How can you confirm the bitcoin core uses the files from github?

[BlackHatCoiner]

When we download bitcoin core we just download an exe. How can I see that they are the same files from github too? I'm not a suspicious guy I just want to understand how this goes since there is no possible way to convert the exe to the c++ files. (As far as I know)

[ranochigo]

You can't. Corrected below. The only way is either:
1. You trust that the hash is accurate and the person isn't lying.
2. You download the entire source code and compile it yourself. If you're not reviewing the code yourself, I find it pretty pointless since you're just blindly downloading and compiling it. Else, you can review and compile Bitcoin Core using this guide[1].




[1] https://github.com/bitcoin/bitcoin/blob/master/doc/build-windows.md

[BlackHatCoiner]

You can't. The only way is either:
1. You trust that the hash is accurate and the person isn't lying.
2. You download the entire source code and compile it yourself. If you're not reviewing the code yourself, I find it pretty pointless since you're just blindly downloading and compiling it. Else, you can review and compile Bitcoin Core using this guide[1].




[1] https://github.com/bitcoin/bitcoin/blob/master/doc/build-windows.md

If the hash is SHA256 I trust it since there hasn't been any SHA256 collision ever.

[NotATether]

The way releases are made on Github is that a branch is chosen to appear in the Release tab, and Github compresses the branch into an archive and puts it in the Releases tab labeled as source code, so the sources you download form Releases really is the one that matches the Github repo[1].

As for the binary files, it's already been stated that there's no way to verify them. In fact, Github lets you upload any file from your computer and it will label it as a binary. It's supposed to be an executable or installer or a compressed folder of a portable program that is compiled from the source tree but it can be abused to upload malware.

Bitcoin's Github page says you should download the exe's from bitcoincore.org so use that instead of downloading them for Github.
[1] https://help.github.com/en/github/administering-a-repository/managing-releases-in-a-repository

[achow101]

You can't.

Not true. You can.

Bitcoin Core's releases are built using a deterministic build process. This means that given a specific set of source code, compiling it with the deterministic build system will always result in identical binaries (and thus identical hashes). If the code you compile is different, then you will get a different binary (and thus different hashes). You can perform a deterministic build yourself and compare the result against the binaries uploaded to bitcoincore.org. All you have to do is setup gitian and follow the instructions.

When releases are done, multiple developers perform gitian builds and check that their results match. If there is a mismatch, the release won't go through as we try to figure out why there was a mismatch. Everyone who participates in this build process uploads their hashes and a PGP signature of those hashes to https://github.com/bitcoin-core/gitian.sigs