Where Do I Find the GPG Keys To Verify My Bitcoin Core Download?

[HandcraftedBreads]

I'm trying to verify my bitcoin core 24.0.1, but the verification instructed by bitcoincore.org for MacOS implies to search for GPG Keys in a github bitcoin repository that no longer exist. I'm a novice with this type of things, so I am not really able to search into the bitcoin github for myself. Can anyone help me find GPG Keys to verify?


ADDITIONAL:

I've asked ChatGPT for some help in the process, and it mentioned me of a way to verify the bitcoin core software, which I have performed, and resulted in a supposedly non-official bitcoin core, altough I downloaded it from https://bitcoincore.org.

Here is the process mentioned to me by the AI:

In the Bitcoin project on GitHub, the developer keys are not stored in a specific folder. Instead, they are included in the code commits and signed with the developers' GPG keys.

To verify the authenticity of your Bitcoin Core download, you can follow the instructions on the Bitcoin.org website:

    Download the source code from the Bitcoin GitHub repository: https://github.com/bitcoin/bitcoin

    Check the code out from the repository:

git clone https://github.com/bitcoin/bitcoin.git

    Navigate to the Bitcoin source code directory:

cd bitcoin

    Check the Git tags to see which version of the software you have downloaded:

git tag

    Check the signature of the tag:

git tag -v [tagname]

    The output of the command should indicate whether the signature is valid and made by one of the project's trusted developers.

__


The first tag after the "git tag" command resulted in "noversion". ChatGPT suggests to type the command "git describe", of which output resulted in "v21.99-guixtest1-7105-g39363a4b9". ChatGPT suggests the downloaded software is not an official release. It then suggests to try checking the hashes, which I suppose is the standard verification, instructed by bitcoincore.org.

Does this have any relevance?

[1714930566]

1714930566

[1714930566]

1714930566

[1714930566]

1714930566

[1714930566]

1714930566

[Edwardard]

Use achow101's keys. You can find it in his signature profile.
Signer key:

Code:

152812300785C96444D3334D17565732E08E5E41

[HandcraftedBreads]

I have explored the github, and per intuition, I switched from master branch to the branch called "24.x", that I suppose it refers to the bitcoin core version. Bitcoin core 24.0.1 is the software I installed. In this branch I found the txt file of builder keys --mentioned in the signature verification instructions on the bitcoincore.org download page for MacOS--;

This is the file, in branch 24.x:

bitcoin/contrib/builder-keys/keys.txt

As mentioned in bitcoin/contrib/builder-keys/README.md : The file keys.txt contains fingerprints of the public keys of builders and active developers.



Can anyone confirm this is the right list to use for the verification of Bitcoin Core 24.0.1?

[achow101]

I have explored the github, and per intuition, I switched from master branch to the branch called "24.x", that I suppose it refers to the bitcoin core version. Bitcoin core 24.0.1 is the software I installed. In this branch I found the txt file of builder keys --mentioned in the signature verification instructions on the bitcoincore.org download page for MacOS--;

This is the file, in branch 24.x:

bitcoin/contrib/builder-keys/keys.txt

As mentioned in bitcoin/contrib/builder-keys/README.md : The file keys.txt contains fingerprints of the public keys of builders and active developers.



Can anyone confirm this is the right list to use for the verification of Bitcoin Core 24.0.1?

Yes, that list is suitable for verifying 24.0.1.

For future releases, the keys will be in the guix.sigs repo directly: https://github.com/bitcoin-core/guix.sigs/tree/main/builder-keys

[Carlton Banks]

bitcoin/contrib/builder-keys/keys.txt

Yes, that list is suitable for verifying 24.0.1.

For future releases, the keys will be in the guix.sigs repo directly: https://github.com/bitcoin-core/guix.sigs/tree/main/builder-keys

is it not a good idea to have the keys... somewhere else too? I'm at a loss as to where to suggest, but it seems like github only is fragile (I guess the onion repo is a failsafe should github have problems?)

maintaining the key list on bitcointalk is one option, the more the better I guess.

[achow101]

is it not a good idea to have the keys... somewhere else too? I'm at a loss as to where to suggest, but it seems like github only is fragile (I guess the onion repo is a failsafe should github have problems?)

maintaining the key list on bitcointalk is one option, the more the better I guess.

The key list is inherently built into the signature file as each signature identifies the key that produced the signature. The main issue is that of key distribution. You can figure out what the necessary keys are by attempting to verify the signatures and then getting the fingerprints of the missing keys from the result in order to retrieve the keys from a keyserver or using WKD. Most people have uploaded their keys to a keyserver. However it's also useful to have all of the keys posted in one place, which is what this part of the git repo does.

In terms of "reliance on github", the previous solution was just as bad.

[Carlton Banks]

right, I would agree that the present situation is a step forward, however small

I'm hoping some kind of Nostr based github will appear, and that the client seeks downloads for the git repo p2p

hoping that whole software ecosystems spontaneously materialize may be a little optimistic, but I'm not very enthusiastic about doing it myself (sounds like javascript to me )