1 Check for a client update
Client updates are announced at https://nxtforum.org/nrs-releases/
For example see https://nxtforum.org/nrs-releases/nrs-v1-1-3/
Tutorial is based on https://nxtforum.org/index.php?topic=143.0
Note that the entire description is a PGP signed message, including the download link and the sha256, signed with Jean-Luc's 0xFF2A19FA key, he published the key's fingerprint also in his profile on nxtforum. Once you obtained the key from a keyserver, using GnuPG in a terminal window it is
gpg --recv-keys 0xFF2A19FA
you can verify the text and hence the download link and sha256 by following this procedure (on Linux):
2 Verify the update message
In a terminal window invoke
that then waits for input from stdin.
In the browser window using the mouse select the entire text including the -----BEGIN PGP SIGNED MESSAGE----- and -----END PGP SIGNATURE----- lines.
In the terminal window, using the middle mouse button paste the selected text, check that it is pasted like it looks on the webpage, then press Enter and Ctrl+D after which gpg should display
gpg: Signature made Wed 08 Jan 2014 12:09:11 PM CET using RSA key ID 3BF9ED80 gpg: Good signature from "Jean-Luc Picard (Lead Developer of The Nxt Generation) <email@example.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: B88D C0A6 2ECD DDD1 643A 28FD CEF1 F4A9 FF2A 19FA Subkey fingerprint: 3690 CF32 519B 2A88 DF20 23C2 53A1 C977 3BF9 ED80
The warning is ok because there is no trust chain, no one signed the key.
Note that the X primary selection and middle mouse button is used to paste the webpage's content, instead of using the clipboard which would likely mess around with the line feeds and invalidate the signature.
It may happen that due to putting the message on the website some minor change (for example blanks or line feeds altered, or triple dashes replaced by em-dash, or double dashes replaced by en-dash, ...) occurred, in which case the message does not verify. Unfortunately this now seems to be more the norm than the exception. Of course then you don't know if the sha256 or anything else essential wasn't altered, so there's no reason to trust the message in this case. Luckily there still are the corresponding nxt-client-*.zip.asc signature files that can be verified, see below.
3 Download and verify the client archive
There are two independent ways to verify the client archive's file integrity, by sha256 check sum and/or using GnuPG signature files. In an already running client proceed with #Using the client's built-in check and for extra security also #Verify using the corresponding GnuPG *.asc file.
3.1 Verify using the sha256 check sum
3.1.1 Using the client's built-in check
The Nxt NRS client software contains a built-in utility for verifying the SHA256 checksum of your Nxt software download. Here's how to use it:
- With your Nxt server running, access http://localhost:7876/update.html in your web browser.
- The "Nxt update checker" will appear. Your current version number will be displayed, as well as the version number of the latest version of the software, and the latest experimental version of the software.
- If your current version is older than the latest version of Nxt, a download link will appear. Click this to download a new version of Nxt.
- Open your file explorer / finder, and drag the client.zip file into the green box in your web browser
- After a moment, your browser will confirm whether or not the download is authentic.
3.1.2 Using an external sha256sum program
If the message verified you can also check the content of the downloaded file with the just verified sha256, for example:
sha256sum nxt-client-0.5.3.zip && echo 23fc36fba166e00299003407169a26515e6d67c8094b5a06f9c795cc62ca83a7
where both sums must be equal.
If you wish to verify it manually, here is the hash of the latest version (1.11.10) of nxt-client-*.zip:
3.2 Verify using the corresponding GnuPG *.asc file
Each nxt-client-*.zip file on download.nxtcrypto.org is accompanied by a corresponding GnuPG signature file created with Jean-Luc's 0xFF2A19FA key. For example, for http://download.nxtcrypto.org/nxt-client-1.1.3.zip there is also http://download.nxtcrypto.org/nxt-client-1.1.3.zip.asc that you can download and save beside the .zip file and then verify the .zip by running
gpg --verify nxt-client-1.1.3.zip.asc
which should give
gpg: Signature made Wed 08 Jan 2014 12:03:17 PM CET using RSA key ID 3BF9ED80 gpg: Good signature from "Jean-Luc Picard (Lead Developer of The Nxt Generation) <firstname.lastname@example.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: B88D C0A6 2ECD DDD1 643A 28FD CEF1 F4A9 FF2A 19FA Subkey fingerprint: 3690 CF32 519B 2A88 DF20 23C2 53A1 C977 3BF9 ED80
4 Install the update
Once you have acquired the new Nxt version from the release source and/or have verified the sha256 check sum of the downloaded file, you can update to the latest Nxt version. Do not use the file or its contents if the check sum does not match!
- If you're running the client, close the browser and stop the server window.
- Unzip the newly downloaded Nxt software .zip file overwriting the existing nxt folder.
- Start the Nxt software.
- Open your browser and access http://localhost:7876
- Unlock your account. Done!