Skip to content

java-tron Release Package Signature Verification

This document provides developers with instructions on how to verify the signature of the TRON java-tron executable file to ensure its authenticity and integrity. The signature verification process requires three key pieces of information: the executable file to be verified, its digital signature, and the public key corresponding to the private key used for signing. The verification principle is to use the content of the executable file and its signature to derive the signing public key and compare it with the public key officially released on the java-tron GitHub repository. If they match, it confirms that the java-tron executable you obtained is consistent with the one published on GitHub and has not been tampered with.

TRON's signing method for java-tron release packages has been adjusted:

  • For new versions released on or after January 3, 2023: GPG is used for signing and verification.
  • For versions released before January 3, 2023: A specific TRON account's public and private keys were used for signing and verification.

This document will detail both of these signature verification processes.

GPG Signature Verification Process

For java-tron versions released after January 3, 2023, you must use GPG for signature verification. The java-tron executable and its corresponding signature file are published together on the GitHub Releases page. Please follow the steps below to perform GPG signature verification.

1. Install GPG

If you have already installed GPG, you can skip this step. Otherwise, install it using the command for your operating system:

brew install gpg
* Debian, Ubuntu, or other Linux distributions: 
sudo apt install gpg

2. Import the Public Key

If you have previously imported the public key, you can skip this step, as it only needs to be imported once.

First, get the public key hash and UID of the java-tron release package GPG signature from the java-tron GitHub repository. For example:

pub: 1254 F859 D2B1 BD9F 66E7 107D F859 BCB4 4A28 290B
uid: build@tron.network

Then, import the public key from the GPG public key server to your local machine using the public key hash:

gpg --recv-keys "1254 F859 D2B1 BD9F 66E7 107D F859 BCB4 4A28 290B"

If the public key import is successful, you will see output similar to this:

gpg: key 785FB96D2C7C3CA5: "build_tron <build@tron.network>" public key imported
gpg: Total number processed: 1
gpg:               imported: 1

3. Verify the Signature

Assuming the executable you want to verify is FullNode.jar and its corresponding signature file is FullNode.jar.sig, run the following command to verify the signature:

gpg --verify FullNode.jar.sig FullNode.jar

If the signature verification passes, you will see the following text:

gpg: Signature made Wed Jan  6 12:21:51 2023 CST
gpg:                using RSA key 1254F859D2B1BD9F66E7107D F859BCB44A28290B
gpg: Good signature from "build_tron <build@tron.network>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 07B2 3298 AEA4 E006 BD9A  42DE 785F B96D 2C7C 3CA5
Subkey fingerprint: 1254 F859 D2B1 BD9F 66E7  107D F859 BCB4 4A28 290B

If the verification fails, it will display text like Bad signature from "build_tron <build@tron.network>".

TRON Address Signature Verification Process

For java-tron versions released before January 3, 2023, the release packages were signed by the TRON account TKeAcHxgErbVXrG3N3TZiSV6AT566BHTj2. The signing process is as follows:

  1. First, the SHA256 hash of the executable file is calculated.
  2. Then, the SHA256 hash is signed with the private key of the TRON account.

The SHA256 hash and signature result for the release packages can be found in the Historical Version Signature Information section of this document or on the GitHub Releases page.

Here, we will use the popular TRON JavaScript library, tronweb, to demonstrate the signature verification process. TronWeb provides the Trx.verifySignature interface to verify signatures. A successful verification will return true; otherwise, it returns false. Please follow the process below to verify.

1. Install TronWeb

If you have already installed TronWeb, you can skip this step. Otherwise, install it using the following command:

npm install -g tronweb

2. Verify the Release Package's Integrity

To ensure the integrity of the release package, you need to check if its SHA256 hash matches the hash provided in the release information.

For the Odyssey-3.7 version, for example:

  • The release package file name is: FullNode.jar
  • The release package's SHA256 is: 2fca93b09da4ac62641e03838e77fce99b4711ddb0c09aa91656c80fc9556d2e
  • The signature is: 21435e32131feb6d00ba8048df04e112e02569ec851064d8ecad2d4dd5da44b7628ddce16823dadfff6fd683fc58cee74964970621a845ee459e2c96a750de551b

On your system, execute the following command to calculate the SHA256 hash of FullNode.jar:

  • macOS: 
    shasum -a 256 FullNode.jar
  • Debian, Ubuntu, and other Debian-derived systems: 
    sha256sum FullNode.jar
    Compare the hash value from the command's output with the hash provided in the release information.

