Please help with the verification of bitcoincore !!!

[Muromskiy]

Hello, People!

I do all the actions to check the wallet on the macbook as it is written on the website bitcoincore.org

1 action :

https://a.radikal.host/2022/07/05/IMG_20220705_045718.jpg

2 action :

https://a.radikal.host/2022/07/05/IMG_20220705_025929738f217c999061aa.jpg

3 action :

https://a.radikal.host/2022/07/05/IMG_20220705_054232.jpg

Question: By action 2, we add 1 key to gpg suite! Why, after 3 actions, a lot of developer keys appear in the key manager if we added only 1.

https://a.radikal.host/2022/07/05/IMG_20220705_054716.jpg

Question: After all these actions, I right-click on the installation file to check the signature in gpg suite -an error comes out.

https://a.radikal.host/2022/07/05/IMG_20220705_055623.jpg

[1715645923]

1715645923

[1715645923]

1715645923

[achow101]

Question: By action 2, we add 1 key to gpg suite! Why, after 3 actions, a lot of developer keys appear in the key manager if we added only 1.

The signatures file contains many signatures created by multiple developers. You have imported one key, but gpg will check all of the signatures, and it tells you that it was unable to verify the other signatures.

So long as you import at least one key of a developer you trust, and that signature verifies, then the binary is fine.

Question: After all these actions, I right-click on the installation file to check the signature in gpg suite -an error comes out.

The dmg file itself is not signed. There is no direct signature of it. Rather it's SHA256 hash is signed, along with the SHA256 hashes of all of the other binaries that you could download. What you do is check that the SHA256 of the dmg matches the SHA256 stated in the SHA256SUMS file (which you did as Action 1), and then verify the signatures on that SHA256SUMS file (which you did one of in Action 3).

[Muromskiy]

Question: By action 2, we add 1 key to gpg suite! Why, after 3 actions, a lot of developer keys appear in the key manager if we added only 1.

The signatures file contains many signatures created by multiple developers. You have imported one key, but gpg will check all of the signatures, and it tells you that it was unable to verify the other signatures.

So long as you import at least one key of a developer you trust, and that signature verifies, then the binary is fine.

Question: After all these actions, I right-click on the installation file to check the signature in gpg suite -an error comes out.

The dmg file itself is not signed. There is no direct signature of it. Rather it's SHA256 hash is signed, along with the SHA256 hashes of all of the other binaries that you could download. What you do is check that the SHA256 of the dmg matches the SHA256 stated in the SHA256SUMS file (which you did as Action 1), and then verify the signatures on that SHA256SUMS file (which you did one of in Action 3).

Hi! People!

step 1 checks sha256 ? right ?

for persuasion , you need to additionally check with this command ?shasum -a 256 bitcoin-23.0-x86_64-apple-darwin.dmg  to verify manually !
 

[nc50lc]

Hi! People!

step 1 checks sha256 ? right ?

for persuasion , you need to additionally check with this command ? shasum -a 256 bitcoin-23.0-x86_64-apple-darwin.dmg  to verify manually !

Yes, and compare it with the hashes listed in SHA256SUMS file.
Then verify "SHA256SUM" file using "SHA256SUM.asc" either at the start of after those steps.

Here's some images for reference (it's for a different OS so the command is different):
Get the binary's SHA256sum

Open SHA256SUMS as text, then check if the binary's hash is the same as the result in the previous step

Both are the same: 52eefbaf8cfd292822e470a48a51e1eb51081d43a0a16db7441f34a017ff6097

[NotATether]

The dmg file itself is not signed. There is no direct signature of it. Rather it's SHA256 hash is signed, along with the SHA256 hashes of all of the other binaries that you could download. What you do is check that the SHA256 of the dmg matches the SHA256 stated in the SHA256SUMS file (which you did as Action 1), and then verify the signatures on that SHA256SUMS file (which you did one of in Action 3).

Is the reason the DMG (and possibly the EXE/MSI windows binaries as well - tar.gz does not support signatures anyway) is not signed because of the complexity of getting and maintaining a code-signing certificate from a 3rd party? I would like to hear the developers' stance on this.

[Muromskiy]

Hi! People!

step 1 checks sha256 ? right ?

for persuasion , you need to additionally check with this command ? shasum -a 256 bitcoin-23.0-x86_64-apple-darwin.dmg  to verify manually !

