Topic: Verifying Bitcoin Core - page 3. (Read 179890 times)

I'd recommend at least doing easy way 2. However, even doing easy way 1 is better than what most people do which is nothing.

Bitcoin Core (and other wallet software) allow you to have full control of your Bitcoin by giving you full control of your private keys. You don't need to use it, but it allows for the some of the best security and privacy. Bitcoin Core is also a full node software. This means that it fully validates every single block and transaction. Bitcoin Core nodes make up the backbone of the Bitcoin network; without nodes, transactions and blocks would not be able to propagate well and the network would not be decentralized.

This is probably a stupid question that is answered elsewhere, but since this is the beginner forum, I'll ask 

Why would I need to download bitcoin core? I have been trading BTC and other crypo and moving my tokens to wallets but never had a need to download something called Bitcoin core. Again, probably a really obvious answer, but I'm new...

Is there any other preferably faster way to check it? Like special software or apps?

Its very unlikely that you will download the malicious software before anyone report it. If you are afraid then always verify the hashes, If you don't want to do that, you can always wait a few hours after a new release, see If a problem has been reported then download it.

Thanks, teymos, a perfect guide, loved it!

Thanks for this guide, I just updated to Core 0.14.1 and managed to verify all was good with the dowloaded installer.

Never really bother before.

I wonder how much of a risk downloading from bitcoin.org actually is? I guess better be safe than sorry.

Be nice to find out if anyone has actually ever reported a hash mismatch downloading a core installer.

Its a stable working version but Its more recommended to install the latest version (0.14.1).

I have just downlloaded bitcoin core version 0.13.0 from bitcoin.org .is it good software?

The wording "need" is incorrect. "wallet.dat" is a file created by the wallet called Bitcoin Core. You can download Bitcoin Core here: https://bitcoin.org/en/download. You should create a backup of the wallet.dat file onto other devices as that is vital for the safety of your coins. Do not copy/modify this file in any way while the wallet is running. Fully shut down Bitcoin Core then back up the file somewhere.

Lauda , I understood correctly? , When you download the desktop purse, you need to immediately save the file Wllet.dat and then in case of loss or reinstallation of the new wallet - paste on top of the new file Wllet.dat - the old one?

Verifying Bitcoin Core before you use it has nothing to do with backing up your wallet file. You are confused/in the wrong thread if you want to look for information regarding backing up. Re-read the original post to understand what this is about.

is it not enough to backup the wallet dat?

tell me pls

Can you update this post with the 0.14.1 checksums?

In Lubuntu (Linux) I installed  gnupg very recently with command in terminal:

sudo apt-get install gnupg2

Lubuntu 16.10
When trying to verify signature for bitcoin-0.14.0-x86_64-linux-gnu.tar.gz using the Bitcoin Core Release Signing Keys downloaded from: https://bitcoin.org/en/download
i.e.:
https://bitcoin.org/laanwj-releases.asc

I GET the following, why Warning message?

