Bad Signature for the bitcoin-0.15.0.1 file

[ora.zhang]

Hi,
   I try to install the latest version of bitcoin-qt. But the GPG signature is not verified, downloading the new version from github and bitcoincore.org is tried. When I try to run the command 'gpg2 --verify bitcoin-0.15.0.1-osx.dmg.asc bitcoin-0.15.0.1-osx.dmg', the following message shows:

gpg: Signature made 二 9/19 20:16:05 2017 HKT
gpg:                  using RSA key 90C8019E36C2E964
gpg: BAD signature from "Wladimir J. van der lann (Bitcoin Core binary release signing key) <lannwj@gmail.com" [unkown]


Here is my asc file which is from the github.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJZwQqFAAoJEJDIAZ42wulkZQ0P/0hkk9rcBenvHjUAQ1mYeSAW
T8mxFosWT24TDR5EO3vgemaNpzmr3W4hs46gIuM7cIqmKHMPcYNdt3PkYUiu7x9A
nFf76AjeHjwDNclOas746I8vMMB6pry6qO4hFF2WuLKRlBYjMKJIMjYrkmm4kur6
8GUwvJX7XnfgzJxMCLkaBPLiTYCAwKqPks4hbGdn6OWEefS1EjrLY8U4Ytkt03ZU
OceP0LYuFIC0NhaOMzv6EPeH83WAeIQgqmx3xZfewqPCCmj/7g/eK8VLp6ouZ6oL
YSSMZerN+n6BNDYVYy42LVwF2wDqTHIyDHQy5MEd038oeVjs9aj4yXv/2snj08FB
H39mum1sx7AW2GfjZPO7XvjkyfEJphB0VWGxAh/Ht01pMA6LzoH87m1MU6GZVJ8w
jPHNqAmEanhINv00OFmfDBWIaY5EUpiA30T7OaH8Z8fiwpBVOoNMWS5aO02TAQtp
OUhSUaY5zorgguhKhZbPjBniP5IcdSLVfIPCYBCYIuoj1hnhtDkJUaajhvSpTbZT
SqPIW402aKSr0T/Dob7CwD5F2DRoq550BvbLQyE6PU0niXbX2SCIeGqRanrtT336
MExaKCnEWXOxhbSQd9tV1Se9IGLfR0ac3pFPINwtVXVum20sTN79B3rBS3OlzC3d
1T7DWnSvkb2o6glQ00SL
=kBtV
-----END PGP SIGNATURE-----

I also try the shasum to check the md5 signature, but it works.
Could someone give me some info about 'the bad pgp signature' ?

[1715076326]

1715076326

[1715076326]

1715076326

[1715076326]

1715076326

[1715076326]

1715076326

[Lauda]

Can you try doing the same for Bitcoin Core 0.14.0 and 0.15.0 just in order to see whether this issue is limited to your end or a specific version? I've sent Wladimir a message and don't have OSX myself to test on it.

[cr1776]

Can you try doing the same for Bitcoin Core 0.14.0 and 0.15.0 just in order to see whether this issue is limited to your end or a specific version? I've sent Wladimir a message and don't have OSX myself to test on it.

I can test on OS X later today if needed. (After an outing with the kids)

[Lauda]

Can you try doing the same for Bitcoin Core 0.14.0 and 0.15.0 just in order to see whether this issue is limited to your end or a specific version? I've sent Wladimir a message and don't have OSX myself to test on it.

I can test on OS X later today if needed. (After an outing with the kids)

Yes please. Post your results using the same command as OP for all three versions. This should help myself, Wladimir and anyone else looking into this.

Thanks.

[ora.zhang]

Can you try doing the same for Bitcoin Core 0.14.0 and 0.15.0 just in order to see whether this issue is limited to your end or a specific version? I've sent Wladimir a message and don't have OSX myself to test on it.

I tried these versions 0.15.0, 0.14.0,0.13.0, unfortunately there is a good signature found. I also tried downloading the dmg package and verified in window pc, it also failed. Here is a asc file I used(Sorry, I don't find a way to upload file), could you help to have a look at it in case I do something wrong when I copied it from the SHA256SUMs.asc file.