Yes, and compare it with the hashes listed in SHA256SUMS file.
Then verify "SHA256SUM" file using "SHA256SUM.asc" either at the start of after those steps.

Here's some images for reference (it's for a different OS so the command is different):
Get the binary's SHA256sum

Open SHA256SUMS as text, then check if the binary's hash is the same as the result in the previous step

Both are the same: 52eefbaf8cfd292822e470a48a51e1eb51081d43a0a16db7441f34a017ff6097

means 2 action "command GPG --server hkps://keys.for OpenPGP.org --reception-keys E777299FC265DD04793070EB944D35F9AC3DB76A" I add the key "Michael Ford" and then I drive the command "shasum -in 256 SHA256SUMS.asc" - it shows 3 action!
 3 action shows 16 participants and including "Michael Ford" - a valid user signature.

1 questio - Why after -Why did a lot of participants appear in the keys after 3 actions if I added only 1 -Michael Ford?
https://a.radikal.host/2022/07/05/IMG_20220705_054716.jpg

2 question - the shazam -256 SHA256SUMS.asc command what does it have to do with checking the "bitcoincore" installation file? I can 't get the gist of it .
the output of the command: a valid user signature gives additional confidence that the installation file "bitcoincore.dmg" is really good?

3 question -checking the sha256 installation file is not enough to make sure that the file is good?

[DireWolfM14]

Is the reason the DMG (and possibly the EXE/MSI windows binaries as well - tar.gz does not support signatures anyway) is not signed because of the complexity of getting and maintaining a code-signing certificate from a 3rd party? I would like to hear the developers' stance on this.

The Windows binaries for release 23.0 (and IIRC 22.0 as well) were indeed signed by a Microsoft code signing certificate.  One of the recent release wasn't signed because the certificate was expired at the time of release (if I remember correctly,) but that's an exception not the rule.

1 questio - Why after -Why did a lot of participants appear in the keys after 3 actions if I added only 1 -Michael Ford?

The .asc file has many signatures in it, including Michael Ford's signature.  The GPG verification process checks all the signatures in the .asc file, regardless of how many (or few) developer keys you've imported into your keyring.  

2 question - the shazam -256 SHA256SUMS.asc command what does it have to do with checking the "bitcoincore" installation file? I can 't get the gist of it .
the output of the command: a valid user signature gives additional confidence that the installation file "bitcoincore.dmg" is really good?

I'm sorry if I misunderstand you, there might be some confusion due to a language barrier.  You don't need the sha256 hash of the SHA256SUMS file.  Use GPG to verify the SHA256SUMS file with the signature file, which is named SHA256SUMS.asc.  Once the SHA256SUMS file has been verified with GPG then you know the sha256 hashes within the file are authentic.  Now you can check the sha256 hash of the bitcoincore.dmg file, and it should match the corresponding hash you find in the SHA256SUMS file.

3 question -checking the sha256 installation file is not enough to make sure that the file is good?

No.  That only provides half of the verification to ensure the file is good.

[HCP]

3 question -checking the sha256 installation file is not enough to make sure that the file is good?

No.  That only provides half of the verification to ensure the file is good.

Just to expand on this a little... checking the sha256 of the install file against what is shown in the sha256sums.asc is only "good" if you've confirmed that the sha256sums.asc has been successfully "signed".

Otherwise, someone could simply create a "fake" sha256sums.asc  that includes the sha256sum of their "fake" installer listed... by checking the digital signature of the sha256sums.asc file (against the signatures of trusted developers), you know that the file and the info in it isn't fake, and therefore all the sha256sums listed inside are valid.

[Muromskiy]

Hello, friends!  I can put pictures on the site.
Let's start over!
enter the command : shasum -a 256 --check SHA256SUMS



enter the command : gpg --verify SHA256SUMS.asc

[

enter the command : shasum -a 256  bitcoin-23.0-x86_64-apple-darwin.dmg





-----
Friends!  have all the checks been successful ? Everything is fine?
Can I start installing bitcoin core ?

[NotATether]

Friends!  have all the checks been successful ? Everything is fine?
Can I start installing bitcoin core ?

Yes, you have confirmed that the Bitcoin Core Mac binaires you have downloaded are legitimate, from all of the developers' GPG keys.