gpg --verify
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

466adccf7352f06de35afc1627a3ea721764268ceaf08fa3641f9b47e7df091a  bitcoin-0.14.0-aarch64-linux-gnu.tar.gz
55957e2c35aa2ba836cbae7cbf945bcf489a46b243551b0f6fd86f60603032a6  bitcoin-0.14.0-arm-linux-gnueabihf.tar.gz
e4bb8b52acde07788dfcf024645fe291f0deca2b7172939fb2ddb8789fe56973  bitcoin-0.14.0-i686-pc-linux-gnu.tar.gz
e01e3cdd3c4138eccaf0c1267caa3bcdb6949ee63c1e396842b70f102fb4bcaf  bitcoin-0.14.0-osx64.tar.gz
50fea43935e93381552b6730444eed6bbe513637a785e1b864b0c5883729228c  bitcoin-0.14.0-osx.dmg
d743d4866a0d4c1457f81530c45258a8b6383d1cafc458eedcba8d01728a641e  bitcoin-0.14.0.tar.gz
95a030be5c1649023e3aa81d1cd9eabd4258f1b00f0fc51066d02126219705af  bitcoin-0.14.0-win32-setup.exe
864ef77b9b4812ec59adff04d44213a6039c66970a9ae31e8620997a8c1537bc  bitcoin-0.14.0-win32.zip
f260d52cf2fe91c4be99ed6fcf8aa0de669ff326c5da920b7ed3a3e2ec981e0a  bitcoin-0.14.0-win64-setup.exe
415693ed81cfc4960bbfcb815529003405aefbf839ef8fc901b0a2c4ef5317d0  bitcoin-0.14.0-win64.zip
06e6ceeb687e784e9aaad45e9407c7eed5f7e9c9bbe44083179287f54f0f9f2b  bitcoin-0.14.0-x86_64-linux-gnu.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJYv6gQAAoJEJDIAZ42wulk9e0P/0vAR1wxuQvHthS36w0LRDI4
7c3Go/2TPbgGo1PinMhobYeVWE+lfhb9scFGZQiCAvIoRhVsOB8KRN3BS0QDI5gS
iqZJPAl4dz/QtWOyYOv2hAp/hGzChnxoWmkhXmNp4R5y6oLAXOSAkJfGh7btkWBg
LL+tUnkQDcA10DlP3H3O+joxIFrqs9i3UVz5L1bf3M0YtCNOSzdEN7Pv3YwLrij9
dggZwqijTZksi+ouA/ibPni0IWX4sEPs2w/D3lVMQsXc+CdLu/wJByGENg9Gy8VS
1jhGL6PQgbR1SoCvSZ0Je3BDllXpkzzsIUNna56v5+5OXHr9GMrlr7E4qINz6Sl4
LrdEwqZ0Kw1yzs8MlDnTEmH4RGX56cvBjEznFomKmoQUKZKLdzAl5HZWrp6s4HXn
YpstVVCSC615Wm7H2Wd1FrBDU/lq0gHy/w7TNdkLzLIQcJkylo1YzYNkR5Av1Sfd
4prZOVt0LdBgHClObAknByHV92qG6WYn/uXCRUu1MQjWPiI6CjcbEpIAMhxYrM43
1bujklpAXCLudhQ/ShB55SJtKsQ+vcwuAWI+5w/s46k89qUObjBJl5PsvW86kfJQ
GHfLbaeEP4SDGl16YKD6D4MjE/Qkp9reGSij+Sadft5jyJkJEgS9zgiKzD+zXBOA
Df25YpP5jfRJb9xHOUQl
=PU5A
-----END PGP SIGNATURE-----
gpg: Signature made mié 08 mar 2017 07:43:28 CET
gpg:                using RSA key 90C8019E36C2E964
gpg: Good signature from "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964


EDIT (SOLVED)
Ok, this was replied in an earlier post by achow101:
"You can assume you have the correct binary because the signature is good. However, the warning means that you personally have not trusted this key. Ideally you would meet up with Wladimir and he would show you his ID and his key fingerprint and prove to you that he is in control of the key. However, since that isn't likely to happen, you can check who else has signed his key, and if you trust them, you can set your own trust on his key."

I checked the output of sha256sum with the file provided by bitcoin.org and they match.
But shouldn't the site display the hash? I was just concerned with man in the middle attack. 

why bitcoin.org doesn't show the output for sha256sum?
https://bitcoin.org/en/download

> sha256sum bitcoin-0.14.0-x86_64-linux-gnu.tar.gz
06e6ceeb687e784e9aaad45e9407c7eed5f7e9c9bbe44083179287f54f0f9f2b  bitcoin-0.14.0-x86_64-linux-gnu.tar.gz

how to verify?

I tried:
> gpg --verify SHA256SUMS.asc
gpg: Signature made Wed 08 Mar 2017 03:43:28 AM BRT using RSA key ID 36C2E964
gpg: Can't check signature: No public key

Good!Thanks this will be very useful.