Create App USBs
We will prepare two (2) “Quarantined App USB” drives with the software needed to execute the remainder of the protocol. These are the USB drives you labeled Q1 APP and Q2 APP in Section III of the Setup Protocol.
- Boot the SETUP 1 computer off the SETUP 1 BOOT USB if it is not already. (See the instructions in Section IV of the Setup Protocol for details.)
Insert the Q1 APP USB into the SETUP 1 computer.
The instruction to plug a Quarantined App USB into your Setup computer should raise a red flag for you, because you should never plug a quarantined USB into anything other than the quarantined computer it is designated for!
This setup process is the ONE exception.
- Press Ctrl-Alt-T to open a terminal window.
Install the Glacier document and GlacierScript on the Q1 APP USB:
- Download the latest full release of Glacier (not just the protocol document) at https://github.com/bitcoinfacts/GlacierProtocol/releases/latest.
Unpack the Glacier ZIP file into a staging area:
When the download starts, Firefox will ask you if you want to open the ZIP file with Archive Manager. Click OK. When the ZIP file download completes, it will be opened with Archive Manager.
- There will be a single entry in a list named “GlacierProtocol-version-here”, where version-here is replaced with the current version number (like “v1.0”). Click on that and then click the “Extract” button.
- The Archive Manager will ask you where you want to extract the ZIP file to. Select “Home” on the left panel and then press the extract button.
- When the Archive Manager is finished extracting the ZIP archive it will ask you what to do next. Click “Show the Files”.
- Rename the unzipped folder from “GlacierProtocol-version-here” to “glacier”.
Obtain the Glacier “public key,” used to cryptographically verify the Glacier document and GlacierScript:
If you are ever using Glacier in the future and notice that this step has changed (or that this warning has been removed), there is a security risk. Stop and seek assistance.
- Access BitcoinFacts’s Keybase profile at https://keybase.io/bitcoinfacts.
- Click the string of letters and numbers next to the key icon.
- In the pop-up that appears, locate the link reading “this key”.
- Right-click the link and select “Save Link As…”
- Name the file “glacier.asc”.
Verify the integrity of the Glacier download:
- Import the Glacier public key into your local GPG installation:
$ gpg --import ~/Downloads/glacier.asc
- Switch to the glacier folder:
$ cd ~/glacier
- Use the public key to verify that the Glacier “fingerprint file” is
$ gpg --verify SHA256SUMS.sig SHA256SUMS
Expected output (timestamp will vary, but e-mail and fingerprint should match):
gpg: Signature made Sat Dec 18 12:23:10 2021 PST using RSA key ID B85C0836B6D7EE692354EBE652715E71074975D5
gpg: Good signature from "bitcoinfacts <firstname.lastname@example.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B85C 0836 B6D7 EE69 2354 EBE6 5271 5E71 0749 75D5
The warning message is expected, and is not cause for alarm.
- Verify the fingerprints in the fingerprint file match the fingerprints
of the downloaded Glacier files:
$ sha256sum -c SHA256SUMS 2>&1
Glacier.pdf: OK
Glacier-linux-only.pdf: OK
glacierscript.py: OK
base58.py: OK
README.md: OK
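The two checks above can be scripted so that they pass only when the signature comes from the key whose fingerprint appears in the expected output, not from any other key that happens to be in the keyring. This is an added example, not part of Glacier: the function names are hypothetical, and it relies on GnuPG's machine-readable `--status-fd` output.

```shell
#!/bin/sh
# Added example (not part of Glacier). Function names are hypothetical.
# Primary key fingerprint from the expected gpg output above, spaces removed.
GLACIER_FPR="B85C0836B6D7EE692354EBE652715E71074975D5"

# status_ok PINNED_FPR
# Reads "gpg --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
# names PINNED_FPR as the primary key and no failed-signature status appears.
status_ok() {
    pinned=$1
    matched=1
    while read -r tag kw rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
            VALIDSIG)
                # The last VALIDSIG field is the primary key fingerprint;
                # the first is the key or subkey that made the signature.
                primary=${rest##* }
                if [ "$primary" = "$pinned" ]; then matched=0; fi ;;
        esac
    done
    return "$matched"
}

# verify_pinned SIGNATURE_FILE SIGNED_FILE
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_ok "$GLACIER_FPR"
}

# verify_release DIR: signature on SHA256SUMS first, then the file hashes.
verify_release() {
    ( cd "$1" && verify_pinned SHA256SUMS.sig SHA256SUMS && sha256sum -c SHA256SUMS )
}

# Run as: sh verify.sh ~/glacier
if [ "$#" -eq 1 ]; then
    verify_release "$1" && echo "Glacier release verified"
fi
```

The hash check runs only after the signature on SHA256SUMS has been accepted, so a modified SHA256SUMS file is rejected before its contents are trusted.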
- Copy the “glacier” folder to the Q1 APP USB:
- Click on the File Manager icon in the launching dock along the left side of the screen.
- Find the “glacier” folder under “Home”.
- Click and drag the glacier folder to the icon representing the USB drive on the left.
If you see an “Error while copying” pop-up, you may be suffering from this Ubuntu bug. To fix it, do the following and then retry copying the files:
$ mv ~/.config/nautilus ~/.config/nautilus-bak
- Log out of Ubuntu: Click the power icon in the top right of the screen and select “logout” from the drop-down menu.
- Log in again with user “ubuntu” and leave the password blank.
- Open the Glacier Protocol document so that it is available for copy-pasting terminal commands.
- Install the remaining application software on the Q1 APP USB:
- Configure the system to enable access to the software we need in Ubuntu’s “package repository”:
$ sudo apt-add-repository universe
$ sudo apt-get update
- Create a folder for the application files that will be moved to the
$ mkdir ~/apps
- Download and perform integrity verification of software available from Ubuntu’s package repository:
- qrencode: Used for creating QR codes to move data off quarantined computers
- zbar-tools: Used for reading QR codes to import data into quarantined
$ cd ~/apps
$ apt download libqrencode3=3.4.4-1build1
$ apt download libzbar0=0.10+doc-10.1build2
$ apt download qrencode=3.4.4-1build1
$ apt download zbar-tools=0.10+doc-10.1build2
View the fingerprints of the files:
> Get-FileHash -a sha256 *.*
$ shasum -a 256 *.*
$ sha256sum *.*
The following fingerprints should be displayed:
e2815703e5ed29f47a8434fbc23535b7bdd938e4483c925bfbc92414f2715d56  libqrencode3_3.4.4-1build1_amd64.deb
0e11e3adc2a0abaa33130c06404da94488a015a1cc90752ea82807f836e671e0  libzbar0_0.10+doc-10.1build2_amd64.deb
7b46f0f4d2a985f7130c14902b1cbfae1b26558d2609f4b38e4196d6321fe18c  qrencode_3.4.4-1build1_amd64.deb
a0fe2d5eec20b8d744ecbedc311b44040e2fae6b9927291862d774752aed4d83  zbar-tools_0.10+doc-10.1build2_amd64.deb
It’s not important to check every single character when visually verifying a fingerprint. It’s sufficient to check the first 8 characters, last 8 characters, and a few somewhere in the middle.
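The same comparison can be done mechanically, which checks every character and also flags a package that is missing from the folder or present but not listed. This is an added example, not part of Glacier: `check_debs` and `PINNED_DEBS` are hypothetical names, and the pinned values are the four fingerprints listed above.

```shell
#!/bin/sh
# Added example (not part of Glacier). check_debs is a hypothetical name.
# Fingerprints listed on this page, in "sha256sum -c" format (two spaces).
PINNED_DEBS='e2815703e5ed29f47a8434fbc23535b7bdd938e4483c925bfbc92414f2715d56  libqrencode3_3.4.4-1build1_amd64.deb
0e11e3adc2a0abaa33130c06404da94488a015a1cc90752ea82807f836e671e0  libzbar0_0.10+doc-10.1build2_amd64.deb
7b46f0f4d2a985f7130c14902b1cbfae1b26558d2609f4b38e4196d6321fe18c  qrencode_3.4.4-1build1_amd64.deb
a0fe2d5eec20b8d744ecbedc311b44040e2fae6b9927291862d774752aed4d83  zbar-tools_0.10+doc-10.1build2_amd64.deb'

# check_debs DIR [MANIFEST]
# Succeeds only if DIR holds exactly the files named in MANIFEST, each with
# the pinned SHA-256. MANIFEST defaults to the fingerprints from this page.
check_debs() {
    dir=$1
    manifest=${2:-$PINNED_DEBS}
    (
        cd "$dir" || exit 1
        # Every listed file must be present and match all 64 hex characters.
        printf '%s\n' "$manifest" | sha256sum -c --strict --quiet - || exit 1
        # Reject files the manifest does not name, such as an extra package.
        names=$(printf '%s\n' "$manifest" | sed 's/^[0-9a-f]*  //')
        for f in *; do
            if ! printf '%s\n' "$names" | grep -qxF -- "$f"; then
                echo "unlisted file: $f" >&2
                exit 1
            fi
        done
    )
}

# Run as: sh check_debs.sh ~/apps
if [ "$#" -eq 1 ]; then
    check_debs "$1" && echo "all packages match the pinned fingerprints"
fi
```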
- Copy the contents of the apps folder to the Q1 APP USB:
- Click on the File Manager icon in the launching dock:
- Navigate to the “Home” folder.
- Click and drag the “apps” folder to the icon representing the USB drive on the left panel.
- Download Bitcoin Core, which we’ll use for cryptography & financial operations:
$ mkdir ~/bitcoin
$ cd ~/bitcoin
$ wget https://email@example.com
$ wget https://bitcoincore.org/bin/bitcoin-core-22.0/SHA256SUMS.asc
$ wget https://bitcoincore.org/bin/bitcoin-core-22.0/SHA256SUMS
$ wget https://bitcoincore.org/bin/bitcoin-core-22.0/bitcoin-22.0-x86_64-linux-gnu.tar.gz
Then drag the “bitcoin” folder to the Q1 APP USB.
- Click on the USB drive icon to verify that it has the correct files. The contents should look like this:
apps
glacier
bitcoin
apps folder. It will have the following content. Note that the version number of the Bitcoin package may change as new versions are released. Future versions of Glacier may pin to a specific version.
libqrencode3_3.4.4-1build1_amd64.deb
libzbar0_0.10+doc-10.1build2_amd64.deb
qrencode_3.4.4-1build1_amd64.deb
zbar-tools_0.10+doc-10.1build2_amd64.deb
bitcoin folder. It will have the following content:
firstname.lastname@example.org
SHA256SUMS
SHA256SUMS.asc
bitcoin-22.0-x86_64-linux-gnu.tar.gz
glacier folder. It will have the following content:
t
glacierscript.py
base58.py
SHA256SUMS.sig
SHA256SUMS
README.md
Makefile
LICENSE
Glacier.pdf
Glacier-linux-only.pdf
Eject and physically remove the Q1 APP USB from the SETUP 1 computer.
The Q1 APP USB is now eternally quarantined. It should never again be plugged into anything besides the Q1 computer.
- Repeat all above steps using the SETUP 2 computer, SETUP 2 BOOT USB, and Q2 APP USB.
- Find a container in which to store all of your labeled hardware, along with the Glacier document hardcopy, when you are finished.