Author Topic: How to verify bitcoin binary with gpg pgp signature?  (Read 3144 times)
cosurgi (OP)
September 13, 2013, 09:16:30 AM
 #1

Hi,

This is constantly evolving, also I don't see any GPG signature to use on http://bitcoin.org/en/download so how do I verify this latest bitcoin binary?

For example on https://litecoin.org/ I see a GPG signature which I can use to verify easily using these commands:

Code:
wget https://litecoin.org/downloads/linux/litecoin-0.8.4.1-linux.tar.xz
wget https://litecoin.org/downloads/linux/litecoin-0.8.4.1-linux.tar.xz.asc
gpg --verify litecoin-0.8.4.1-linux.tar.xz.asc litecoin-0.8.4.1-linux.tar.xz

How is it done for bitcoin? Maybe it is even simpler for bitcoin, and I'm just blind. If it's not easier, then please could you fix the bitcoin binary download page?

gmaxwell
September 13, 2013, 09:27:13 AM
 #2

Quote:
How is it done for bitcoin? Maybe it is even simpler for bitcoin, and I'm just blind. If it's not easier, then please could you fix the bitcoin binary download page?

Time for new glasses:

See "Verify release signatures" on http://bitcoin.org/en/download

dserrano5
September 13, 2013, 09:34:07 AM
 #3

Code:
$ gpg --verify SHA256SUMS.asc 
gpg: Signature made Fri 13 Sep 2013 02:27:02 AM CEST using RSA key ID 1FC730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1
$ grep linux SHA256SUMS.asc; sha256sum bitcoin-0.8.5-linux.tar.gz
84543f10de5e82ce6e88dd5a501db37c6327edf79a2a04f29199c24843e71f63  bitcoin-0.8.5-linux.tar.gz
84543f10de5e82ce6e88dd5a501db37c6327edf79a2a04f29199c24843e71f63  bitcoin-0.8.5-linux.tar.gz
cosurgi (OP)
September 13, 2013, 09:37:40 AM
 #4

Quote:
Time for new glasses:
See "Verify release signatures" on http://bitcoin.org/en/download

Thanks, indeed. Here's how I did that:

Copy-paste http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.5/SHA256SUMS.asc/view into some text file, in my case I called it bitcoin-0.8.5-linux.tar.gz.sig (I wish I could just use wget), then run this:

Code:
$ gpg --verify bitcoin-0.8.5-linux.tar.gz.sig
gpg: Signature made pią, 13 wrz 2013, 02:27:02 CEST using RSA key ID 1FC730C1
gpg: requesting key 1FC730C1 from hkp server subkeys.pgp.net
gpg: key 1FC730C1: public key "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>" imported
gpg: 5 marginal(s) needed, 2 complete(s) needed, classic trust model
gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   2  signed:   1  trust: 2-, 0q, 0n, 0m, 0f, 0u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1

Looks OK.

Then compare that with
Code:
$ sha256sum bitcoin-0.8.5-linux.tar.gz
84543f10de5e82ce6e88dd5a501db37c6327edf79a2a04f29199c24843e71f63  bitcoin-0.8.5-linux.tar.gz


So I think that with litecoin it is much simpler. Just look in my opening post - it was a three liner for litecoin. Here I must copy paste, manually download from website, and perform a comparison of sha256sum written in the text file (likely with grep & copy-paste). With litecoin it was just two times wget, and one gpg call.

dserrano5
September 13, 2013, 09:59:23 AM
 #5

Quote:
So I think that with litecoin it is much simpler. Just look in my opening post - it was a three liner for litecoin. Here I must copy paste, manually download from website, and perform a comparison of sha256sum written in the text file (likely with grep & copy-paste). With litecoin it was just two times wget, and one gpg call.

With bitcoin you download bitcoin itself and the SHA256SUMS file. Then you gpg validate it and compare the hashes. It's only an additional call to sha256sum so no big deal.
cosurgi (OP)
September 13, 2013, 10:07:14 AM
 #6

Hmm, that "This key is not certified with a trusted signature!" is a little unnerving. OTOH I did trust this signature with my money, perhaps I should tell about this level of trust to gpg? This way all future signature checks will say something like: level of trust - all your bitcoins.

What do you think?

dserrano5
September 13, 2013, 10:24:22 AM
 #7

Quote:
Hmm, that "This key is not certified with a trusted signature!" is a little unnerving. OTOH I did trust this signature with my money, perhaps I should tell about this level of trust to gpg? This way all future signature checks will say something like: level of trust - all your bitcoins.

That is related to the GPG WoT and has nothing to do with bitcoin.
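
Added example, not part of any post in this thread: the verify-then-compare procedure from replies #3 to #5 as one script. It pins the signer to the full fingerprint shown in the gpg output above instead of relying on the key ID or on web-of-trust state (the warning raised in #6), and it takes the hash only from the text gpg verified, not from the raw .asc file. Function names are this example's own; it assumes gpg, awk and sha256sum are installed and that the status lines follow GnuPG's documented GOODSIG/VALIDSIG layout.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are this example's own.

# Fingerprint as printed by gpg in the thread, spaces removed. Confirm it
# through a channel independent of the download before relying on it.
EXPECTED_FPR=26646D99CBAEC9B81982EF6029D9EE6B1FC730C1

# stdin: `gpg --status-fd` output. Succeeds only if gpg reported GOODSIG and
# the VALIDSIG line ends in the expected primary-key fingerprint.
signer_is_pinned() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { pinned = 1 }
        END { exit !(good && pinned) }'
}

# stdin: the signed text. Prints the hash listed for exactly this file name
# ("*name" is the binary-mode form sha256sum can emit).
signed_hash_for() {
    awk -v name="$1" '$2 == name || $2 == ("*" name) { print $1; exit }'
}

# Usage: verify_release SHA256SUMS.asc bitcoin-0.8.5-linux.tar.gz
verify_release() {
    sums=$1; file=$2
    text=$(mktemp) || return 1
    # One gpg run: --decrypt writes only the text covered by the signature to
    # $text; the machine-readable status lines go to stdout.
    status=$(gpg --batch --yes --status-fd 1 --output "$text" \
                 --decrypt "$sums" 2>/dev/null) || true
    want=$(signed_hash_for "$(basename "$file")" <"$text")
    rm -f "$text"
    if ! printf '%s\n' "$status" | signer_is_pinned "$EXPECTED_FPR"; then
        echo "FAIL: no good signature from $EXPECTED_FPR" >&2; return 1
    fi
    have=$(sha256sum "$file" | awk '{ print $1 }')
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "FAIL: $file does not match the signed hash" >&2; return 1
    fi
    echo "OK: $file matches the hash signed by $EXPECTED_FPR"
}
```

A key that merely shares the short ID 1FC730C1 fails this check, because the comparison is on all 40 hex digits of the fingerprint.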