Bitcoin Forum
December 12, 2017, 09:18:24 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Multiple devs signed binaries ... ?  (Read 654 times)
marcus_of_augustus
Legendary
*
Offline Offline

Activity: 2464



View Profile
October 17, 2012, 01:32:33 AM
 #1

It's been said various places that multiple devs sign the binaries (all built separately using identical VM and etc).

The links from the main Bitcoin page (has PGP links for devs) go to sourceforge download page http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.7.0/ Here there is SHA256SUM.asc, verifies as good signature for linux tar ball from Gavin.

Where are the other signatures from other devs verifying the SHA256SUM of the linux tar ball located or how is that done?

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1513070304
Hero Member
*
Offline Offline

Posts: 1513070304

View Profile Personal Message (Offline)

Ignore
1513070304
Reply with quote  #2

1513070304
Report to moderator
1513070304
Hero Member
*
Offline Offline

Posts: 1513070304

View Profile Personal Message (Offline)

Ignore
1513070304
Reply with quote  #2

1513070304
Report to moderator
1513070304
Hero Member
*
Offline Offline

Posts: 1513070304

View Profile Personal Message (Offline)

Ignore
1513070304
Reply with quote  #2

1513070304
Report to moderator
Pieter Wuille
Legendary
*
qt
Offline Offline

Activity: 1050


View Profile WWW
October 17, 2012, 01:38:23 AM
 #2

Gavin signs the package that is uploaded, but the reports of the built itself, and signatures of that are uploaded here.

aka sipa, core dev team

Tips and donations: 1KwDYMJMS4xq3ZEWYfdBRwYG2fHwhZsipa
marcus_of_augustus
Legendary
*
Offline Offline

Activity: 2464



View Profile
October 17, 2012, 02:23:29 AM
 #3

Gavin signs the package that is uploaded, but the reports of the built itself, and signatures of that are uploaded here.


Thanks ... what does this mean ?

Code:
$ gpg --verify bitcoin-build.assert.sig
gpg: Signature made Wed 19 Sep 2012 03:36:41 AM NZST using RSA key ID 2346C9A6
gpg: BAD signature from "Wladimir J. van der Laan <laanwj@gmail.com>"

Code:
$ gpg --verify bitcoin-build.assert.sig
gpg: Signature made Tue 18 Sep 2012 11:13:44 AM NZST using RSA key ID C87992E0
gpg: BAD signature from "Pieter Wuille (Dept. of Computer Science, KULeuven) <pieter.wuille@cs.kuleuven.be>"

TheBlueMatt doesn't have a PGP signing key advertised anywhere prominently that I could see so didn't test that one ....

(I downloaded the bitcoin-build.assert files from github and imported gpg keys of you guys from key server, and directly from linked bitcoin front page)

Is there a special method needed to download/verify these bitcoin-build.assert files or should straight gpg work?

EDIT: okay I was able to get some good signatures ... if anybody else is wondering you need to download both .sig and bitcoin-build.assert files as raw (right click Save As on Raw button) , it seems git must add something even when you use "wget" ... maybe needs a binary ftp or ... ?

Will look like this

Code:
$ gpg --verify bitcoin-build.assert.sig
gpg: Signature made Tue 18 Sep 2012 11:13:44 AM NZST using RSA key ID C87992E0
gpg: Good signature from "Pieter Wuille (Dept. of Computer Science, KULeuven) <pieter.wuille@cs.kuleuven.be>"
gpg:                 aka "Pieter Wuille (Location: Leuven, Belgium) <sipa@ulyssis.org>"
gpg:                 aka "Pieter Wuille (Location: Leuven, Belgium) <pieter@wuille.biz>"
gpg:                 aka "Pieter Wuille (Location: Leuven, Belgium) <pieter.wuille@gmail.com>"
gpg:                 aka "[jpeg image of size 6073]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D762 373D 2490 4A3E 42F3  3B08 B9A4 08E7 1DAA C974
     Subkey fingerprint: E3F8 2E40 73CC 179E 70F1  F44B 8F65 3255 C879 92E0

and

Code:
$ gpg --verify bitcoin-build.assert.sig
gpg: Signature made Wed 19 Sep 2012 03:36:41 AM NZST using RSA key ID 2346C9A6
gpg: Good signature from "Wladimir J. van der Laan <laanwj@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 71A3 B167 3540 5025 D447  E8F2 7481 0B01 2346 C9A6

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!