Title: Multiple devs signed binaries ... ?
Post by: marcus_of_augustus on October 17, 2012, 01:32:33 AM

It's been said in various places that multiple devs sign the binaries (all built separately using an identical VM, etc.).
The links from the main Bitcoin page (which has PGP links for devs) go to the SourceForge download page http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.7.0/

Here there is SHA256SUM.asc, which verifies as a good signature for the Linux tarball from Gavin. Where are the other signatures from other devs verifying the SHA256SUM of the Linux tarball located, or how is that done?

Title: Re: Multiple devs signed binaries ... ?
Post by: Pieter Wuille on October 17, 2012, 01:38:23 AM

Gavin signs the package that is uploaded, but the reports of the build itself, and signatures of that, are uploaded here (https://github.com/bitcoin/gitian.sigs).
Title: Re: Multiple devs signed binaries ... ?
Post by: marcus_of_augustus on October 17, 2012, 02:23:29 AM

> Gavin signs the package that is uploaded, but the reports of the build itself, and signatures of that, are uploaded here (https://github.com/bitcoin/gitian.sigs).

Thanks ... what does this mean?

Code:
$ gpg --verify bitcoin-build.assert.sig

Code:
$ gpg --verify bitcoin-build.assert.sig

TheBlueMatt doesn't have a PGP signing key advertised anywhere prominently that I could see, so I didn't test that one. (I downloaded the bitcoin-build.assert files from GitHub and imported the gpg keys of you guys from a key server, and directly from the linked Bitcoin front page.)

Is there a special method needed to download/verify these bitcoin-build.assert files, or should straight gpg work?

EDIT: Okay, I was able to get some good signatures. If anybody else is wondering, you need to download both the .sig and bitcoin-build.assert files as raw (right click, Save As on the Raw button); it seems git must add something even when you use "wget" ... maybe it needs a binary ftp or ... ?

It will look like this:

Code:
$ gpg --verify bitcoin-build.assert.sig

and

Code:
$ gpg --verify bitcoin-build.assert.sig
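An added example, not part of the thread or of the Bitcoin project's tooling: once `gpg --verify` has accepted each builder's signature, this checks that every builder's assert file records the same SHA-256 as the file you downloaded, and flags a file saved from the GitHub web view (an HTML page) instead of the Raw link. The assert layout (lines of `<sha256>  <filename>`), the signer names and the sample data are constructed assumptions.

```python
import hashlib
import re

HEX64 = re.compile(r"^[0-9a-f]{64}$")

def looks_like_html(data: bytes) -> bool:
    """A file saved from the web view is an HTML page, not the signed bytes."""
    head = data[:512].lstrip().lower()
    return head.startswith(b"<!doctype") or head.startswith(b"<html")

def recorded_hashes(assert_text: str) -> dict:
    """Collect '<sha256>  <filename>' pairs (assumed, simplified layout)."""
    found = {}
    for line in assert_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and HEX64.match(parts[0]):
            found[parts[1]] = parts[0]
    return found

def check_release(artifact_name, artifact_bytes, asserts_by_signer):
    """Return (ok, problems); ok only if every signer records our local hash."""
    local = hashlib.sha256(artifact_bytes).hexdigest()
    problems = []
    for signer, raw in sorted(asserts_by_signer.items()):
        if looks_like_html(raw):
            problems.append(f"{signer}: HTML page saved instead of the raw file")
            continue
        recorded = recorded_hashes(raw.decode("utf-8", "replace")).get(artifact_name)
        if recorded is None:
            problems.append(f"{signer}: no hash recorded for {artifact_name}")
        elif recorded != local:
            problems.append(f"{signer}: records {recorded[:12]}..., local is {local[:12]}...")
    return (not problems and bool(asserts_by_signer)), problems

# Constructed sample data: a stand-in tarball and made-up signers.
TARBALL = b"constructed stand-in for the release tarball\n"
NAME = "example-release.tar.gz"
GOOD = f"{hashlib.sha256(TARBALL).hexdigest()}  {NAME}\n".encode()
BAD = f"{'0' * 64}  {NAME}\n".encode()
HTML = b"<!DOCTYPE html>\n<html><body>web view of the file</body></html>\n"

if __name__ == "__main__":
    print(check_release(NAME, TARBALL, {"signer-a": GOOD, "signer-b": GOOD}))
    print(check_release(NAME, TARBALL, {"signer-a": GOOD, "signer-b": BAD, "signer-c": HTML}))
```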