Description of Problem:
I get a message "gpg: BAD signature from *insert dev*" when trying to verify the PGP signatures for my bitcoin core installation.exe. Is this a clear sign that my software has been tampered with? Or is there another explanation?
You're supposed to verify the "SHA256SUMS" file with the "SHA256SUMS.asc" signature file.
So the command should be:
gpg --verify SHA256SUMS.asc SHA256SUMS
Then, after verifying that the "SHA256SUMS" file is legit, open it as text, then find and take note of the line:
9485e4b52ed6cebfe474ab4d7d0c1be6d0bb879ba7246a8239326b2230a77eb1 bitcoin-22.0-win64.zip
Get your downloaded "bitcoin-22.0-win64.zip" file's sha256 hash and see if it matches the sha256 sum in the file.
For example, using this PowerShell tool:
learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash?
Windows PowerShell command and result (with matching SHA256 hash):
Get-FileHash Desktop/bitcoin-22.0-win64.zip | Format-List
Algorithm : SHA256
Hash : 9485E4B52ED6CEBFE474AB4D7D0C1BE6D0BB879BA7246A8239326B2230A77EB1
Path : C:\Users\<username>\Desktop\bitcoin-22.0-win64.zip
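
The lookup and comparison described in the answer above, as an added PowerShell example that is not part of the original post. The function name `Test-Sha256SumsEntry` is hypothetical, and the demo at the bottom uses a constructed stand-in file (`example-1.0-win64.zip`), not a real release; it also accepts the optional `*` binary-mode marker that `sha256sum` can emit.

```powershell
# Added example: check a downloaded file against its entry in SHA256SUMS.
# Only meaningful after `gpg --verify SHA256SUMS.asc SHA256SUMS` reported a good signature.
function Test-Sha256SumsEntry {
    param(
        [Parameter(Mandatory)] [string] $SumsPath,   # path to the SHA256SUMS file
        [Parameter(Mandatory)] [string] $FilePath    # path to the downloaded file
    )
    $name = Split-Path -Leaf $FilePath
    $expected = $null
    foreach ($line in Get-Content -LiteralPath $SumsPath) {
        # Line format: 64 hex chars, whitespace, optional '*' (binary mode), file name
        if ($line -match '^([0-9a-fA-F]{64})\s+\*?(.+)$' -and $Matches[2] -eq $name) {
            $expected = $Matches[1]
            break
        }
    }
    if (-not $expected) {
        # A missing entry is a failure, not a pass: wrong sums file or renamed download
        throw "No entry for '$name' in $SumsPath"
    }
    $actual = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    # Get-FileHash prints upper-case hex while SHA256SUMS is lower-case,
    # so the comparison has to ignore case.
    [pscustomobject]@{
        File     = $name
        Expected = $expected.ToLower()
        Actual   = $actual.ToLower()
        Match    = [string]::Equals($expected, $actual, [System.StringComparison]::OrdinalIgnoreCase)
    }
}

# Constructed demo (stand-in file, not a real release)
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'sha256sums-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'example-1.0-win64.zip'
$sums = Join-Path $dir 'SHA256SUMS'
Set-Content -LiteralPath $file -Value 'constructed sample content'
$h = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash.ToLower()
Set-Content -LiteralPath $sums -Value "$h  example-1.0-win64.zip"

# Unmodified file: hash agrees with the SHA256SUMS entry
Test-Sha256SumsEntry -SumsPath $sums -FilePath $file | Format-List

# File changed after the sums were written: hash no longer agrees
Add-Content -LiteralPath $file -Value 'appended bytes'
Test-Sha256SumsEntry -SumsPath $sums -FilePath $file | Format-List
```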