I’m having a tough time finding clear info on this subject that addresses my situation. I’m in the process of upgrading Core from version 22.0 to 27.1.
I've confirmed SHA256SUMS: the hash for win.exe matches the program itself when I checked it using Notepad++ and Command Prompt.
Now, I’m looking to verify at least one developer's signature. I have kleopatra.exe set up, and I can either search a keyserver or import a file.
For newbies, the GitHub page is just too much, and there aren't any step-by-step instructions.
I need either a URL for a server that I can copy and paste into Kleopatra or some specific guidance on what I should download from GitHub to import. The raw files I’ve attempted have all resulted in errors, so I think I'm just picking the wrong files...
The instructions on the Core website are way too general and not beginner-friendly.
Questions About Core Signature Verification
9 replies 405 views
humbleledgerLegendary
Posts: 1027 · Reputation: 6554
#2Jan 3, 2019, 09:29 AM
See [Eng: Tutorial] PGP Signature - Encrypt/Decrypt message - Fingerprint.
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#3Jan 5, 2019, 08:33 AM
What's you OS? I assume Windows since you mentioned that in your other thread.
At any rate, for manual import; go to Bitcoin-Core's repo for the builder keys, here: https://github.com/bitcoin-core/guix.sigs/tree/main/builder-keys
Download your selected developer's gpg key (Click a 'name.gpg' file->'download raw file' icon), it will be saved as "name.gpg".
To import:
Open Kleopatra and double-click the GPG file that you've downloaded and it will be imported automatically.Go to Kleoparta's "Certificates" list, right-click on the just-imported key (actual name may be different from the file name), then select "Certify...".In the 'Certify Certificate' window, click "Certify" once you fully checked if the information in the certificate are true.
Then to verify: double-click "SHA256SUMS.asc" to automatically verify "SHA256SUMS" file.
With Kleopatra, it should work automatically if both files are in the same directory/folder and having the same file name.
Note: if ".asc" and ".gpg" files aren't associated with Kleopatra, double-click wont do anything until you select Kleopatra.
If so, tick "Always use this app to open .asc files" once you select "Kleopatra" as the associated app.
Please specify the errors.
If "hkps://keys.openpgp.org" doesn't work for you (like with some Windows users), use "hkps://keyserver.ubuntu.com".
Most likely the errors have something to do with not finding the required public keys with which to verify against, although you should only need one developer's public key and one verified SHA256SUMS file in order for the verification to work successfully.
I don't think most keyservers are working when you try to import a new key from there, so I would opt with directly downloading and importing it instead.
diamond_atlasSenior Member
Posts: 408 · Reputation: 1359
#5Jan 8, 2019, 03:05 AM
Learn Bitcoin has threads for Linux and Android too.
[Eng: Tutorial] PGP Signature - Encrypt/Decrypt message (Linux Only)
[Android Tutorial] PGP Signature - Encrypt/Decrypt message
I scrolled down about 20 pages through this tutorial regarding creating a Key Pair. I think this tutorial is way overkill for my needs. Permit me to "cut to the chase" on some basics to confirm that I'm in the ballpark:
1. From bitcoincore.org I downloaded: a. the Win exe. program for the latest iteration, 27.1, b. SHA256 binary hashes. This hash file has extension .asc and, opening with Notepad ++, I could copy/paste the exact line of binary hashes pertaining to my OS from the .exe program, b. I then used the Command Prompt and navigated to the .exe and entered: This output a binary hash string. I then compared it with the first hash, they matched, so I know I have clearance to install the .exe Correct so far?
2. Many people probably stop here and do the install w/o signature verification. However, I will attempt signature verification using the advice here. If I'm not successful, I'll probably do the install.
3. My understanding of signature verification: It could be that the binary hashes were hacked, so now I need to authenticate the binary hashes. To start that process, I first downloaded from the Core site the SHA256 hash signatures. Now, using kleopatra.exe I need to associate that with at least one developer's signature either from a keysaver URL or from a file download, either of which can be executed from the PGP program.
Other members hear have given links that I'll try for this purpose. Basically, I want to know, am I on the right track?
Thanks for the work you put in for such discrete details. Sorry if I have should have edited some of your lengthy quoted material above.
I had some success with your directions and some problems. I'll write the steps that I think I performed correctly, then indicate where I had problems:
OS: Win11Pro
a. manual import dev. key < your link < raw file icon < download to Desktop as davidgumberg.gpg = OK
b. rt. click, Open Kleo., appears as new certificate < certified with my newly created key = OK
Now I need to verify. First, I want to make sure we are talking about the right SHA256SUMS.asc file as there are two. I'm assuming we're talking about the hash signatures file and not the binary hash file, right? Yes, that must be correct, as we are verifying a signature. It's the file with an icon of a blue open lock.
When I right click on that and Open with Kleo. I get from Kleo a window that says that SHA256SUMS has been verified with SHA256SUMS.asc and then I get a list of 10 signatures that could not be verified and the ability to import each of them from the key.
But what happened to davidgumberg.gpg that I'm trying to verify? It seems like I'm dealing with apples and oranges and here I'm stuck.
Or maybe it means that I'm verified and good to go??
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#9Jan 8, 2019, 01:34 PM
That's how the process should be.
You verified that the "SHA256SUMS" file containing the hashes of Bitcoin Core binaries is legit by doing that.
So you can be certain that the hash that you're comparing to is correct.
For the 10 other signatures (you mean certificates? the signature is the .asc file.),
It's because you haven't imported and certified the other signing keys from the repo where you've downloaded "davidgumberg.gpg".
That's a "PGP public key" and it's not the one that you're verifying.
You've imported that to Kleopatra to make sure that the signature in the file "SHA256SUMS.asc" that is used to verify "SHA256SUMS" file is signed with it.
Thanks to your help, I'm better off than I thought, and I can now do my upgrade. Thanks again for sticking with me until I reached a solution.
Related topics
- Curious about recovering BTC from 2010/2011 7
- Issue with Bitcoin Core Wallet after power outage 8
- Transforming my wallet into an HD wallet bitcoin core 26 4
- What Should I Know About Multisig Wallets? 13
- mandatory-script-verify-flag-failed (Non-canonical DER signature issue) 19
- bitcoin-qt sync issues and slow speeds 6