Topic: Can I verify that the official binary was compiled from the open source code? (Read 916 times)

administrator
Activity: 5222
Merit: 13032
Where can I read more about this environment? I'm very interested in having the same thing for my own app.

It's Gitian. See https://github.com/bitcoin/bitcoin/blob/master/doc/gitian-building.md for some info about Bitcoin's use of it.
legendary
Activity: 1176
Merit: 1015
Yes. The official binary is compiled in a special environment that can be exactly replicated so that the binary can be verified. It's a bit difficult to set up, though.

Where can I read more about this environment? I'm very interested in having the same thing for my own app.

I'm very sure it's http://gitian.org/
full member
Activity: 200
Merit: 104
Software design and user experience.
Yes. The official binary is compiled in a special environment that can be exactly replicated so that the binary can be verified. It's a bit difficult to set up, though.

Where can I read more about this environment? I'm very interested in having the same thing for my own app.
sr. member
Activity: 518
Merit: 250
First compare the code you have downloaded with the original.
Then compile it.
legendary
Activity: 1176
Merit: 1015
Yes. The official binary is compiled in a special environment that can be exactly replicated so that the binary can be verified. It's a bit difficult to set up, though.

Is this the preferred process?

http://gitian.org/
administrator
Activity: 5222
Merit: 13032
Yes. The official binary is compiled in a special environment that can be exactly replicated so that the binary can be verified. It's a bit difficult to set up, though.
legendary
Activity: 4130
Merit: 1307
On the download page on bitcoin.org you can click the link "Verify signature releases" which will download the signatures and then you can use the signatures to verify it is the correct release.

E.g., something like

gpg --verify ...
legendary
Activity: 1974
Merit: 1029
Is there any way to verify that the binaries were actually produced from the advertised source code?

Compile the source using gitian and check that the generated binaries are identical to the published ones.
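
The comparison step described above, as an added example that is not part of the original thread or of the Bitcoin Core project: it checks locally built files against a published hash manifest and reports which ones were reproduced byte for byte. It assumes the manifest uses the `sha256sum` line format and that its signature has already been checked with `gpg --verify`; the file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex> <mode char><file name>'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rest = line.partition(" ")
        # Drop the text/binary mode marker and any path the manifest carries.
        name = os.path.basename(rest[1:] if rest[:1] in (" ", "*") else rest)
        is_hex = len(digest) == 64 and all(c in "0123456789abcdef" for c in digest.lower())
        if not is_hex or not name:
            raise ValueError(f"malformed manifest line: {line!r}")  # fail closed
        entries[name] = digest.lower()
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_build(manifest_text, build_dir):
    """Return {file name: 'match' | 'mismatch' | 'missing'} for each manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(build_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        else:
            results[name] = "match" if sha256_file(path) == expected else "mismatch"
    return results

def demo():
    """Constructed sample: one reproduced file, one differing file, one not built."""
    published = {"app-linux.tar.gz": b"release bytes", "app-win.zip": b"official zip",
                 "app-mac.dmg": b"official dmg"}
    manifest = "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n"
                       for name, data in published.items())
    with tempfile.TemporaryDirectory() as build_dir:
        local = {"app-linux.tar.gz": b"release bytes", "app-win.zip": b"differs by one byte"}
        for name, data in local.items():
            with open(os.path.join(build_dir, name), "wb") as f:
                f.write(data)
        return compare_build(manifest, build_dir)
```

A "mismatch" only means the two builds differ; a non-deterministic build environment produces that result as readily as a tampered binary, which is why the build has to be reproducible before the comparison says anything.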
legendary
Activity: 1628
Merit: 1012
You could always compile it yourself.

Most people have trouble with the dependencies, and admittedly in the past this included me, so we just accept the binaries and move on.

Do you believe there is a fake going around? Would be interesting.
pf
full member
Activity: 176
Merit: 105
The Bitcoin website, https://bitcoin.org, provides links to both binaries and source code of Bitcoin Core (Bitcoin-Qt).

I would say that 99% of people just download the binaries and trust them.

Is there any way to verify that the binaries were actually produced from the advertised source code?