Question about PGP signatures

4 replies 41 views
DarkSeedSenior Member
Posts: 209 · Reputation: 1423
#1Apr 3, 2022, 01:31 AM
I was trying to grab the source code for the latest Bitcoin Core (28.1) and came across this sha256 checksum that seems to be the right one: c5ae2dd041c7f9d9b7c722490ba5a9d624f7e9a089c67090615e1ba4ad0883ba bitcoin-28.1.tar.gz To be sure, I wanted to verify it with PGP signatures. I downloaded the .asc file from this link: https://bitcoincore.org/bin/bitcoin-core-28.1/SHA256SUMS.asc That file has a bunch of signatures in it. Where can I find info on who owns each signature? And I’m assuming all the files listed in this checksums file: https://bitcoincore.org/bin/bitcoin-core-28.1/SHA256SUMS are signed by the people listed in SHA256SUMS.asc, right? Do you guys check all the signatures? I'm using Kleopatra and I think I just need to add all those keys there, then it should pull in the info and check them all at once with the file I'm trying to verify.
5 Reply Quote Share
yield_forkFull Member
Posts: 162 · Reputation: 728
#2Apr 3, 2022, 02:53 AM
Yes, this file contains the signatures of everyone related to the development of Bitcoin Core. If one or more public keys are sufficient for your verification, you don't need to import all of them. However, to ensure the highest level of certainty that you are downloading an authentic Bitcoin Core binary, it's advisable to import all the public keys into your Kleopatra. On the bitcoin core download page in the section titled "Verify your download," you can choose the gpg signature verification instructions according to your platform. Since you mentioned the .tar.gz extension, it indicates you are downloading for Linux. The SHA256SUMS file, which contains the SHA256 hashes of each version, has been signed by the public keys contained in SHA256SUMS.asc. I usually do these verifications directly via the terminal on both Linux and Windows. However, you can view the owner of each pubkey in Kleopatra, as it will list each public key, allowing you to import them. You can also check and compare them on GitHub: https://github.com/bitcoin-core/guix.sigs/tree/main/builder-keys or https://github.com/bitcoin-core/guix.sigs/blob/main/builder-keys/fanquake.gpg
0 Reply Quote Share
hash_bossLegendary
Posts: 1166 · Reputation: 5261
#3Apr 3, 2022, 05:04 AM
SHA256SUMS.asc only sign SHA256SUMS, rather than actual Bitcoin Core files. No, i usually just check signature based on few PGP public keys i've imported. You could do that. But FWIW, not everyone's signature (whose key located on https://github.com/bitcoin-core/guix.sigs/tree/main/builder-keys) always sign all Bitcoin Core release due to various reason (e.g. unable to sign before release date).
1 Reply Quote Share
DarkSeedSenior Member
Posts: 209 · Reputation: 1423
#4Apr 3, 2022, 11:02 AM
Then the idea is that if SHA256SUMS, when checked with Kleopatra or whatever software you use, will give a valid signature for this file and this means that all sha256 of every file listed there is accurate, since I don't see a way how this could be gammed. It should be safe enough and having every individual file signed would be overkill I guess.
2 Reply Quote Share
yield_forkFull Member
Posts: 162 · Reputation: 728
#5Apr 3, 2022, 06:34 PM
The signature verification method used by Bitcoin Core devs is as follows: They provide a SHA256SUM file and another .gpg document of this SHA256SUM (SHA256SUM.asc) that signs the common SHA256SUM file, this document (SHA256SUM) contains the hashes of all versions of the Bitcoin Core binaries. You can get the hash of a binary you downloaded using the examples (according to your operating system): For example, for the .exe binary of version 28.1: You can open the SHA256SUM file in a notepad and you will see that the above hash is listed according to the binary you downloaded, this is an effective check and ensures that you downloaded the correct file: Linux: or You can do these hash checks with kleopatra. If you have a file compression software, like 7zip (don't use winrar, as it’s not open source) which is open source. You can check the SHA-256 hash by right-clicking on the file, then find the 7zip option, it will list some options, then select CRC SHA and choose either "SHA-256" to get only the SHA256 of the file or "*" to get other hashes besides sha256 like SHA1.
2 Reply Quote Share

Related topics