3. Check the Release Package Signature

Use the tronweb's Trx.verifySignature interface to verify the release package's signature. Execute the following JavaScript code in your command line:

# Trx.verifySignature(SHA256, ADDRESS, SIGNATURE));
node -e 'console.log(require("tronweb").Trx.verifySignature(
    "2fca93b09da4ac62641e03838e77fce99b4711ddb0c09aa91656c80fc9556d2e",
    "TKeAcHxgErbVXrG3N3TZiSV6AT566BHTj2",
    "21435e32131feb6d00ba8048df04e112e02569ec851064d8ecad2d4dd5da44b7628ddce16823dadfff6fd683fc58cee74964970621a845ee459e2c96a750de551b"
))'

If the signature verification passes, it will output true; otherwise, it will output false.

Historical Version Signature Information

Odyssey-3.7

FullNode sha256sum: 2fca93b09da4ac62641e03838e77fce99b4711ddb0c09aa91656c80fc9556d2e
FullNode signature: 21435e32131feb6d00ba8048df04e112e02569ec851064d8ecad2d4dd5da44b7628ddce16823dadfff6fd683fc58cee74964970621a845ee459e2c96a750de551b
SolidityNode sha256sum: fcdea8b3e511306218ba442fb0828f0413574012d646c39c212a59f6ba5844bc
SolidityNode signature: 6dcad6e02f17467e5cfebeefa0f9963da08e7da10feebefdec47d689fecc30f104c9b7f5e784b883e7ceb786fe55188356c42c306d727fb7819eed2a71f788361c

GreatVoyage-4.0.0

FullNode sha256sum: d3f8f9fde64bdefaadae784d09de97172e5e8a3fe539217e12b89963983a530d
FullNode signature: e788dbaf2fe35f099f65b2403cfb0d7cbe7f4611f8c5ff8151e4bd84ae468d2e541043c9cde9e74500003027ae9f25cdda81a9bcd60abb45ca7a69f965f4dcc71c
SolidityNode sha256sum: adddf88423c6c31f1f25ed39b10779c24dd7cdcf37f2325c02b2f2ecfc97e1f6
SolidityNode signature: e3b9859f178f7851dedb7a0a8deb715e5f1e3af10b1064c36f2727ec2b8825510df4fd7b09d7d049204e5df3e8d5b87778e83a15ca96ce786f7977a6cb48bca91b

GreatVoyage-4.1.1

FullNode sha256sum: 30e716b86b879af1e006c2b463903ae3835e239e32e2b01c2a1b903a153897fe
FullNode signature: 5faee65a448bb9aa77835992ca3d24e50d8a76b7934f80664ad38e83179c8114278fdef4494de7231f8e40de86461676a7aa4a54c795f4c692e91d90e156ec471b
SolidityNode sha256sum: 10a160181053b421109ecace74df5fc0f8860bc8a70181add65fd9a292c35a44
SolidityNode signature: 1d1413b13adf7778f9a720294eca066ac728ad636d166505276f5ff1f63973c100c04778f937f240f10107edb7de477604857867fc4dbdb68238169c978fc3da1b

GreatVoyage-v4.1.2

FullNode sha256sum: 4ded44b6c1a3dbd25212e14ab413142b5463dcbf30a528f83ded529048542547
FullNode signature: 57a094c1b8a5ec301ef913eb718de2498b5695eb999530863df05252ba8919ba6866c8490e29d36f7dbf34537c898ece5ef0111efb134419c3a5fd6fc9ec03b81c
SolidityNode sha256sum: 3db36cadbd1f7641aafc8164983f28df4b7ceff8174e090327ed407012cf12cb
SolidityNode signature: d07604f6811cbed628dd6e5c07880c2fdd3025848fd5365925531c7748467d5228fea2e18326864acc27f3b51c73b364fa44c450d8ec4b5080a7ddb7566724701c

GreatVoyage-v4.1.3(Thales)

