Warning: The binaries of the CLI wallet were compromised for a short time
by Riccardo Spagni
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Yesterday a GitHub issue about mismatching hashes coming from this website was opened ( https://github.com/monero-project/monero/issues/6151 ). A quick investigation found that the binaries of the CLI wallet had been compromised and a malicious version was being served. The problem was immediately fixed, which means the compromised files were online for a very short amount of time. The binaries are now served from another, safe, source. See the Reddit post by core team member binaryFate: https://www.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_bina...
It's strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries. If they don't match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason.
We have two guides available to help users check the authenticity of their binaries: Verify binaries on Windows beginner ( https://getmonero.org/resources/user-guides/verification-windows-beginner... ), and Verify binaries on Linux, Mac, or Windows command line advanced ( https://getmonero.org/resources/user-guides/verification-allos-advanced.html ). Signed hashes can be found here: https://getmonero.org/downloads/hashes.txt.
The situation is being investigated and updates will be provided soon.
The Monero community
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEElLc43TUBMvWsvuodVUMt8xzNT80FAl3UQcYACgkQVUMt8xzN
T80hUAgAkUC/SHuECzqcpIT2Flt4YkWZRWxPH9OLZfU/1HplVwGdJ6XA/4FoYNZ2
oTyArBPqCREmsjCPfyIIk0HwSRMJ4rmU/nEo/uFFlg1tla+tSXDXe7UuRt87TzzX
aZryB6TeXl0DyKXC6cDkCPF70kD0xVxrOc4WViSt8zHOCO+27BzzBBaUVryMGNSu
UTyptQ+YR4AWd8jMGPRGQfqu+o/CnNCaPeK7LsgB8/86z2zP9LdoeH14sE4nVgpy
tXc0iTn+XWHeZ9b1vFHy4W5qJ/0k9yRjiJs05DujS3dfH523zGjM7YRVuKx0R8ne
g3NCJTB/nc1W53tzwrbwSFmliysCcw==
=PZFl
-----END PGP SIGNATURE-----
5 years