what should be md5sum of bitcoin-0.8.1-linux.tar.gz ?

[cosurgi]

Hi,

I just downloaded an update for bitcoin-qt client from bitcoin.org. The download is redirected from bitcoin.org to http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.1/bitcoin-0.8.1-linux.tar.gz/download

I am worried that sourceforge.net might have been hacked, and nobody noticed yet. I did a search for md5sum of bitcoin-0.8.1-linux.tar.gz, but couldn't find it anywhere on the official site. Therefore this binary is not to be trusted.

I am afraid that if I launch it, it will steal all my coins.

on my side the md5sum is

Code:

$ md5sum bitcoin-0.8.1-linux.tar.gz
1f6698135cfab8695e0f826ffc428d4c  bitcoin-0.8.1-linux.tar.gz

But I prefer that one of developers confirm this (not by redownloading it from aforementioned address, since it might have been compromised).

Bitcoin developers: could you implement some method of using digital signatures on your released binaries? Debian for example has pgp keys which authorize a package repository.

I could resort to recompiling myself, and first comparing source code between my current version and a new one, to make sure that no malicious code got in. But we are talking about user-friendly bitcoin. So I am not going to do this, because bitcoin should not be only for people who can read and write code. We need some security on released binaries.

Better safe than sorry. This is why I posted this question. And I really do not intend to offend developers. I am only asking, because I want to be safe.

[1714944265]

1714944265

[1714944265]

1714944265

[1714944265]

1714944265

[1714944265]

1714944265

[wumpus]

If you use sha1sum or sha256sum, you can verify those hashes by comparing them to the following,

http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.1/SHA256SUMS.asc/download
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.1/SHASUMS.asc/download

They are signed with Gavin's GPG key. For example the following checks out here:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

6d7f023a9df1a436c51de83f7cd751f162be9b4fb1c06da05545f9fba7cb2a98  bitcoin-0.8.1-linux.tar.gz
dddc563af906e766900868970fd2146a1cad792fd7089f034d46ad0e838ce99f  bitcoin-0.8.1-macosx.dmg
2d447daad6cba12a4dd29de4ffbbd00c5634f45818d39cc12ce27ad964c905a6  bitcoin-0.8.1-win32-setup.exe
08abe51623361df111bad5722f167503f01bb016d728bd1ebcf83069636c9fde  bitcoin-0.8.1-win32.zip
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iQIcBAEBCAAGBQJRRkNCAAoJECnZ7msfxzDBPC0P/A/vk81jj0SpWIwMQkO3+Agt
A/lNcBZeBZI3RxirBmbJU+8yUoMI4mlMqTMc0FdXoNFhkUjo5O/v3xZy/FjCYEu0
HgOO71KUc4txNkdP1HIkODnpqr2hoqKf1E8erZwXr7GyEGyBckQN0b8ewjAO9Mpg
1xL6izQceZGi32tQuMp+MY86l2eaDiT1CvvJnobJ/bEZgVEwwmOp8fFDCXi1aQ7Z
aYkv5XuKhNx5cHokva+WqoLbk5Z2QHg72IhBR1NkNXWEVz/RXfaf1i9Xmx3G/Use
VtifyXrGuzv784gohnfYaarPEbjByK2QW/chKif5G3N6ZdFgskl1Ov52ugcaKIAS
ad8QUJLVR3SSoQ1ohIcBLCtc7vTjOyBm+JW0hd7LH9tOucPY1awQ3RLlFbsMvxXS
ZBeCOV/JzcOZiAF2iYlzi/VL46c+kqhqd5N0QqJho3TSkiLd8zCv6CB/7ECNDJxF
XATgjfAfLuJmypq9QVpqbUW+Nlnt0sFRzo1YH6xgqRrptW3VcGn5gq3+Uda74i6W
+KZOZa45wlrEB31HrPz3Hssi3Mkr0BomsdoAuJu8iNmaCSjMYwxcdrXpMn0qabjU
ls+o16Jk3eg8Vsc2imzjFlI3W427tcY4yuF1W++NBbeLAvRHisIOgQkRmS37i2WZ
on9c/1GJ+slPJ4RCcCyu
=eLo8
-----END PGP SIGNATURE-----

[cosurgi]

Great thanks! I will check this shortly.

Can you remind me how I can verify Gavin's signature, or I need to find this myself?

[wumpus]

Great thanks! I will check this shortly.

Can you remind me how I can verify Gavin's signature, or I need to find this myself?

First, fetch and import Gavin's key.

$ gpg --search-keys 1FC730C1
gpg: searching for "1FC730C1" from hkp server keys.gnupg.net
(1)     Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>
          4096 bit RSA key 1FC730C1, created: 2011-12-15
Keys 1-1 of 1 for "1FC730C1".  Enter number(s), N)ext, or Q)uit > 1

Then verify the .asc:

$ gpg /tmp/SHA256SUMS.asc
gpg: Signature made Sun 17 Mar 2013 11:27:14 PM CET using RSA key ID 1FC730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>"

[cosurgi]

I did this, and I get a warning

Code:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1

I'm not surprised. Because I did not verify this key in any way. Do you have any hints on how to verify it?