Topic: Multiple devs signed binaries ... ?

legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
October 16, 2012, 09:23:29 PM
#3
> Gavin signs the package that is uploaded, but the reports of the build itself, and signatures of that, are uploaded here.

Thanks ... what does this mean ?

Code:
$ gpg --verify bitcoin-build.assert.sig 
gpg: Signature made Wed 19 Sep 2012 03:36:41 AM NZST using RSA key ID 2346C9A6
gpg: BAD signature from "Wladimir J. van der Laan "

Code:
$ gpg --verify bitcoin-build.assert.sig 
gpg: Signature made Tue 18 Sep 2012 11:13:44 AM NZST using RSA key ID C87992E0
gpg: BAD signature from "Pieter Wuille (Dept. of Computer Science, KULeuven) "

TheBlueMatt doesn't have a PGP signing key advertised anywhere prominently that I could see, so I didn't test that one ....

(I downloaded the bitcoin-build.assert files from github and imported gpg keys of you guys from key server, and directly from linked bitcoin front page)

Is there a special method needed to download/verify these bitcoin-build.assert files or should straight gpg work?

EDIT: okay, I was able to get some good signatures ... if anybody else is wondering, you need to download both the .sig and the bitcoin-build.assert files as raw (right-click Save As on the Raw button); it seems git must add something even when you use "wget" ... maybe it needs a binary ftp or ... ?

It will look like this:

Code:
$ gpg --verify bitcoin-build.assert.sig 
gpg: Signature made Tue 18 Sep 2012 11:13:44 AM NZST using RSA key ID C87992E0
gpg: Good signature from "Pieter Wuille (Dept. of Computer Science, KULeuven) "
gpg:                 aka "Pieter Wuille (Location: Leuven, Belgium) "
gpg:                 aka "Pieter Wuille (Location: Leuven, Belgium) "
gpg:                 aka "Pieter Wuille (Location: Leuven, Belgium) "
gpg:                 aka "[jpeg image of size 6073]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D762 373D 2490 4A3E 42F3  3B08 B9A4 08E7 1DAA C974
     Subkey fingerprint: E3F8 2E40 73CC 179E 70F1  F44B 8F65 3255 C879 92E0

and

Code:
$ gpg --verify bitcoin-build.assert.sig 
gpg: Signature made Wed 19 Sep 2012 03:36:41 AM NZST using RSA key ID 2346C9A6
gpg: Good signature from "Wladimir J. van der Laan "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 71A3 B167 3540 5025 D447  E8F2 7481 0B01 2346 C9A6
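The outputs above show the two things that go wrong in practice: a BAD signature when the downloaded file is not the raw assert (the GitHub page wrapper instead of the file), and a "Good signature" that still carries the "not certified" warning, which only means the key is in your keyring, not that it belongs to the developer you think it does. The script below is an added example, not code from this thread or from the Bitcoin project: it checks that the downloaded file is not an HTML page, runs gpg with --status-fd so the result is machine-readable, and accepts a signature only if the primary-key fingerprint from the VALIDSIG line matches a pinned list. The pinned fingerprints are the two primary-key fingerprints printed in the gpg output above; the sample status lines used for testing are constructed, with the e-mail addresses replaced by placeholders.

```python
"""Verify a detached signature on a gitian bitcoin-build.assert file and pin
the signer's primary-key fingerprint instead of trusting "Good signature" by eye.

Added example (not from the thread). Assumes gpg is on PATH and that the
fingerprints in TRUSTED_FINGERPRINTS are the identities you expect to sign."""
import subprocess
import sys
from typing import Dict, Optional, Tuple

# Primary-key fingerprints as printed in the thread's gpg output (spaces removed).
# Hypothetical trust list: only signatures from these keys are accepted.
TRUSTED_FINGERPRINTS: Dict[str, str] = {
    "D762373D24904A3E42F33B08B9A408E71DAAC974": "Pieter Wuille",
    "71A3B16735405025D447E8F274810B012346C9A6": "Wladimir J. van der Laan",
}


def looks_like_html(data: bytes) -> bool:
    """A non-raw GitHub URL returns an HTML page; verifying that against the
    real .sig gives a BAD signature. Catch it before calling gpg."""
    head = data.lstrip()[:64].lower()
    return head.startswith(b"<!doctype html") or head.startswith(b"<html")


def parse_status(status_text: str) -> dict:
    """Parse gpg --status-fd output. GOODSIG/BADSIG report the verification
    result; VALIDSIG carries the primary-key fingerprint as its last field.
    GOODSIG alone says nothing about whether the key is the one you trust."""
    result = {"good": False, "bad": False, "primary_fpr": None, "signer": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            result["good"] = True
            result["signer"] = " ".join(fields[3:])
        elif keyword == "BADSIG":
            result["bad"] = True
        elif keyword == "VALIDSIG":
            result["primary_fpr"] = fields[-1]
    return result


def evaluate(status_text: str, trusted: Dict[str, str] = TRUSTED_FINGERPRINTS) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only a good signature whose
    primary-key fingerprint is in the pinned list."""
    st = parse_status(status_text)
    if st["bad"]:
        return False, "BAD signature: file content does not match the .sig (was the raw file downloaded?)"
    if not st["good"] or st["primary_fpr"] is None:
        return False, "no valid signature found"
    fpr = st["primary_fpr"]
    if fpr not in trusted:
        return False, "good signature but from an unpinned key: %s" % fpr
    return True, "signed by %s (%s)" % (trusted[fpr], fpr)


def verify_file(assert_path: str, sig_path: str) -> Tuple[bool, str]:
    """Run gpg on a downloaded assert file and its detached signature."""
    with open(assert_path, "rb") as fh:
        data = fh.read()
    if looks_like_html(data):
        return False, "%s is an HTML page, not the raw assert file" % assert_path
    # --status-fd 1 sends the machine-readable lines to stdout; --batch avoids prompts.
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, assert_path],
        capture_output=True, text=True,
    )
    return evaluate(proc.stdout)


# Constructed sample status output, modelled on the thread's "Good signature"
# from Pieter Wuille (subkey ...C87992E0, primary ...1DAAC974); e-mail omitted.
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8F653255C87992E0 Pieter Wuille (Dept. of Computer Science, KULeuven) <placeholder@example.invalid>
[GNUPG:] VALIDSIG E3F82E4073CC179E70F1F44B8F653255C87992E0 2012-09-18 1347930824 0 4 0 1 2 00 D762373D24904A3E42F33B08B9A408E71DAAC974
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed: good signature from a key that is not on the pinned list.
SAMPLE_UNPINNED = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <placeholder@example.invalid>
[GNUPG:] VALIDSIG 00000000000000000000000000000000DEADBEEF 2012-09-18 1347930824 0 4 0 1 2 00 00000000000000000000000000000000DEADBEEF
"""
# Constructed: what the thread's first attempt (HTML page instead of raw file) produces.
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 8F653255C87992E0 Pieter Wuille (Dept. of Computer Science, KULeuven) <placeholder@example.invalid>
"""

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_assert.py bitcoin-build.assert bitcoin-build.assert.sig")
    ok, why = verify_file(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "REJECT: ") + why)
    sys.exit(0 if ok else 1)
```

The fingerprint comparison is the step the "WARNING: This key is not certified" line is asking for: gpg has confirmed the signature matches some key in the keyring, and the pinned list confirms that key is the one obtained from the developer's own published fingerprint rather than an arbitrary key-server upload with the same name.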
legendary
Activity: 1072
Merit: 1189
October 16, 2012, 08:38:23 PM
#2
Gavin signs the package that is uploaded, but the reports of the build itself, and signatures of that, are uploaded here.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
October 16, 2012, 08:32:33 PM
#1
It's been said in various places that multiple devs sign the binaries (all built separately using an identical VM, etc.).

The links from the main Bitcoin page (which has PGP links for the devs) go to the sourceforge download page http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.7.0/ There, SHA256SUM.asc verifies as a good signature from Gavin for the Linux tarball.

Where are the other signatures from the other devs verifying the SHA256SUM of the Linux tarball located, or how is that done?