Topic: How to verify bitcoin binary with gpg pgp signature? (Read 3156 times)

legendary
Activity: 1974
Merit: 1030
Hmm, that "This key is not certified with a trusted signature!" is a little unnerving. OTOH I did trust this signature with my money, perhaps I should tell about this level of trust to gpg? This way all future signature checks will say something like: level of trust - all your bitcoins.

That is related to the GPG WoT and has nothing to do with bitcoin.
sr. member
Activity: 298
Merit: 250
Hmm, that "This key is not certified with a trusted signature!" is a little unnerving. OTOH I did trust this signature with my money, perhaps I should tell about this level of trust to gpg? This way all future signature checks will say something like: level of trust - all your bitcoins.

What do you think?
legendary
Activity: 1974
Merit: 1030
So I think that with litecoin it is much simpler. Just look in my opening post - it was a three liner for litecoin. Here I must copy paste, manually download from website, and perform a comparison of sha256sum written in the text file (likely with grep & copy-paste). With litecoin it was just two times wget, and one gpg call.

With bitcoin you download bitcoin itself and the SHA256SUMS file. Then you gpg validate it and compare the hashes. It's only an additional call to sha256sum so no big deal.
sr. member
Activity: 298
Merit: 250
Time for new glasses:
See "Verify release signatures" on http://bitcoin.org/en/download

Thanks, indeed. Here's how I did that:

copy-paste http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.5/SHA256SUMS.asc/view into some text file, in my case I called it bitcoin-0.8.5-linux.tar.gz.sig (I wish I could just use wget), then run this:

Code:
$ gpg --verify bitcoin-0.8.5-linux.tar.gz.sig
gpg: Signature made pią, 13 wrz 2013, 02:27:02 CEST using RSA key ID 1FC730C1
gpg: requesting key 1FC730C1 from hkp server subkeys.pgp.net
gpg: key 1FC730C1: public key "Gavin Andresen (CODE SIGNING KEY) " imported
gpg: 5 marginal(s) needed, 2 complete(s) needed, classic trust model
gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   2  signed:   1  trust: 2-, 0q, 0n, 0m, 0f, 0u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1

Looks OK.

Then compare that with
Code:
$ sha256sum bitcoin-0.8.5-linux.tar.gz
84543f10de5e82ce6e88dd5a501db37c6327edf79a2a04f29199c24843e71f63  bitcoin-0.8.5-linux.tar.gz


So I think that with litecoin it is much simpler. Just look in my opening post - it was a three liner for litecoin. Here I must copy paste, manually download from website, and perform a comparison of sha256sum written in the text file (likely with grep & copy-paste). With litecoin it was just two times wget, and one gpg call.
legendary
Activity: 1974
Merit: 1030
Code:
$ gpg --verify SHA256SUMS.asc 
gpg: Signature made Fri 13 Sep 2013 02:27:02 AM CEST using RSA key ID 1FC730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1
$ grep linux SHA256SUMS.asc; sha256sum bitcoin-0.8.5-linux.tar.gz
84543f10de5e82ce6e88dd5a501db37c6327edf79a2a04f29199c24843e71f63  bitcoin-0.8.5-linux.tar.gz
84543f10de5e82ce6e88dd5a501db37c6327edf79a2a04f29199c24843e71f63  bitcoin-0.8.5-linux.tar.gz
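
The check from the post above as one script, added here as an example and not code from any poster or from the Bitcoin project: it pins the signer to the full fingerprint gpg printed in the thread and compares the hash against the signed text that gpg writes out, rather than grepping the raw .asc file. The function names are made up for this example; it assumes gpg, awk, mktemp and sha256sum are installed and that the signing key is already in the keyring.

```shell
# Added example, not from the thread. Function names are made up here.
# Fingerprint as gpg printed it in the posts above, spaces removed.
PINNED_FPR="26646D99CBAEC9B81982EF6029D9EE6B1FC730C1"

# Reads `gpg --status-fd` output on stdin. Succeeds only if there is a GOODSIG
# line and a VALIDSIG line whose last field (primary key fingerprint) is $1.
# gpg reports an expired or revoked key with EXPKEYSIG/REVKEYSIG, not GOODSIG.
signed_by_pinned_key() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { pinned = 1 }
        END { exit !(good && pinned) }'
}

# Prints the hash listed for file name $2 in sums file $1.
expected_hash() {
    awk -v name="$2" '$2 == name || $2 == ("*" name) { print $1; exit }' "$1"
}

# verify_release SHA256SUMS.asc FILE  (body runs in a subshell)
verify_release() (
    asc=$1 file=$2
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    # --output receives only the text covered by the signature, so lines
    # placed around the signed block in the .asc never reach $tmp.
    status=$(gpg --batch --yes --status-fd 1 --output "$tmp" --decrypt "$asc" 2>/dev/null)
    if ! printf '%s\n' "$status" | signed_by_pinned_key "$PINNED_FPR"; then
        echo "no good signature from the pinned key" >&2
        exit 1
    fi
    want=$(expected_hash "$tmp" "$(basename "$file")")
    got=$(sha256sum "$file" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$got" ]
)

if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```

The "not certified with a trusted signature" warning does not affect this check, because the script compares the fingerprint itself instead of relying on the web of trust.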
staff
Activity: 4326
Merit: 8951
How is it done for bitcoin? Maybe it is even simpler for bitcoin, and I'm just blind. If it's not easier, then please could you fix the bitcoin binary download page?
Time for new glasses:

See "Verify release signatures" on http://bitcoin.org/en/download

sr. member
Activity: 298
Merit: 250
Hi,

This is constantly evolving, also I don't see any GPG signature to use on http://bitcoin.org/en/download so how do I verify this latest bitcoin binary?

For example on https://litecoin.org/ I see a GPG signature which I can use to verify easily using these commands:

Code:
wget https://litecoin.org/downloads/linux/litecoin-0.8.4.1-linux.tar.xz
wget https://litecoin.org/downloads/linux/litecoin-0.8.4.1-linux.tar.xz.asc
gpg --verify litecoin-0.8.4.1-linux.tar.xz.asc litecoin-0.8.4.1-linux.tar.xz

How is it done for bitcoin? Maybe it is even simpler for bitcoin, and I'm just blind. If it's not easier, then please could you fix the bitcoin binary download page?