FullNode sha256sum: c5fb99ad5b024bb7877118f30fb6065f6e6febd11a3cfa241521cbed73cca181
FullNode signature: d80ec371e791c4316925d80ff3400cf51b14c8a4d4c696b7817c517eb094823622932b45b9b37f9e9657513c3eddb1134fbbb1ee56727c0957e8a3b40c67409b1c
SolidityNode sha256sum: 4b941d71b561a8b2e0b97d7498823d900eaf287910eea1eaafc649f5aad14036
SolidityNode signature: f8a8e8d411b009d02986cad1e19e745f8107384a274f146bcae60c570111b13556ff9ab528eb5d1fb4734bd4ef488ade4038781d06ab6420e35f28be6135fe9b1c

GreatVoyage-v4.2.0(Plato)

FullNode sha256sum:
bbf103432be016b582452137b4862140af15ccf7c5daa9be738450705317fdb8
FullNode signature:
326701699a5eb8d497eb454b5b74c1559961417fb6f262b4e6314052d73f5977312e0450937fa485236f51f706b434acf8659ce1325d704097c5748629e736ef1c
SolidityNode sha256sum:
1db544cbca9dc814683ccf9bef28f7d6ca4469289052230394aaf4e3bcd08615
SolidityNode signature:
47fea27df940db0d2a4c0abf6d06969882c027bc4f17449205a28ae5cd25b8ba5339e21f105fe1c25e799d0f4ffea64a15046b9baf5b54341411b5180da439011b

GreatVoyage-v4.2.1(Origen)

FullNode sha256sum:
9888710c915a4027f1bc3dcb1d5d983e0c00d4c438f6fa307d412f62ff6862ea
FullNode signature:
6e7d8ef9d033ebf9213118b7511f4ecc5def97442844fbd34de3ef76dd417a0d45da3e2e70fc213475d7fc0a44df1c54732874d858ec980159c5dbffc975680a1c
SolidityNode sha256sum:
c70edffa3022e9c25bf845ee978e3500c3ada89b473d895a715acf1738b83f10
SolidityNode signature:
0e366acce33bb7c6b02fa143a57d9380c94d3513a9fba8692efe2862a8f7df93156edbddd075f1844f2f81398b14f2db6a03e21f0f6b8ab25649fae4dc16ae731b

GreatVoyage-v4.2.2(Lucretius)

FullNode sha256sum:
8a7f8143b3351ea6b5d8e3dfc857b09256d363d4907ba3ab0288f67f77c2a58f
FullNode signature:
71c6300ace5cbf16d78a32aa4602c3f129cb768e32acffaecd17b4134b5955bf37efda1d27025e894e521184a21174e5eddf4e7d1f86761657827795cbddfcfd1c
SolidityNode sha256sum:
2d0d5334a232b7b74df8ed3211d9e0ac957894f81e9172010732f2159da261ad
SolidityNode signature:
0696f8cb3c65324c4b04f9ecf89d939bf7e1b955144e3fe75eeca6bd4c639e463afbe24e31ae38a6889d4d0649ae03fafeeb7c337b34a36fbac33962f64651671b

GreatVoyage-v4.2.2.1(Epictetus)

FullNode sha256sum:
8bd040a8db16ccba3e957ed3558b82d145928153a53f9688302849658a72f9bc
FullNode signature:
3137a8ba8fa5556e4c4a7597aec8f5f46ebb79a64edcf9e2925d2e3314afde3e0f42fd4080e5e4f4d3d1eff263d30478b0322e6dbcc71c43b534f614004b5c561b
SolidityNode sha256sum:
ee8abd39732e4901828a61124880f1d2eab62f7f3d97150f1e1921bf7da10e54
SolidityNode signature:
092b08184677449dd283a31cc486f994166cd9f5ad312a9c80d3e06689ec540774ac9a1334dffeb6412039ed70ee912ead39c4025dd69b688ea9df4dd831b5771c

GreatVoyage-v4.3.0(Bacon)

