WalletMatrix

Verification

WalletMatrix presents you with information about Bitcoin wallets. The raw data that drives it is provided by the wallet vendors themselves as a structured JSON file and is imported automatically. Validation checks are run at the point of import. If these checks succeed, the data is imported and immediately searchable, and the "verified" shield is highlighted in search results.

As a website visitor though, you don't know about the internals of our verification process. You can't tell if the data you're interested in has been altered since it was originally authored.

Or can you?

With a little technical know-how, you can independently verify the authenticity of the data for yourself. If you're interested in finding out how, please review the information below.

General Wallet Selection

A good general process to follow in your wallet selection might comprise the following steps:

  1. Use WalletMatrix to begin your search
  2. Download the matrix.json file of a suitable wallet (read on, for how this is done)
  3. Review the established date from this file, and ask yourself:
    • Has the wallet been around long enough that serious bugs have been fixed? 6-12 months may be a good starting point
    • Am I comfortable with this wallet managing the amount of money I want access to? The greater the funds, the more checks you should consider making
  4. Then follow the steps below to verify, using PGP, that the JSON file is valid

Data Verification

Why is verified data important?

In the cryptocurrency space, there are no centralised institutions like banks, and there is no legal recourse to any entity for loss or theft of any kind. You'll see the word "decentralisation" bandied around a lot, and a central tenet of cryptocurrencies is: you shouldn't need to place your trust in any third party for any financial transaction to occur.

We've adopted a similar philosophy for WalletMatrix which provides a means for you to verify for yourself that the data about a given wallet is accurate. We grant you that there's some technical know-how required to do this, but the point is that you can!

How is data verified?

WalletMatrix encourages* wallet vendors to digitally sign their JSON features-file - the file that ultimately powers it. This is achieved by the use of PGP (Pretty Good Privacy) digital signatures. These signatures tie together the JSON data and a "fingerprint" of that data, which is unique to both the data and the person who created it.

With WalletMatrix these are represented by the vendor's JSON file and a member of the vendor's software development team respectively.

You should be able to take the publicly available email address of a person claiming to have signed the data, look-up the PGP key that's associated with that email address using a public keyserver, and be able to verify that a document, together with a signature, is valid, all by using free and commonly available tools.

* WalletMatrix doesn't require wallet vendors to digitally sign their data, but it is in their best interests to do so. Verified data instils confidence into users that vendors are taking data integrity seriously. If wallet data has not been signed or the data cannot be automatically verified during WalletMatrix's automated import process, then the wallet will not show a verified "shield" badge as highlighted in search results.

In the end, it is always up to you how much importance you attach to a validation failure.

How do I verify a wallet's data?

The digital signature described above is cryptographically associated with a particular JSON file and its contents. Any changes made to the file since it was originally signed will be immediately obvious to you if you follow the steps below.

Should verification fail, you can choose not to trust the vendors of that wallet, and instead simply select a different one whose features not only suit you, but are also able to be verified.

Some wallet vendors will have made their signing "key" publicly available via a public "keyserver". The key is a special file that lets you verify that the digital signature downloaded from WalletMatrix is indeed associated with the selected JSON file.

The complete process of verifying the features-file against the digital signature is described below. You will need the following things in order to complete this task:

  • Some PGP software for your operating system. This website lists software for Windows, Mac and Linux
  • The matrix.json file, downloaded from WalletMatrix
  • The matrix.asc signature-file, downloaded from WalletMatrix
  • The email address taken from the matrix.json file

Use an email address to locate a public key on the internet

  1. Point your browser at http://keys.gnupg.net (This is a "keyserver" of which there are many, each of which automatically synchronises with the others)
  2. Use the email address supplied in the JSON file for each selected wallet, and type that into the search field, then hit the "Search" button
  3. Select the first link of the first result
  4. What you're looking at is the public key associated with the email address. Copy all the text, starting with and ending in "-----", paste it into a new, empty text-file, then save it somewhere on your computer.

Fetch the matrix.asc and matrix.json files from WalletMatrix

  1. Perform a search for a wallet
  2. In the results matrix, review the "shield" icon located directly beneath each wallet name:
    1. If it's greyed-out - this wallet's data is either invalid or the vendor has not supplied a digital signature
    2. If it's black - this wallet's data is valid, which implies that the vendor has also supplied a digital signature
  3. On selecting the icon, you'll be presented with a modal dialogue. If the data is valid then two links will be displayed; select each and wait to be prompted for download

Verify the key itself

Before using the public key for any purpose, we need to verify that the key itself hasn't been tampered with.

  1. Obtain the key's "fingerprint" via the same keyserver you used above
  2. Check the downloaded PGP key's "fingerprint" against the fingerprint from step 1, to ensure that it is indeed the correct key. Use your PGP software of choice to do this

Import the key

Now we need to "import" the PGP key into our PGP software's local "keyring" so we can perform some verification operations with it.

  1. Using your PGP software of choice, import the key

The final step - verify!

  1. Using your PGP software of choice, use the downloaded public PGP key file to verify the contents of the signature file. If the signature is valid, then the JSON file wasn’t tampered with. You can be assured that the data is valid and was authored by the same person associated with the email address.
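The three steps above (verify the key, import it, verify the signature) as one script. This is an added example, not WalletMatrix's own code; it assumes GnuPG as the PGP software, and the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not WalletMatrix code. verify_wallet requires GnuPG (gpg).

# Strip spaces/colons and upper-case a fingerprint so two copies compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --status-fd` lines on stdin. Succeed only if the signature is good,
# nothing marks it bad/expired/revoked, and the primary-key fingerprint
# (last VALIDSIG field) equals the fingerprint you expected.
check_status() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { fpr = toupper($NF) }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && !bad && want != "" && fpr == want) }'
}

# usage: verify_wallet KEYFILE EXPECTED_FINGERPRINT [DIR with matrix.json/.asc]
verify_wallet() {
    home=$(mktemp -d) || return 1      # throwaway keyring holding only this key
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
    have=$(gpg --homedir "$home" --batch --with-colons --list-keys 2>/dev/null |
           awk -F: '$1 == "fpr" { print $10; exit }')
    rc=1
    if [ -n "$have" ] && [ "$have" = "$(normalize_fpr "$2")" ]; then
        gpg --homedir "$home" --batch --status-fd 1 \
            --verify "${3:-.}/matrix.asc" "${3:-.}/matrix.json" 2>/dev/null |
            check_status "$2" && rc=0
    else
        echo "key fingerprint does not match the expected one" >&2
    fi
    rm -rf "$home"
    return "$rc"
}

# Constructed status output (not from a real key) for trying check_status offline.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Vendor <dev@wallet.example>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2024-01-01 1704067200 0 4 0 1 8 00 $SAMPLE_FPR"
SAMPLE_BAD="[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Vendor <dev@wallet.example>"

# Run the full check when called with KEYFILE and EXPECTED_FINGERPRINT.
if [ "$#" -ge 2 ]; then verify_wallet "$@"; fi
```

Because the script compares the signer's fingerprint instead of relying on a "Good signature" message alone, a valid signature made by any other key is rejected. A fingerprint the vendor also publishes somewhere other than the keyserver gives you an independent value to pass as the expected fingerprint.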

Helpful Resources