Having trouble verifying SHA256SUMS.asc

[ProbablyDrunk]

I downloaded SHA256SUMS.asc from https://bitcoincore.org/en/download/. When I run shasum -c SHA256SUMS.asc I get:

Code:

Oberon:Downloads remco$ shasum -c SHA256SUMS.asc
shasum: SHA256SUMS.asc: no properly formatted SHA checksum lines found

Ideas? I'm on a Mac (OSX 11.5.2)

[1715127565]

1715127565

[1715127565]

1715127565

[BitMaxz]

Can you add more space before SHA256SUMS.asc

Sample

Code:

shasum -c  SHA256SUMS.asc

Add space between -c and SHA256SUMS.asc so it should be two spaces and test if it will work.

I just got the idea from this link below

- https://unix.stackexchange.com/questions/139891/why-does-verifying-sha256-checksum-with-sha256sum-fail-on-debian-and-work-on-u

[ProbablyDrunk]

Thanks but that makes no difference.

[ProbablyDrunk]

Additionally I tried doing this on Linux and I get the same result.

[achow101]

For Bitcoin Core 22.0, the hashes are located in the SHA256SUMS file which you can download from https://bitcoincore.org/bin/bitcoin-core-22.0/SHA256SUMS. SHA256SUMS.asc just contains the GPG signatures; you will need that file too in order to verify the release.

The website still needs to be updated for the new release format.

[ProbablyDrunk]

Thanks, that worked better. Even so, the result of GPG verification is not what I expect:

Code:

Untrusted signature
.0xB10C <0xb10c@gmail.com>
0CCB AAFD 76A2 ECE2 CCD3  141D E2FF D5B1 D88C A97D

https://i.imgur.com/xjyRBET.jpg

From what I understand it's expected that file is signed by Wladimir van der Laan. Trying to be a responsible citizen here.

[ProbablyDrunk]

With a bit more Googling it seems that 0xb10c is a Bitcoin Core developer. Found his blog https://b10c.me/ and that is indeed his email address. So it looks legit I guess.

This part could be a bit clearer though for people starting to run their own node like me... I couldn't find any instructions on this on bitcoincore.org itself. Would be nice if it was part of the FAQ.

[achow101]

The format changed starting with 22.0. The signatures file actually contains signatures from several developers. The standard gpg --verify command will verify all of those signatures.

The website will be updated with detailed instructions.

[ProbablyDrunk]

Cool; thanks for your help.

[AdolfinWolf]

Ok so basically we download the sigs from

https://bitcoincore.org/bin/bitcoin-core-22.0/SHA256SUMS.asc

then the hashes from...

https://bitcoincore.org/bin/bitcoin-core-22.0/SHA256SUMS

btw, this is indeed kinda hidden for now it seems, couldn't find it anywhere, not on github, not on bitcoincore.org, though perhaps I did not search hard enough on github..

then?

Code:

--verify SHA256SUMS.asc SHA256SUMS

and shasum your individual release and recheck obviously.

Now this kinda assumes I have all the signers imported already. Obviously I don't and i'm not sure I care that much to import them all in a "decentralized - individual" manner (I think that's more or less the intention of this change?)

I'm scrolling to see if I can verify Wladimir's signature with his old (11+) key, but no luck.

Any easy way to check the signers and how much authority they hold as someone who isn't that involved?
Edit: I guess the latter part of the question is still somewhat relevant though every individual will probably weigh this differently.

I have a couple names + email addresses - easiest way for now seems to google them and add them individually..?

I guess achow's key works. (EDIT: for those wondering: Imported using https://github.com/bitcoin/bitcoin/blob/master/contrib/builder-keys/keys.txt, which? corresponds with http://achow101.com/achow101.pgp, and thus? trustworthy) &

Code:

 gpg --keyserver keyserver.ubuntu.com --receive-keys 152812300785C96444D3334D17565732E08E5E41