Verifying Bitcoin Core

[Husna QA]

Is it worth/profitable running your gpu on Altcoins.
Regards

To compare which coins can still profit in mining using the GPU, you can see the following link:
https://whattomine.com/coins

FYI,

-snip-
Note:
You can ask further questions about mining bitcoin in the following thread:
https://bitcointalk.org/index.php?board=14.0

[mike2077]

Do I need to verify every time I run it?

[OmegaStarScream]

Do I need to verify every time I run it?

Not every time you run the executable, but each time a new version is released. You must verify the files before installing them.

[NobodyWantsMe]

When I look at the digital signature list for the installation file I used I am seeing "Bitcoin Core Code Signing Association", is that normal? I have v0.21.0

[Husna QA]

When I look at the digital signature list for the installation file I used I am seeing "Bitcoin Core Code Signing Association", is that normal? I have v0.21.0

As far as I know, the 'Bitcoin Core Code Signing Association' is a new certificate used by the Bitcoin Core team. Before v0.16, the installer signed by The Bitcoin Foundation.
https://github.com/bitcoincore-codesigning-association/bitcoincorecodesigning-dot-org

Final Windows and Mac installers are digitally signed by *'Bitcoin Core Code Signing Association'*. On Windows, you can check this by right clicking the installer, choosing properties, and then going to the Digital Signatures tab. Check that it is signed by *'Bitcoin Core Code Signing Association'*. (Note that prior to v0.16, installers were signed by The Bitcoin Foundation but the signing certificate expired, so Bitcoin Core developers [acquired new certificates](http://gnusha.org/bitcoin-core-dev/2017-11-09.log).)

Make sure you download Bitcoin Core from the official site, i.e .:
https://bitcoincore.org/en/download/
And verify the PGP signature. Look at the 'Verify release signatures' link.
https://bitcoincore.org/bin/bitcoin-core-0.21.0/SHA256SUMS.asc

[dautuonline]

Do I need to verify every time I run it?

You have the option of verifying or not verifying the signature

[Husna QA]

Do I need to verify every time I run it?

You have the option of verifying or not verifying the signature

There is no need to verify the GPG signature every time you run Bitcoin Core, just once when you want to install or update to the latest version. Although you can also ignore this process, checking the authenticity of the software through the GPG Signature verification from the original developer is highly recommended to minimize if you accidentally download Bitcoin Core from a fake link.

[Samrita]

how to verify it, anyone can help me.

[Husna QA]

how to verify it, anyone can help me.

You can verify the Bitcoin Core application using a terminal (command line prompt) or a third-party application such as Kleopatra or GPG keychain.
Here is an example of the verification results on macOS using the terminal:





You can learn more detailed tutorials on how to verify your download (Windows, macOS, Linux) here:
https://bitcoincore.org/en/download/

[Zara Zio]

Hey guyz
could you suggest how to verify bitcoin core and what are the different methods to verify bitcoin core iam expecting yur reply

[Husna QA]

Hey guyz
could you suggest how to verify bitcoin core and what are the different methods to verify bitcoin core iam expecting yur reply

You can see some instructions for verifying Bitcoin Core here (subtitle 'Verify your download'):
https://bitcoincore.org/en/download/.
Or you can also use software like Kleopatra (Windows OS) to verify Bitcoin Core. Or, if you are a macOS user, you can look at my previous post:
https://bitcointalk.org/index.php?topic=1588906.msg56936968#msg56936968.

[Cryptomultiplier]

Only a stupid person would fail to verify before running the core software on their computer. At this day and age where hackers need just one silly mistake to clean ones stack of coins, it is paramount to be security concious before using downloadable softwares...before use, verifying using a command line prompt or other third party applications available is wise. 

[Gorilla22]

I downloaded Bitcoin Core yesterday.
Name of signer:
Bitcoin Core Code Signing  LLC


Not Foundation like before, not Association like prwvious year.
But LLC!
Is it OK?
Is it legit?
Is it real signature?

[vv181]

Updates the Windows code signing certificate to a new one issued by Digicert. This certificate has been issued to Bitcoin Core Code Signing LLC registered in Delaware, US. Note that this is different from the previous Bitcoin Core Code Signing Association registered in Zurich, Switzerland as it was unable to meet the validation requirements in time.

Yes, it looks like there is a change of signing certificate and the guide on the first post hasn't been updated. If you want to make sure, just try the other verification options.

[Gorilla22]

The most important is if  they who are behind this LLC are the same people like before, not scammers or thieves. If they are the same good guys, then may be the only thing which is necessary is updating the first post in this thread? Or what do you think?
IMHO (as I am an unexperienced newbie).

