Topic: Signature Verification of Core: Specific Questions (Read 137 times)

jr. member
Activity: 57
Merit: 62
-snip-
When I right-click on that and Open with Kleo, I get from Kleo a window that says that SHA256SUMS has been verified with SHA256SUMS.asc, and then I get a list of 10 signatures that could not be verified and the ability to import each of them from the key.
That's how the process should be.
You verified that the "SHA256SUMS" file containing the hashes of Bitcoin Core binaries is legit by doing that.
So you can be certain that the hash that you're comparing to is correct.

For the 10 other signatures (you mean certificates? The signature is the .asc file.),
it's because you haven't imported and certified the other signing keys from the repo where you downloaded "davidgumberg.gpg".

Quote from: Noob_Is_Relative
But what happened to davidgumberg.gpg that I'm trying to verify? It seems like I'm dealing with apples and oranges and here I'm stuck.
That's a "PGP public key" and it's not the one that you're verifying.
You've imported that into Kleopatra to make sure that the signature in the file "SHA256SUMS.asc", which is used to verify the "SHA256SUMS" file, is signed with it.

Thanks to your help, I'm better off than I thought, and I can now do my upgrade. Thanks again for sticking with me until I reached a solution.
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
-snip-
When I right-click on that and Open with Kleo, I get from Kleo a window that says that SHA256SUMS has been verified with SHA256SUMS.asc, and then I get a list of 10 signatures that could not be verified and the ability to import each of them from the key.
That's how the process should be.
You verified that the "SHA256SUMS" file containing the hashes of Bitcoin Core binaries is legit by doing that.
So you can be certain that the hash that you're comparing to is correct.

For the 10 other signatures (you mean certificates? The signature is the .asc file.),
it's because you haven't imported and certified the other signing keys from the repo where you downloaded "davidgumberg.gpg".

Quote from: Noob_Is_Relative
But what happened to davidgumberg.gpg that I'm trying to verify? It seems like I'm dealing with apples and oranges and here I'm stuck.
That's a "PGP public key" and it's not the one that you're verifying.
You've imported that into Kleopatra to make sure that the signature in the file "SHA256SUMS.asc", which is used to verify the "SHA256SUMS" file, is signed with it.
jr. member
Activity: 57
Merit: 62
Or maybe it means that I'm verified and good to go??
jr. member
Activity: 57
Merit: 62
Now I want to verify at least one developer's signature. I have kleopatra.exe ready and I can either search a keyserver or I can import a file.
For noobs the github page is "overload" and there are no steps or explanations.
What's your OS? I assume Windows, since you mentioned that in your other thread.

At any rate, for manual import; go to Bitcoin-Core's repo for the builder keys, here: https://github.com/bitcoin-core/guix.sigs/tree/main/builder-keys
Download your selected developer's gpg key (click a 'name.gpg' file -> 'download raw file' icon); it will be saved as "name.gpg".

To import:
  • Open Kleopatra and double-click the GPG file that you've downloaded and it will be imported automatically.
  • Go to Kleopatra's "Certificates" list, right-click on the just-imported key (the actual name may differ from the file name), then select "Certify...".
  • In the 'Certify Certificate' window, click "Certify" once you have fully checked that the information in the certificate is true.

Then to verify: double-click "SHA256SUMS.asc" to automatically verify "SHA256SUMS" file.
With Kleopatra, it should work automatically if both files are in the same directory/folder and have the same file name.

Note: if ".asc" and ".gpg" files aren't associated with Kleopatra, double-clicking won't do anything until you select Kleopatra.
If so, tick "Always use this app to open .asc files" once you select "Kleopatra" as the associated app.

The raw files I tried all return errors, so I think I've not selected the proper files . . .
Please specify the errors.

I need either a server address URL that I can copy/paste into Kleopatra
If "hkps://keys.openpgp.org" doesn't work for you (like with some Windows users), use "hkps://keyserver.ubuntu.com".


Thanks for the work you put in on such discrete details. Sorry, I should have edited some of your lengthy quoted material above.
I had some success with your directions and some problems. I'll write the steps that I think I performed correctly, then indicate where I had problems:

OS: Win11Pro
a. manual import dev. key < your link < raw file icon < download to Desktop as davidgumberg.gpg = OK
b. rt. click, Open Kleo., appears as new certificate < certified with my newly created key = OK

Now I need to verify. First, I want to make sure we are talking about the right SHA256SUMS.asc file as there are two. I'm assuming we're talking about the hash signatures file and not the binary hash file, right? Yes, that must be correct, as we are verifying a signature. It's the file with an icon of a blue open lock.

When I right-click on that and Open with Kleo, I get from Kleo a window that says that SHA256SUMS has been verified with SHA256SUMS.asc, and then I get a list of 10 signatures that could not be verified and the ability to import each of them from the key.

But what happened to davidgumberg.gpg that I'm trying to verify? It seems like I'm dealing with apples and oranges and here I'm stuck.
jr. member
Activity: 57
Merit: 62

I scrolled down about 20 pages through this tutorial regarding creating a Key Pair. I think this tutorial is way overkill for my needs. Permit me to "cut to the chase" on some basics to confirm that I'm in the ballpark:

1. From bitcoincore.org I downloaded: a. the Win .exe program for the latest iteration, 27.1; b. the SHA256 binary hashes. This hash file has extension .asc and, opening it with Notepad++, I could copy/paste the exact line of binary hashes pertaining to my OS from the .exe program. c. I then used the Command Prompt, navigated to the .exe and entered:
Code:
CertUtil -hashfile bitcoin-27.1-win64-setup.exe sha256
This output a binary hash string. I then compared it with the first hash; they matched, so I know I have clearance to install the .exe. Correct so far?
2. Many people probably stop here and do the install w/o signature verification. However, I will attempt signature verification using the advice here. If I'm not successful, I'll probably do the install.
3. My understanding of signature verification: it could be that the binary hashes were hacked, so now I need to authenticate the binary hashes. To start that process, I first downloaded from the Core site the SHA256 hash signatures. Now, using kleopatra.exe, I need to associate that with at least one developer's signature, either from a keyserver URL or from a file download, either of which can be executed from the PGP program.

Other members here have given links that I'll try for this purpose. Basically, I want to know: am I on the right track?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
The raw files I tried all return errors, so I think I've not selected the proper files . . .
Please specify the errors.

Most likely the errors have something to do with not finding the required public keys to verify against, although you should only need one developer's public key and one verified SHA256SUMS file for the verification to succeed.

I need either a server address URL that I can copy/paste into Kleopatra
If "hkps://keys.openpgp.org" doesn't work for you (like with some Windows users), use "hkps://keyserver.ubuntu.com".

I don't think most keyservers are working when you try to import a new key from there, so I would opt with directly downloading and importing it instead.
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
Now I want to verify at least one developer's signature. I have kleopatra.exe ready and I can either search a keyserver or I can import a file.
For noobs the github page is "overload" and there are no steps or explanations.
What's your OS? I assume Windows, since you mentioned that in your other thread.

At any rate, for manual import; go to Bitcoin-Core's repo for the builder keys, here: https://github.com/bitcoin-core/guix.sigs/tree/main/builder-keys
Download your selected developer's gpg key (click a 'name.gpg' file -> 'download raw file' icon); it will be saved as "name.gpg".

To import:
  • Open Kleopatra and double-click the GPG file that you've downloaded and it will be imported automatically.
  • Go to Kleopatra's "Certificates" list, right-click on the just-imported key (the actual name may differ from the file name), then select "Certify...".
  • In the 'Certify Certificate' window, click "Certify" once you have fully checked that the information in the certificate is true.

Then to verify: double-click "SHA256SUMS.asc" to automatically verify "SHA256SUMS" file.
With Kleopatra, it should work automatically if both files are in the same directory/folder and have the same file name.

Note: if ".asc" and ".gpg" files aren't associated with Kleopatra, double-clicking won't do anything until you select Kleopatra.
If so, tick "Always use this app to open .asc files" once you select "Kleopatra" as the associated app.

The raw files I tried all return errors, so I think I've not selected the proper files . . .
Please specify the errors.

I need either a server address URL that I can copy/paste into Kleopatra
If "hkps://keys.openpgp.org" doesn't work for you (like with some Windows users), use "hkps://keyserver.ubuntu.com".
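The import-then-verify procedure in the answer above, together with the CertUtil hash comparison Noob_Is_Relative describes further down the thread, as an added example that is not from the thread, from Kleopatra or from Bitcoin Core: a Python script that parses SHA256SUMS, compares the installer's SHA-256 against it, and interprets the per-signature status that gpg emits for a multi-signature SHA256SUMS.asc. The "signatures that could not be verified" Kleopatra lists correspond to gpg's NO_PUBKEY lines (keys never imported); the check passes when at least one imported key yields GOODSIG and nothing yields BADSIG. It assumes gpg is on PATH and the developer's key was imported with `gpg --import name.gpg` (the command-line twin of double-clicking it in Kleopatra); the file names and the sample status lines are constructed for illustration.

```python
"""Added example (not from the thread or from Bitcoin Core): the Kleopatra
procedure done from Python plus the gpg command line.

Assumptions (not stated on the page): `gpg` is on PATH, the developer's key
was imported with `gpg --import name.gpg`, and SHA256SUMS, SHA256SUMS.asc and
the installer sit in the working directory. SAMPLE_STATUS is constructed.
"""
import hashlib
import re
import subprocess
from pathlib import Path

# With --status-fd, gpg prints one machine-readable line per signature, e.g.
#   [GNUPG:] GOODSIG   <long key id> <user id>   signature valid, key imported
#   [GNUPG:] NO_PUBKEY <long key id>             signed by a key you never imported
#   [GNUPG:] BADSIG    <long key id> <user id>   signature does NOT match the file
STATUS_RE = re.compile(
    r"^\[GNUPG:\] (GOODSIG|BADSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG) (\S+)")

# Constructed sample: what gpg reports for a SHA256SUMS.asc carrying eleven
# builder signatures when only one builder key has been imported.
SAMPLE_STATUS = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Builder <builder@example.invalid>",
]
for _i in range(10):
    SAMPLE_STATUS.append("[GNUPG:] NO_PUBKEY %016X" % (0xAAAA000000000000 + _i))


def parse_sha256sums(text):
    """Parse `<hex sha256>  <filename>` lines into {filename: hex digest}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, name = line.split(maxsplit=1)
        # sha256sum writes "*name" for binary mode; the asterisk is not part of the name
        table[name.lstrip("*")] = digest.lower()
    return table


def sha256_of(path):
    """Stream the file through SHA-256 (same value CertUtil prints)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(expected_table, filename, actual_hex):
    """Step 1 of the thread: does the computed hash equal the listed one?"""
    expected = expected_table.get(filename)
    return expected is not None and expected == actual_hex.lower()


def summarize_gpg_status(status_lines):
    """Step 2: reduce gpg's per-signature lines to (ok, counts, good_key_ids).

    ok is True only if at least one signature is GOODSIG and none is BADSIG.
    NO_PUBKEY entries are the signatures Kleopatra reports as unverifiable.
    """
    counts = {"GOODSIG": 0, "BADSIG": 0, "NO_PUBKEY": 0, "OTHER": 0}
    good_keys = []
    for line in status_lines:
        m = STATUS_RE.match(line)
        if not m:
            continue                      # NEWSIG, VALIDSIG, TRUST_* etc. are not needed here
        kind, keyid = m.groups()
        if kind == "GOODSIG":
            counts["GOODSIG"] += 1
            good_keys.append(keyid)
        elif kind in counts:
            counts[kind] += 1
        else:
            counts["OTHER"] += 1          # expired or revoked signing key
    ok = counts["GOODSIG"] >= 1 and counts["BADSIG"] == 0
    return ok, counts, good_keys


def verify_sums_signature(sums_path, asc_path):
    """Run gpg (assumed on PATH) on the detached signature and summarize it."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", str(asc_path), str(sums_path)],
        capture_output=True, text=True,
    )
    return summarize_gpg_status(proc.stdout.splitlines())


if __name__ == "__main__":
    folder = Path(".")
    installer = "bitcoin-27.1-win64-setup.exe"      # file name used in the thread
    sums = parse_sha256sums((folder / "SHA256SUMS").read_text())
    print("hash ok:", hash_matches(sums, installer, sha256_of(folder / installer)))
    print("signature:", verify_sums_signature(folder / "SHA256SUMS",
                                              folder / "SHA256SUMS.asc"))
    print("sample status summary:", summarize_gpg_status(SAMPLE_STATUS))
```

Note that a GOODSIG only tells you the signature was made by a key you imported; whether that key really belongs to the builder is the question the "Certify" step in Kleopatra (or checking the fingerprint against the builder-keys repo) answers, and no script can settle it for you.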
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
jr. member
Activity: 57
Merit: 62
I cannot find clear Wiki on this topic that matches where I am stuck. I am updating Core from v22.0 to 27.1.
I have confirmed SHA256SUMS: a match between the binary hash for the win.exe and the program itself, using Notepad ++ and Command Prompt, respectively.

Now I want to verify at least one developer's signature. I have kleopatra.exe ready and I can either search a keyserver or I can import a file.
For noobs the github page is "overload" and there are no steps or explanations.

I need either a server address URL that I can copy/paste into Kleopatra or some directions on exactly what I should download from github as a file to import. The raw files I tried all return errors, so I think I've not selected the proper files . . .

The Core (website) explanations of steps are generic and not suitable for first-timers.