Topic: Verifying Bitcoin Core - page 6. (Read 210204 times)

newbie
Activity: 34
Merit: 0
September 03, 2016, 01:52:20 PM
#57

Easy way 2

Get the sha256 hash of the Bitcoin Core release you downloaded. On Linux, you can run, for example, sha256sum bitcoin-0.13.0-x86_64-linux-gnu.tar.gz. On Windows you can run (at a command prompt) certUtil -hashfile bitcoin-0.13.0-win32.zip SHA256. On Mac OS X, you can run shasum -a 256 bitcoin-0.13.0-osx.dmg.


In Windows, can you give a little more explanation, step by step? :)
staff
Activity: 3458
Merit: 6793
Just writing some code
September 03, 2016, 11:52:10 AM
#56
Putting it in a file as suggested will work. But in looking online, it seems to me that Ctrl-D should signal end-of-file on OSX. I don't know why it's not working. I've never used a Mac, though. Can anyone who does use OSX share their experience?

It might be Cmd+D (command, the stupid apple thing that basically replaces ctrl).
administrator
Activity: 5222
Merit: 13032
September 03, 2016, 11:28:41 AM
#55
Ok, I tried saving the below text to a txt file:

You didn't copy-paste it correctly.

Putting it in a file as suggested will work. But in looking online, it seems to me that Ctrl-D should signal end-of-file on OSX. I don't know why it's not working. I've never used a Mac, though. Can anyone who does use OSX share their experience?

The warning about the signature not being valid is because you didn't do the lsign stuff that I mentioned in the guide.
staff
Activity: 3458
Merit: 6793
Just writing some code
September 03, 2016, 09:02:35 AM
#54
Ok, I tried saving the below text to a txt file:

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

f94123e37530f9de25988ff93e5568a93aa5146f689e63fb0ec1f962cf0bbfcd  bitcoin-0.13.0-aarch64-linux-gnu.tar.gz
7c657ec6f6a5dbb93b9394da510d5dff8dd461df8b80a9410f994bc53c876303  bitcoin-0.13.0-arm-linux-gnueabihf.tar.gz
d6da2801dd9d92183beea16d0f57edcea85fc749cdc2abec543096c8635ad244  bitcoin-0.13.0-i686-pc-linux-gnu.tar.gz
2f67ac67b935368e06f2f3b83f0173be641eef799e45d0a267efc0b9802ca8d2  bitcoin-0.13.0-osx64.tar.gz
e7fed095f1fb833d167697c19527d735e43ab2688564887b80b76c3c349f85b0  bitcoin-0.13.0-osx.dmg
0c7d7049689bb17f4256f1e5ec20777f42acef61814d434b38e6c17091161cda  bitcoin-0.13.0.tar.gz
213e6626ad1f7a0c7a0ae2216edd9c8f7b9617c84287c17c15290feca0b8f13b  bitcoin-0.13.0-win32-setup.exe
5c5bd6d31e4f764e33f2f3034e97e34789c3066a62319ae8d6a6011251187f7c  bitcoin-0.13.0-win32.zip
c94f351fd5266e07d2132d45dd831d87d0e7fdb673d5a0ba48638e2f9f8339fc  bitcoin-0.13.0-win64-setup.exe
54606c9a4fd32b826ceab4da9335d7a34a380859fa9495bf35a9e9c0dd9b6298  bitcoin-0.13.0-win64.2d61f88621301bbb00512376287f9df4568255f8b98bc10547dced96c8  bitcoin-0.13.0-x86_64-linux-gnu.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
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=1/IW
-----END PGP SIGNATURE-----

And this is what came up:

Code:
gpg --verify test.txt 
gpg: Signature made Tue 23 Aug 15:23:26 2016 BST using RSA key ID 36C2E964
gpg: BAD signature from "Wladimir J. van der Laan (Bitcoin Core binary release signing key) " [unknown]

That's because your file is wrong.

This line is incorrect:
Code:
54606c9a4fd32b826ceab4da9335d7a34a380859fa9495bf35a9e9c0dd9b6298  bitcoin-0.13.0-win64.2d61f88621301bbb00512376287f9df4568255f8b98bc10547dced96c8  bitcoin-0.13.0-x86_64-linux-gnu.tar.gz

It should really be these two lines:
Code:
54606c9a4fd32b826ceab4da9335d7a34a380859fa9495bf35a9e9c0dd9b6298  bitcoin-0.13.0-win64.zip
bcc1e42d61f88621301bbb00512376287f9df4568255f8b98bc10547dced96c8  bitcoin-0.13.0-x86_64-linux-gnu.tar.gz

However how do I actually check the .dmg file that contains the installer is the right one?

If I run:

Code:
gpg --verify bitcoin-0.13.0-osx.dmg

I get:

Code:
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

That's because the files themselves are not pgp signed and do not have any signatures.

Because it expects a signature file.

And if I use the file that has the signatures that you can download from https://bitcoin.org/bin/bitcoin-core-0.13.0/SHA256SUMS.asc, I get:

Code:
gpg --verify SHA256SUMS.asc 
gpg: Signature made Tue 23 Aug 15:23:26 2016 BST using RSA key ID 36C2E964
gpg: Good signature from "Wladimir J. van der Laan (Bitcoin Core binary release signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.


Doesn't inspire 100% confidence... Maybe that's how it's supposed to come up?

Indeed it is. PGP does not have a centralized trust server. You are supposed to build your own web of trust by trusting other people's keys and setting a trust depth (kinda like the trust system here, minus DT). Since you have not trusted the release key, GPG will warn you that the key is untrusted.

So I did run the below first as suggested in the OP:

Code:
shasum -a 256 bitcoin-0.13.0-osx.dmg

And got the right shasum.

If I have that right together with the last output above from checking the signatures, is that all I need to trust the .dmg file is genuine?

Thanks for the help in advance, this is good learning, and thanks to theymos for the heads up note on top of this forum! :)

Yes that is all you need to trust that the .dmg is the right file.
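
The hash half of the check confirmed above, plus a test for the merged-line paste error from this exchange, as an added example that is not part of the original thread. The function names and the demo-1.0 sample files are constructed for illustration; the helpers assume `gpg --verify SHA256SUMS.asc` has already reported a good signature.

```shell
#!/bin/sh
# Added example; helper names and sample files are constructed.
# Run `gpg --verify SHA256SUMS.asc` first: these helpers only read the
# checksum list, they do not check the signature.

sha256_of() {       # sha256sum on Linux, shasum on macOS
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

signed_body() {     # $1 = clearsigned file; prints the lines the signature covers
    awk '{ sub(/\r$/, "") }
         /^-----BEGIN PGP SIGNATURE-----/ { exit }
         body { print }
         seen && /^$/ { body = 1 }
         /^-----BEGIN PGP SIGNED MESSAGE-----/ { seen = 1 }' "$1"
}

malformed_lines() { # prints entries that are not "<64 hex>  <name>"
    signed_body "$1" | grep -Evx '[0-9a-f]{64}  [^[:space:]]+'
}

expected_hash() {   # $1 = sums file, $2 = file name; prints the listed hash
    signed_body "$1" | awk -v f="$2" 'NF == 2 && $2 == f { print $1 }'
}

check_download() {  # returns 0 = match, 1 = mismatch, 2 = no usable entry
    want=$(expected_hash "$1" "$(basename "$2")")
    [ -n "$want" ] || return 2
    [ "$(sha256_of "$2")" = "$want" ]
}

make_sample() {     # $1 = scratch dir; writes constructed, unsigned sample files
    printf 'constructed payload\n' > "$1/demo-1.0.dmg"
    h=$(sha256_of "$1/demo-1.0.dmg"); z=$(printf '%064d' 0)
    head='-----BEGIN PGP SIGNED MESSAGE-----'; tail='-----BEGIN PGP SIGNATURE-----'
    printf '%s\nHash: SHA256\n\n%s  demo-1.0.zip\n%s  demo-1.0.dmg\n%s\n' \
        "$head" "$z" "$h" "$tail" > "$1/good.asc"
    # Same list with the line break between the two entries lost in pasting.
    printf '%s\nHash: SHA256\n\n%s  demo-1.0.%s  demo-1.0.dmg\n%s\n' \
        "$head" "$z" "$h" "$tail" > "$1/bad.asc"
}
```

`malformed_lines` exits non-zero when every entry is well formed, so in a script run it as a test (`if malformed_lines FILE; then ...`) rather than under `set -e`.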
legendary
Activity: 1722
Merit: 1000
September 03, 2016, 03:54:59 AM
#53
Try to save it to a file and verify its contents. Just add its filename to the end of the command.

Example: gpg --verify example.txt

Ok, I tried saving the below text to a txt file:

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

f94123e37530f9de25988ff93e5568a93aa5146f689e63fb0ec1f962cf0bbfcd  bitcoin-0.13.0-aarch64-linux-gnu.tar.gz
7c657ec6f6a5dbb93b9394da510d5dff8dd461df8b80a9410f994bc53c876303  bitcoin-0.13.0-arm-linux-gnueabihf.tar.gz
d6da2801dd9d92183beea16d0f57edcea85fc749cdc2abec543096c8635ad244  bitcoin-0.13.0-i686-pc-linux-gnu.tar.gz
2f67ac67b935368e06f2f3b83f0173be641eef799e45d0a267efc0b9802ca8d2  bitcoin-0.13.0-osx64.tar.gz
e7fed095f1fb833d167697c19527d735e43ab2688564887b80b76c3c349f85b0  bitcoin-0.13.0-osx.dmg
0c7d7049689bb17f4256f1e5ec20777f42acef61814d434b38e6c17091161cda  bitcoin-0.13.0.tar.gz
213e6626ad1f7a0c7a0ae2216edd9c8f7b9617c84287c17c15290feca0b8f13b  bitcoin-0.13.0-win32-setup.exe
5c5bd6d31e4f764e33f2f3034e97e34789c3066a62319ae8d6a6011251187f7c  bitcoin-0.13.0-win32.zip
c94f351fd5266e07d2132d45dd831d87d0e7fdb673d5a0ba48638e2f9f8339fc  bitcoin-0.13.0-win64-setup.exe
54606c9a4fd32b826ceab4da9335d7a34a380859fa9495bf35a9e9c0dd9b6298  bitcoin-0.13.0-win64.2d61f88621301bbb00512376287f9df4568255f8b98bc10547dced96c8  bitcoin-0.13.0-x86_64-linux-gnu.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
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=1/IW
-----END PGP SIGNATURE-----

And this is what came up:

Code:
gpg --verify test.txt 
gpg: Signature made Tue 23 Aug 15:23:26 2016 BST using RSA key ID 36C2E964
gpg: BAD signature from "Wladimir J. van der Laan (Bitcoin Core binary release signing key) " [unknown]

However how do I actually check the .dmg file that contains the installer is the right one?

If I run:

Code:
gpg --verify bitcoin-0.13.0-osx.dmg

I get:

Code:
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

Because it expects a signature file.

And if I use the file that has the signatures that you can download from https://bitcoin.org/bin/bitcoin-core-0.13.0/SHA256SUMS.asc, I get:

Code:
gpg --verify SHA256SUMS.asc 
gpg: Signature made Tue 23 Aug 15:23:26 2016 BST using RSA key ID 36C2E964
gpg: Good signature from "Wladimir J. van der Laan (Bitcoin Core binary release signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.


Doesn't inspire 100% confidence... Maybe that's how it's supposed to come up?

So I did run the below first as suggested in the OP:

Code:
shasum -a 256 bitcoin-0.13.0-osx.dmg

And got the right shasum.

If I have that right together with the last output above from checking the signatures, is that all I need to trust the .dmg file is genuine?

Thanks for the help in advance, this is good learning, and thanks to theymos for the heads up note on top of this forum! :)


hero member
Activity: 896
Merit: 527
₿₿₿₿₿₿₿
September 03, 2016, 02:27:18 AM
#52
Try to save it to a file and verify its contents. Just add its filename to the end of the command.

Example: gpg --verify example.txt
legendary
Activity: 1722
Merit: 1000
September 03, 2016, 12:56:01 AM
#51
administrator
Activity: 5222
Merit: 13032
August 30, 2016, 03:48:58 PM
#50
Hashes in OP should be updated for 0.13 if possible.

Thanks, I forgot about that.
legendary
Activity: 2842
Merit: 1511
August 30, 2016, 03:41:30 PM
#49
Hashes in OP should be updated for 0.13 if possible.
newbie
Activity: 37
Merit: 0
August 30, 2016, 06:40:08 AM
#48
Very good. I'm going to stay on Core this time. These changes will resolve several issues that are still pending.
administrator
Activity: 5222
Merit: 13032
August 28, 2016, 10:52:01 PM
#47
Just wondering, why a .torrent file instead of a magnet link? Since the file is stored at Bitcointalk.org, there shouldn't be much difference.

On certain pages, when your session code is in the URL and it would be dangerous to click any external link due to the referer header that would be sent, links are disabled in all bbcode (including the news), and links show up completely expanded. Like:
Quote
Latest stable version of Bitcoin Core: 0.13.0 (https://bitcoin.org/en/download) (New!) [Torrent (https://bitcointalk.org/bitcoin-0.13.0.torrent)]. Make sure you verify it (https://bitcointalk.org/index.php?topic=1588906.0).

With a magnet link, whenever this happens, a huge chunk of the page would be annoyingly taken up by the full magnet link. It wouldn't be all that hard to fix this, but I decided to just save a bit of time by using a torrent file.
hero member
Activity: 896
Merit: 527
₿₿₿₿₿₿₿
August 28, 2016, 08:00:39 PM
#46
Just wondering, why a .torrent file instead of a magnet link? Since the file is stored at Bitcointalk.org, there shouldn't be much difference.
staff
Activity: 3500
Merit: 6152
August 26, 2016, 05:13:46 AM
#45
Is it only pre release versions we need to be careful of?

I'm not going to download it until the stable version of 0.13.0 is released - Will that be safe?

As far as I know this is an official release, otherwise it wouldn't be listed here in the first place: https://bitcoin.org/en/download

RC versions are most likely the unstable ones before the official releases, as you can see on the GitHub page:



Next version will be 0.13.1 (with SegWit I suppose) and not 0.13.0

If I were you, I would verify every wallet (including Electrum, MultiBit HD and others) as those could be compromised as well, so you should probably check every release from now on.
legendary
Activity: 3556
Merit: 9709
August 26, 2016, 04:52:05 AM
#44
Is it only pre release versions we need to be careful of?

I'm not going to download it until the stable version of 0.13.0 is released - Will that be safe?
hero member
Activity: 793
Merit: 1026
August 25, 2016, 04:57:20 PM
#43
What I want to know is, what "State" is sponsoring this malicious attack? Is it China? The USA? I would imagine a collective of countries conversing on this and funding the attackers with Bitcoin, since fiat is so traceable nowadays.

I think he found direct evidence of GFW doing a DNS MITM for bitcoin.org.  That to me is the most reasonable and most likely explanation.  Sure it could be another state sponsored attack, but all the other major state players just ban it and make it unpopular and whatnot.  China's the only one to just implement technical measures first and do other stuff later.  I think the GFW got updated to redirect bitcoin.org traffic.

This is of course entirely speculation without any shred of merit.

Can you tell me what GFW is? I may know what it is, but I do not know that acronym. Apologies for my ignorance and thank you for the information.

The Great Firewall of China
hero member
Activity: 709
Merit: 503
August 25, 2016, 08:09:22 AM
#42
For what it is worth, I am highly confident that my son did the work to build 0.13.0 from sources https://github.com/bitcoin-core/gitian.sigs/pull/401.
member
Activity: 117
Merit: 10
August 25, 2016, 07:00:00 AM
#41
Why does China have to go and f*ck up everything with new technology?

Will they ever learn?
legendary
Activity: 1049
Merit: 1009
August 24, 2016, 11:01:31 PM
#40

Here's the relevant alert issued. It's based on suspicion from what it seems. It's still good to check the integrity of programs you're going to run on your system.

OK, I will look at it. Thanks in advance.
newbie
Activity: 25
Merit: 0
August 24, 2016, 10:59:42 AM
#39

Can you tell me what GFW is? I may know what it is, but I do not know that acronym. Apologies for my ignorance and thank you for the information.

Great Firewall
legendary
Activity: 2422
Merit: 1451
August 24, 2016, 04:27:41 AM
#38
What does the sentence "Be extra vigilant when downloading binaries from our website for the upcoming 0.13.0 release" mean? I found it on https://bitcoin.org/en/download

What happens with Bitcoin Core 0.13? Why must we be vigilant?



Here's the relevant alert issued. It's based on suspicion from what it seems. It's still good to check the integrity of programs you're going to run on your system.