Bitcoin Forum
Author Topic: I've downloaded bitcoin-0.8.6-win32-setup.exe, how do I gpg verify.  (Read 1439 times)
krileayn (OP)
December 25, 2013, 04:11:29 PM
 #1

When I downloaded a Litecoin wallet I found a great walkthrough to verify the file was safe, using this link:

https://litecointalk.org/index.php?topic=5116.0

I have now downloaded the latest bitcoin wallet, bitcoin-0.8.6-win32-setup.exe, but I'm not sure how to gpg verify it. I've searched around but not had much luck.
If anybody could point me to a step-by-step guide, I would appreciate it.
flatfly
December 25, 2013, 04:40:40 PM
 #2

There are some pretty clear steps posted in this discussion:

http://www.reddit.com/r/Bitcoin/comments/1tin7f/warning_a_fake_electrum_website_with_malware_is/
krileayn (OP)
December 25, 2013, 05:23:03 PM
 #3

Thanks for the link, flatfly. It does provide more info, but it's for Linux. Do you know of a Windows guide? Thanks
Abdussamad
December 25, 2013, 05:50:25 PM
 #4

Do a sha256sum of the file. Look up freeware that lets you calculate sha256 checksums of a file. Fedora project seems to recommend this:

http://docs.fedoraproject.org/en-US/Fedora/16/html/Burning_ISO_images_to_disc/sect-Burning_ISO_images_to_disc-Validating_the_Files-Validating_at_the_Windows_Command_Prompt.html

Then compare with the sha256sum.asc file here:

http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.6/



Finally verify the signature in that .asc file is from Jeff Garzik or not:

http://bitcoin.org/en/development

Edit: It may be that that .asc file carries Gavin's sig. Check for both.

Edit 2: Use http://gpg4win.org/
krileayn (OP)
December 25, 2013, 10:09:18 PM
 #5

Thanks for the info Abdussamad, but I'm still struggling.

I have gpg4win installed (kleopatra)

I downloaded the Sha256sum.asc file from your link. I then right-click it and select "verify", but it just says "no signature found".
Totally confused.
flatfly
December 26, 2013, 07:31:33 AM
 #6

> Thanks for the info Abdussamad, but I'm still struggling.
>
> I have gpg4win installed (kleopatra)
>
> I downloaded the Sha256sum.asc file from your link, I then right click it and select "verify" but it just says "no signature found"
> Totally confused

Before verifying, you need to download and import Gavin's public GPG key (ID 0x1FC730C1) into your computer. I'm not familiar with the exact steps to follow in kleopatra but it shouldn't be too complicated.
Abdussamad
December 26, 2013, 08:45:37 AM
 #7

> > Thanks for the info Abdussamad, but I'm still struggling.
> >
> > I have gpg4win installed (kleopatra)
> >
> > I downloaded the Sha256sum.asc file from your link, I then right click it and select "verify" but it just says "no signature found"
> > Totally confused
>
> Before verifying, you need to download and import Gavin's public GPG key (ID 0x1FC730C1) into your computer. I'm not familiar with the exact steps to follow in kleopatra but it shouldn't be too complicated.

Yeah you can find the sigs on the bitcoin.org page I linked above.
krileayn (OP)
December 26, 2013, 12:30:50 PM
 #8

Thanks for your patience.

I have imported Gavin Andresen 0x1FC730C1 and he now appears in my trusted certificates.
I then tried to verify the file SHA256SUMS.asc, which I downloaded from http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.6/
Both SHA256SUMS.asc and the exe file are in the same folder.

I checkmark "input file is a detached signature"
Input file is: bitcoin...windows..exe
I select signed data: SHA256SUMS.asc
Click verify
Get error "Could not determine whether this is S/MIME or OpenPGP signature"

When I put input file: SHA256SUMS.asc
and signed data: bitcoin...windows..exe
Click Verify
Get error "SHA256SUMS.asc no signature"

I suspect I'm missing something simple, but encryption is new to me. If you have any further ideas, I would appreciate them.
Thanks for your help
Abdussamad
December 26, 2013, 12:55:43 PM
 #9

@OP we are not Windows users or this would all be easy for us to explain to you. On Linux we use the command line. So with that said see this thread for Windows command line instructions.

If you can't do the above then wait for another Windows user to chime in with step by step instructions.

And BTW the bitcoin .asc files are NOT detached signatures. They are actually signatures of the sha256sums, not the .exe file itself.
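
The check described in posts #4 and #9, as an added example that is not part of any post in this thread: SHA256SUMS.asc is a clearsigned list of hashes, so `gpg --verify` validates the list and the installer is then compared against the signed hash entry. The sample file name, the `hash  name` line format (usual `sha256sum` output) and all function names are assumptions made for this sketch.

```python
import hashlib
import re
import subprocess

# Constructed sample: the hash is SHA-256 of an empty file; the signature is a placeholder.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  example-setup.exe
-----BEGIN PGP SIGNATURE-----

(placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

def gpg_verify(asc_path):
    """True if gpg accepts the signature; needs gpg on PATH and the signer's key imported."""
    return subprocess.run(["gpg", "--verify", asc_path]).returncode == 0

def signed_body(text):
    """Lines covered by the signature in a clearsigned message; text outside is unsigned."""
    lines = text.replace("\r\n", "\n").split("\n")
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    blank = lines.index("", start)  # armor headers such as "Hash:" end at the first blank line
    # Undo dash-escaping: a signed line that begins with "-" is stored as "- -...".
    return [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:end]]

def expected_hashes(text):
    """Map filename -> lowercase SHA-256 hex from signed 'hash  name' lines."""
    table = {}
    for line in signed_body(text):
        m = re.fullmatch(r"([0-9a-fA-F]{64}) [ *](.+)", line.strip())
        if m:
            table[m.group(2)] = m.group(1).lower()
    return table

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def installer_matches(path, listed_name, text):
    """Compare the file's hash with the signed entry; meaningful only after gpg_verify passes."""
    want = expected_hashes(text).get(listed_name)
    return want is not None and sha256_file(path) == want
```

Run `gpg_verify("SHA256SUMS.asc")` first and check that the key gpg reports is the one you imported; a matching hash from a list whose signature did not verify proves nothing.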
krileayn (OP)
December 27, 2013, 11:23:47 AM
 #10

> @OP we are not Windows users or this would all be easy for us to explain to you. On Linux we use the command line. So with that said see this thread for Windows command line instructions.
>
> If you can't do the above then wait for another Windows user to chime in with step by step instructions.
>
> And BTW the bitcoin .asc files are NOT detached signatures. They are actually signatures of the sha256sums, not the .exe file itself.

Thanks Abdussamad, that thread is just what I was looking for.
HellDiverUK
December 27, 2013, 11:30:24 AM
 #11

Surely if you download it from the official web site (as linked at the top of the forum), you don't need to verify signatures? 

Where's my tinfoil hat smilie?
krileayn (OP)
December 27, 2013, 10:15:36 PM
 #12

> Surely if you download it from the official web site (as linked at the top of the forum), you don't need to verify signatures?
>
> Where's my tinfoil hat smilie?

You're right, and I'm not normally so paranoid, but I want to get into the habit of good practices.
I've never had a reason to worry about verifying signatures, but I think when it comes to money, it makes sense to get into the habit of verifying files etc.
Abdussamad
December 29, 2013, 04:37:43 PM
 #13

> Surely if you download it from the official web site (as linked at the top of the forum), you don't need to verify signatures?

LOL official website as linked on the top of the forum. How many times has the forum been hacked now?

Websites get hacked all the time especially bitcoin related sites. We need to take every precaution we can.
flatfly
December 29, 2013, 06:01:53 PM
 #14

BTW, there are some additional tips on how to verify GPG signatures under Windows in that Armory thread.
krileayn (OP)
December 30, 2013, 07:12:35 AM
 #15

> BTW, there are some additional tips on how to verify GPG signatures under Windows in that Armory thread.

Thanks flatfly, I will work through this.