[vv181]

The same developers still manage it as before, you can see on the referred link above, the one who tells it is @achow101, which is one of the bitcoin contributors.

Just a side note, it may be registered as LLC due to the requirement for acquiring the certificate. I think it's better not to rely on the Windows code signing certificate, I don't know how verifiable it is to be able to verify or check the authenticity of the software itself. You better use the second option, which was using the PGPs method. The guide on how to do it is also available on the Bitcoin Core Website(https://bitcoincore.org/en/download/).

[AakZaki]

I have downloaded Bitcoin Core Version 30.2 and it is verified

SHA256SUMS.asc is valid because there are already several "Good signatures" from the official signer of Bitcoin Core.
✅ Ava Chow (achow101)
✅ fanquake
✅ Gugger
✅ Hebasto
✅ pinheadmz

Bitcoin>certUtil -hashfile bitcoin-30.2-win64-setup.exe SHA256
SHA256 hash of bitcoin-30.2-win64-setup.exe:
45916d6b896637d738d132c40430d486cdb0331b173be1eee439a49dba95e66a
CertUtil: -hashfile command completed successfully.

45916d6b896637d738d132c40430d486cdb0331b173be1eee439a49dba95e66a  bitcoin-30.2-win64-setup.exe

Code:

gpg --verify SHA256SUMS.asc SHA256SUMS
gpg: Signature made 01/10/26 20:17:55 SE Asia Standard Time
gpg:                using RSA key 0CCBAAFD76A2ECE2CCD3141DE2FFD5B1D88CA97D
gpg: Can't check signature: No public key
gpg: Signature made 01/10/26 08:11:26 SE Asia Standard Time
gpg:                using RSA key 152812300785C96444D3334D17565732E08E5E41
gpg:                issuer "me@achow101.com"
gpg: Good signature from "Ava Chow <me@achow101.com>" [full]
gpg:                 aka "Ava Chow <github@achow101.com>" [full]
gpg:                 aka "Ava Chow <achow101@pm.me>" [full]
gpg: Signature made 01/10/26 16:59:08 SE Asia Standard Time
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Can't check signature: No public key
gpg: Signature made 01/10/26 22:21:34 SE Asia Standard Time
gpg:                using RSA key CFB16E21C950F67FA95E558F2EEB9F5CC09526C1
gpg:                issuer "fanquake@gmail.com"
gpg: Good signature from "Michael Ford (bitcoin-otc) <fanquake@gmail.com>" [full]
gpg: Signature made 01/10/26 13:04:33 SE Asia Standard Time
gpg:                using RSA key F4FC70F07310028424EFC20A8E4256593F177720
gpg:                issuer "gugger@gmail.com"
gpg: Good signature from "Oliver Gugger <gugger@gmail.com>" [full]
gpg: Signature made 01/10/26 21:31:33 SE Asia Standard Time
gpg:                using RSA key D1DBF2C4B96F2DEBF4C16654410108112E7EA81F
gpg:                issuer "hebasto@gmail.com"
gpg: Good signature from "Hennadii Stepanov (GitHub key) <32963518+hebasto@users.noreply.github.com>" [unknown]
gpg:                 aka "Hennadii Stepanov (hebasto) <hebasto@gmail.com>" [unknown]
gpg: Note: This key has been disabled.
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
      D1DBF2C4B96F2DEBF4C16654410108112E7EA81F
gpg: Signature made 01/10/26 19:57:59 SE Asia Standard Time
gpg:                using RSA key E61773CD6E01040E2F1BD78CE7E2984B6289C93A
gpg:                issuer "pinheadmz@gmail.com"
gpg: Good signature from "Matthew Zipkin (GitHub Signing Key) <pinheadmz@gmail.com>" [full]
gpg: Note: This key has been disabled.
gpg: Signature made 01/10/26 12:05:10 SE Asia Standard Time
gpg:                using RSA key ED9BDF7AD6A55E232E84524257FF9BDBCC301009
gpg: Can't check signature: No public key

[Zreszko]

It is important to verify the integrity of Bitcoin Core before running it. Depending on how you downloaded it, it may have been modified in transit to do something evil when run. The server hosting the download may also have been compromised.

Helpful info, especially Easy Way 1 for those who are not comfortable with the command line yet. Quick question though — are there any known cases of the Bitcoin Foundation signing key being leaked in the past? Just wondering how much we can rely on that digital signature tab alone without doing the full gpg check every single time.