Here is the content of the file, and I use notpad++ to create this file:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJZwQqFAAoJEJDIAZ42wulkZQ0P/0hkk9rcBenvHjUAQ1mYeSAW
T8mxFosWT24TDR5EO3vgemaNpzmr3W4hs46gIuM7cIqmKHMPcYNdt3PkYUiu7x9A
nFf76AjeHjwDNclOas746I8vMMB6pry6qO4hFF2WuLKRlBYjMKJIMjYrkmm4kur6
8GUwvJX7XnfgzJxMCLkaBPLiTYCAwKqPks4hbGdn6OWEefS1EjrLY8U4Ytkt03ZU
OceP0LYuFIC0NhaOMzv6EPeH83WAeIQgqmx3xZfewqPCCmj/7g/eK8VLp6ouZ6oL
YSSMZerN+n6BNDYVYy42LVwF2wDqTHIyDHQy5MEd038oeVjs9aj4yXv/2snj08FB
H39mum1sx7AW2GfjZPO7XvjkyfEJphB0VWGxAh/Ht01pMA6LzoH87m1MU6GZVJ8w
jPHNqAmEanhINv00OFmfDBWIaY5EUpiA30T7OaH8Z8fiwpBVOoNMWS5aO02TAQtp
OUhSUaY5zorgguhKhZbPjBniP5IcdSLVfIPCYBCYIuoj1hnhtDkJUaajhvSpTbZT
SqPIW402aKSr0T/Dob7CwD5F2DRoq550BvbLQyE6PU0niXbX2SCIeGqRanrtT336
MExaKCnEWXOxhbSQd9tV1Se9IGLfR0ac3pFPINwtVXVum20sTN79B3rBS3OlzC3d
1T7DWnSvkb2o6glQ00SL
=kBtV
-----END PGP SIGNATURE-----

[wumpus]

Where did you get those files? I think they are falsified! BE VERY CAREFUL and don't run it.

- My name is not "Wladimir J. van der lann" but "Wladimir J. van der Laan" (and my mail is not lannwj@gmail.com either)
- There is no "bitcoin-0.15.0.1-osx.dmg.asc". The only signed file in the distribution should be "SHA256SUMS.asc" which contains a list of SHA256 hashes, one for every file.

I followed the following steps on the command line to manually check the correctness of the release signing signature on 0.15.0.1:

Code:

$ wget https://bitcoin.org/bin/bitcoin-core-0.15.0.1/bitcoin-0.15.0.1-osx.dmg
$ wget https://bitcoin.org/bin/bitcoin-core-0.15.0.1/SHA256SUMS.asc
$ gpg < SHA256SUMS.asc | sha256sum -c --ignore-missing
gpg: Signature made Tue 19 Sep 2017 02:16:05 PM CEST
gpg:                using RSA key 0x90C8019E36C2E964
gpg: Good signature from "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>" [ultimate]
bitcoin-0.15.0.1-osx.dmg: OK

Do not run any dmg or other binary until you get an output like this.

[ora.zhang]

Where did you get those files? I think they are falsified! BE VERY CAREFUL and don't run it.

- My name is not "Wladimir J. van der lann" but "Wladimir J. van der Laan" (and my mail is not lannwj@gmail.com either)
- There is no "bitcoin-0.15.0.1-osx.dmg.asc". The only signed file in the distribution should be "SHA256SUMS.asc" which contains a list of SHA256 hashes, one for every file.

I followed the following steps on the command line to manually check the correctness of the release signing signature on 0.15.0.1:

Code:

$ wget https://bitcoin.org/bin/bitcoin-core-0.15.0.1/bitcoin-0.15.0.1-osx.dmg
$ wget https://bitcoin.org/bin/bitcoin-core-0.15.0.1/SHA256SUMS.asc
$ gpg < SHA256SUMS.asc | sha256sum -c --ignore-missing
gpg: Signature made Tue 19 Sep 2017 02:16:05 PM CEST
gpg:                using RSA key 0x90C8019E36C2E964
gpg: Good signature from "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>" [ultimate]
bitcoin-0.15.0.1-osx.dmg: OK

Do not run any dmg or other binary until you get an output like this.

Thanks Wladimir. I spelled incorrect name and email when I post this topic.ou

I run the command in your reply and 'good signature' shows. Thanks a lot.  But I'm still wondering why I failed, since normally I use the following way to check pgp, and it works for electrum and dash wallet. Would you mind to get me hints?

Here is what I did to check the signature:
1. Dowload the 'bitcoin-0.15.0.1-osx.dmg' and 'SHA256SUMS.asc'.
2. 'touch bitcoin-0.15.0.1-osx.dmg.asc' file and copy the signature part from 'SHA256SUMS.asc' file.
3. run 'gpg2 --verify bitcoin-0.15.0.1-osx.dmg.asc bitcoin-0.15.0.1-osx.dmg'.

[wumpus]

2. 'touch bitcoin-0.15.0.1-osx.dmg.asc' file and copy the signature part from 'SHA256SUMS.asc' file.

When you change a file, or crop part out of it, you invalidate the signature. It would be more worrying if that worked.

[ora.zhang]

2. 'touch bitcoin-0.15.0.1-osx.dmg.asc' file and copy the signature part from 'SHA256SUMS.asc' file.

When you change a file, or crop part out of it, you invalidate the signature. It would be more worrying if that worked.

Thanks a lot for your info.