FullNode sha256sum:
b5e993800cea5ca040758dd6b3c7438def03cbf1358468beb76ea45399a59298
FullNode signature:
8da6ac58129d78d948810e4bc7372dd8aef5232bfbc4c33ad8fb21e88314e3d97dd77509e0f03a98da32679495152ccd4a9d07541589822e5cf5d3d4f61877191b
SolidityNode sha256sum:
446a4736901958a450e4e95aaca99a63957163854fb32d25eed84600e6996668
SolidityNode signature:
c27ffde8ce88ee14689e15a9d5c3fb2d2a9d180ea43b45046131df8ac5481fae2588621b395ad7031ed49d65ddd020b3ce084537e3f527d8a5a979f8c65265561c

GreatVoyage-v4.4.0(Rousseau)

FullNode sha256sum:
bf7f962846f75139dd89ac6da32074cad33b2e172c0749abbed8773cc1ab1a37
FullNode signature:
56ed97f3451e3d731f799bad952750d56aa78a9a91a2688b4d6b956328ede7e01bae78037ad6ef1f9c682b566e954dfb958271f006e5cf0dcace5768d76fda6e1b
SolidityNode sha256sum:
9dac37763ddf75c07335ec070f837b63ee46b698066dd25c4756ad40f8750d5f
SolidityNode signature:
cc4325c085719e3e5045b5c6c2553d7adc9c735419618f7afad06c3a532da0ed46906ae9b2dadb15d7f94150268d5ecdc7fd2741693991586d50da30a8d917071b

GreatVoyage-v4.4.1(Protagoras)

FullNode sha256sum:
4a32918849dc8a7fedcb637ff4939389363726cb16c6a581e39253260668ee04
FullNode signature:
fd747f61705ef045143bd2d55b278ca347904323711e2e86b11cf1dd203f198443ab1a399767a570005bd5b2ea283187ccc41557ffb79c959b018e8d798b96f81c
SolidityNode sha256sum:
b6a06d3b19f41591bd8c01f35e78b316ab8e9ad4c0740128fc95ba52d3106f34
SolidityNode signature:
d2836bda30fd25c89494ae7a12b5357bc9e725c9e2c655fb0a9158a4bee881693ea869defe650b0b4f190458a5268f1c121e73c8305cc81a408e62fca0d234c51b

GreatVoyage-v4.4.2(Augustinus)

FullNode sha256sum:
70eba12350fa21e1b261927093090e7bdf0765592d19433c594149bd3707ef0a
FullNode signature:
14430f463e6fab3dd247aca6267b6aaf2f1869b455d95aee297208bd1561c6c67559d9c535e63e74bbef604141cc4ceec78367a75e6ca4d4ceb6513019329c9b1b
SolidityNode sha256sum:
f08438e093cc1091859f0ee9dbc7e79b0d5d9068facd4e6485374baa3acf59d1
SolidityNode signature:
f3935dfe4af9601cf102c975ed2eebbd4b42160e8746c0d0b21ffbd2fbd4b6f374257b1bc0e948909a9ef343d2cc70671961c8f7a992b6cd123f9ad3c8c323391c

GreatVoyage-v4.4.3(Pythagoras)

FullNode sha256sum:
c07637a1a4a9a289218554f4714caef90032e267b068411c7dd818d4af45e39f
FullNode signature:
2bf8d65adf556fe2c04b739c1f4e6e73058914cf642a7806ff85e57be2ff122e35cbf3d67b0bc8bad4fb827198ffd8e06f60111a167ecb0b3db0d8e571b8c67b1c
SolidityNode sha256sum:
64f4614160b9330d0a9e984686b66fa16e9aecf7ae16e32b8cc7c32f52694eef
SolidityNode signature:
dc0f910555a23667d682a6775588de90592ede44f76a32b12ea8f89fa7dcc937274cc3a44b20da49726323cc9f476d42caa318c338858474f02bf98cc398bca81c

GreatVoyage-v4.4.4(Plotinus)

FullNode sha256sum:
0264d382489dae5bf1d340030c1892b0a7aeb9364cb9380c034e159c9eb9a269
FullNode signature:
70cdece8c3510ce4d7d84d5d2c8b53895397c0134d73d681b6b41d4de80d74ce2c2760fdf080ff0ce8c0989246377fca529cb1a2e85e1936755abef4be64f0971b
SolidityNode sha256sum:
b58e7b8b0f97eb2a7a0ce5c5aeb2ce070192ca82c96adc8568aabe4f3407d873
SolidityNode signature:
26da2e507bbd7e82e0170039cc1c0e42332fb2dfc755aeb385240f0a93125b6c0f1e943ccf1a4e9bfec7fdd4d8a26375a38e030e0b8b69af3e2c181bf08444111b

