu/k
EOF

# Decode signature
base64 -D -i Readest_0.9.96_universal.dmg.sig -o Readest_0.9.96_universal.dmg.sig.decoded

# Verify
minisign -Vm Readest_0.9.96_universal.dmg \
  -x Readest_0.9.96_universal.dmg.sig.decoded \
  -p readest.pub

Linux

# Download files
# Readest_0.9.96_amd64.AppImage
# Readest_0.9.96_amd64.AppImage.sig

# Create public key file
cat > readest.pub << 'EOF'
untrusted comment: minisign public key: BE0D5B168E54B351
RWRRs1SOFlsNvjDiaLOW+DZDWeNG462IqhW43Ttr/qcg5lCWKLa3Tu/k
EOF

# Decode signature
base64 -d Readest_0.9.96_amd64.AppImage.sig > Readest_0.9.96_amd64.AppImage.sig.decoded

# Verify
minisign -Vm Readest_0.9.96_amd64.AppImage \
  -x Readest_0.9.96_amd64.AppImage.sig.decoded \
  -p readest.pub

Understanding the Verification Process

What is a Digital Signature?

A digital signature is a mathematical scheme that proves:

  • Authenticity: The file was signed by the holder of the Readest private key
  • Integrity: The file hasn't been modified since signing
  • Unforgeability: Without the private key, nobody can produce a signature that verifies under the public key

How it Works

minisign uses Ed25519 signatures. Signing is not "encrypting a hash with the private key", and nothing is decrypted during verification: the verifier checks an equation that ties the signature, the message and the public key together.

  1. Signing (done by Readest team):

    • minisign reads the installer; in its prehashed mode (signature algorithm "ED") it signs a BLAKE2b-512 hash of the file, otherwise (algorithm "Ed") it signs the file contents directly
    • The Ed25519 signature, the signer's 8-byte key ID and a trusted comment (timestamp and file name) are written to the .sig file
    • A second, "global" signature covering the signature plus the trusted comment is appended, so the comment cannot be edited without detection
  2. Verification (done by you):

    • minisign checks that the key ID embedded in the signature matches the key ID in readest.pub
    • It rehashes (or reads) your downloaded installer and verifies the Ed25519 signature with the public key
    • It verifies the global signature over the signature and trusted comment, and only then prints the trusted comment
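To make the verification steps above concrete, here is an added, self-contained Python model of what minisign -V does with readest.pub and the decoded .sig file: parse both formats, check that the key IDs match, verify the Ed25519 signature over the file (or over its BLAKE2b-512 hash in prehashed mode), then verify the global signature over the signature plus the trusted comment. This is illustrative code written for this guide, not part of Readest, Tauri or minisign. It carries a compact textbook Ed25519 so it runs on the standard library alone (readable, not constant-time, not for production use), and the minisign_sign helper exists only to construct a test key pair and signature; the seed, the key ID 0011223344556677, the installer bytes and the trusted comment in the demo are made-up values. The READEST_PUB constant is the public key exactly as shown on this page.

```python
import base64, hashlib

# --- compact Ed25519 in pure Python (reference-style: readable, not fast, not constant-time) ---
q = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493
def inv(x): return pow(x, q - 2, q)
d = (-121665 * inv(121666)) % q
I = pow(2, (q - 1) // 4, q)
def xrecover(y):
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q: x = x * I % q
    return q - x if x & 1 else x
By = 4 * inv(5) % q
B = (xrecover(By), By)
def edwards(P, Q):            # affine twisted-Edwards addition (a = -1); complete for this curve
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % q, (y1 * y2 + x1 * x2) * inv(1 - t) % q)
def scalarmult(P, e):         # double-and-add, most significant bit first
    Q = (0, 1)
    for bit in bin(e)[2:]:
        Q = edwards(Q, Q)
        if bit == "1": Q = edwards(Q, P)
    return Q
def encodepoint(P): return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")
def decodepoint(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    if x & 1 != s[31] >> 7: x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q: raise ValueError("point not on curve")
    return (x, y)
def Hint(m): return int.from_bytes(hashlib.sha512(m).digest(), "little")
def ed25519_keypair(seed):    # RFC 8032 key derivation: clamp SHA-512(seed)[:32] to get the scalar a
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:], encodepoint(scalarmult(B, a))
def ed25519_sign(seed, m):
    a, prefix, pk = ed25519_keypair(seed)
    r = Hint(prefix + m) % l
    R = encodepoint(scalarmult(B, r))
    return R + ((r + Hint(R + pk + m) * a) % l).to_bytes(32, "little")
def ed25519_verify(pk, m, sig):   # checks S*B == R + H(R||A||m)*A; no "decryption" involved
    S = int.from_bytes(sig[32:], "little")
    if len(sig) != 64 or S >= l: return False
    R, A = decodepoint(sig[:32]), decodepoint(pk)
    return scalarmult(B, S) == edwards(R, scalarmult(A, Hint(sig[:32] + pk + m) % l))

# --- minisign text formats ---
TC = "trusted comment: "
def parse_pubkey(text):
    # .pub: untrusted comment line, then base64("Ed" || key_id[8] || public_key[32])
    raw = base64.b64decode(text.splitlines()[1])
    if raw[:2] != b"Ed" or len(raw) != 42: raise ValueError("not a minisign public key")
    return raw[2:10], raw[10:]
def parse_signature(text):
    # decoded .sig: untrusted comment, base64(alg[2] || key_id[8] || sig[64]),
    # "trusted comment: <text>", base64(global_sig[64])
    lines = text.splitlines()
    raw = base64.b64decode(lines[1])
    if len(raw) != 74 or not lines[2].startswith(TC): raise ValueError("not a minisign signature")
    return raw[:2], raw[2:10], raw[10:], lines[2][len(TC):], base64.b64decode(lines[3])
def key_id_hex(key_id):
    return key_id[::-1].hex().upper()   # minisign prints the key ID as a little-endian u64
def minisign_verify(pub_text, sig_text, data):
    """Returns (ok, detail), mirroring the order of checks `minisign -V` performs."""
    key_id, pk = parse_pubkey(pub_text)
    alg, sig_key_id, sig, trusted, global_sig = parse_signature(sig_text)
    if sig_key_id != key_id:
        return False, "signature key id %s != public key id %s" % (key_id_hex(sig_key_id), key_id_hex(key_id))
    if alg == b"ED":   msg = hashlib.blake2b(data, digest_size=64).digest()   # prehashed mode
    elif alg == b"Ed": msg = data                                            # legacy mode: raw file
    else: return False, "unknown signature algorithm %r" % alg
    if not ed25519_verify(pk, msg, sig): return False, "Signature verification failed"
    if not ed25519_verify(pk, sig + trusted.encode(), global_sig):
        return False, "Comment signature verification failed"
    return True, "Signature and comment signature verified; trusted comment: " + trusted
def minisign_sign(seed, key_id, data, trusted_comment):
    """Test-fixture signer only (real releases are signed with minisign -S / tauri signer)."""
    _, _, pk = ed25519_keypair(seed)
    sig = ed25519_sign(seed, hashlib.blake2b(data, digest_size=64).digest())
    gsig = ed25519_sign(seed, sig + trusted_comment.encode())
    pub = "untrusted comment: minisign public key: %s\n%s\n" % (
        key_id_hex(key_id), base64.b64encode(b"Ed" + key_id + pk).decode())
    sig_text = "untrusted comment: signature from test key\n%s\n%s%s\n%s\n" % (
        base64.b64encode(b"ED" + key_id + sig).decode(), TC, trusted_comment,
        base64.b64encode(gsig).decode())
    return pub, sig_text

# The Readest public key exactly as published on this page
READEST_PUB = ("untrusted comment: minisign public key: BE0D5B168E54B351\n"
               "RWRRs1SOFlsNvjDiaLOW+DZDWeNG462IqhW43Ttr/qcg5lCWKLa3Tu/k\n")

if __name__ == "__main__":
    print("Readest key id decoded from the key bytes:", key_id_hex(parse_pubkey(READEST_PUB)[0]))
    installer = b"constructed installer bytes"   # stand-in for the .exe/.dmg/.AppImage contents
    pub, sig = minisign_sign(b"\x01" * 32, bytes.fromhex("0011223344556677"), installer, "timestamp:1\tfile:demo.bin")
    print(minisign_verify(pub, sig, installer))            # (True, '... file:demo.bin')
    print(minisign_verify(pub, sig, installer + b"\x00"))  # (False, 'Signature verification failed')
```

To run it against a real release, pass the text of readest.pub, the text of the base64-decoded .sig and the installer bytes to minisign_verify; the verdict matches what minisign prints. Note that the key-ID comparison happens before any cryptography, which is why a signature produced with a different key fails immediately, and that editing the trusted comment (for example the file: name) breaks the global signature even though the file signature itself is still valid.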

The Public Key

The public key (RWRRs1SOFlsNvjDiaLOW+DZDWeNG462IqhW43Ttr/qcg5lCWKLa3Tu/k) is:

  • Embedded in Readest's source code
  • Safe to share publicly
  • Used only for verification (cannot create signatures)
  • Unique to Readest releases

Why Base64 Decoding?

The .sig files are produced by the Tauri updater tooling (Readest is a Tauri app, which is why the public key lives in tauri.conf.json). Tauri stores the minisign signature base64-encoded so that the same string can be embedded in the updater's JSON manifest, whereas minisign and rsign expect the raw four-line text format. Decoding converts the published file back into that format; if you skip the step, minisign cannot parse the file and verification fails even for a genuine release.

Questions?

If you encounter issues with verification or have questions about file security, please:


Remember: Always verify downloads before installation, especially when downloading from third-party mirrors or sources. If verification fails, do not proceed with installation!

Version History

  • v1.0 (2024-12-21): Initial guide created
    • Added comprehensive verification instructions for all platforms