GreatVoyage-v4.4.5(Cicero)

FullNode sha256sum:
8115e887e5af5768e8ab967f8e7bc024af94bda31be7f3dbc30934b42489d988
FullNode signature:
1a02f26eb6065efe5697123528f32ea352d813f9e5acf5936407ad8899c4019539e31b257cafe34b9f8045602f5a4f381b3dd8252a30bb9daf52aeeb078b54711b
SolidityNode sha256sum:
95884a07dcbb1531ec7ae20b7162cab3bb9c4bd2e300447c01c4772e02b24a20
SolidityNode signature:
8adab9501bbb2a3d9f3055c91e819f86081df9b92228a86afb7f0a27165a42690dbeb50f0f1fd1f7180b51809a291c5ff3860e49f888cf0ba87b401d3dda6e271c

GreatVoyage-v4.4.6(David)

FullNode sha256sum:
eaf213f6e6cd9913f9f27bf72a42209c1a0f0fce9841c1d6bd680d879d7d6f85
FullNode signature:
064abe833436b3a2e9b66406abf81d12a20f9d28ef669abe7c87c0d750e58cf10c1e65de6fbd0fc368022f93e4c330b42ea9775ead91962480436985c90ad3b11c
SolidityNode sha256sum:
c3e9ccc1a4d2aac4c081ae01db86a0901b6f3506e3f8a953315e47ae274a98c1
SolidityNode signature:
a03d5d6f0e6c6b869f2e545d8c3ff8a4fed569508e9abe4219271d8bf25dfb015e242add8fd2ab6b8b412dd6b393639517957877e8eb7c07ff43a1351a88d62f1b

GreatVoyage-v4.5.1(Tertullian)

FullNode sha256sum:
db3c75d7854dcf241558c2942b9a582f478c00a88b6f7a7e5ff8a653a8d4c59a
FullNode signature:
61ba205f28c3bc7fa228c27e4e3b4d460ef4fad75ca1d38d82540d45eea2d3d720196b607cd45c560db7a749d05bfe8089c61fba5843e98d61fec90f1591f2861b
SolidityNode sha256sum:
537a81bd781d416229de5e0875247160f2569c378c8eed703203d0acca5be5f1
SolidityNode signature:
a736f9de5425562a2af188c547245f9b4da6d793728bc767242e3df75fa104f61ce978b62fc5cea7f6008bdb51faa9510ff5633702cdb1ddca29cb06a18920d21c

GreatVoyage-v4.5.2 (Aurelius)

FullNode sha256sum:
60e959ccde3ff90c10b503bb25edf37684845e358df2ad64b2b330712b30c177
FullNode signature:
f2f4b6050e639047857c5b5331eb006dcc9c1e0427bac4ae3d934f7436080785472ead691aa16e6a5aed3c2932fb279ce8ab3580449071b878e0d31fdf01f0371c
SolidityNode sha256sum:
4783b8abef12a6c7b8319f3e8960c1d3126edcc521ac1fc3429fe2870cab91b0
SolidityNode signature:
afb5db2467ce9f5445679df53e2fecfaed3c4a2d0ca2ba88b65e621aa2d37a9e6aab06b30052a9381087d0164cb5c347d710b2b1c59e6f7c7107deacfd1cfc961b

GreatVoyage-v4.6.0 (Socrates)

FullNode sha256sum:
598589d428085e25c838552970844b0ba00248ad92873bd2ad25b35f37db7a5b
FullNode signature:
d3bcfa1bea64b7e58cb94603563cb0c5e47bc20316f61b0dfc966fb64ae846f21b8f917a63328416993f524f4de55ddf5083f163b1fe1b811a9a6f4532725c8e1c
SolidityNode sha256sum:
ee37a425a84677063b6ea44ed073b8260e336586a61debc10ce0b1544bf7db6a
SolidityNode signature:
332c273ef1cdae8dc39c76a83b38750a74b3dd1b915e49698e4ae6870cfed49a1449e8d8db995c7a6be2295e2603efedb0f3e8e906ac7681583c5023b28a521d1b