How to Verify Bitcoin Core - a guide for non tech-savvy people?

[Maxi-Learning]

I am new to BTC, and am also rather not particularly tech-savvy. However I managed to understand (and test with some minimum amount of BTC) hardware wallets, seed phrases and all. Simply because I could always find online a “explain to me like I am 8 years old” guide to all that stuff.

Before buying any substantial amount of BTC I would like to increase my privacy. So I decided to run my own node. I use Windows.

Verifying the bitcoin core file is where I got completely stuck. Most of us (regular people) have never run CMD on Windows or done similar things! So for instance this guide here is obviously made by coders for quite tech-savvy people:
https://bitcoin.org/en/full-node#windows-10

Take for instance this part:

“You should verify these keys belong to their owners using the web of trust or other trustworthy means. Then use PGP to verify the signature on the release signatures file. Finally, use PGP or another utility to compute the SHA256 hash of the archive you downloaded, and ensure the computed hash matches the hash listed in the verified release signatures file.”

That’s great but …HOW?

I found other guides online that even elaborate a bit on the verification part. But they always assume I know how to do a lot of stuff. I even tried asking GROK and Chat GPT for help regarding a specific step, but always got stuck somewhere.

Is there any step by step (meaning: click here, open this…)  guide to verify the downloaded bitcoin core file explained “like I am 8 years old”?

[lloll]

I like https://bitcoincore.org/en/download/ instructions better.

Just take your time & try to enjoy the verification process. You may end up using it a lot  .

YouTube has a lot of videos covering this subject but most people are running mac or Linux.

Good luck!

[DireWolfM14]

Verification process of the Bitcoin Core binary is a multi-step process.

1. Download the Bitcoin Core binary for Windows, the SHA256SUMS hashes file, and the SHA256SUMS.asc signature file.

2. Open a terminal in the directory where you downloaded the files, you can do this by browsing to the directory in Windows Explorer and right clicking in the white space and select "open in Terminal".

3. Hash the binary file by typing the following command in the terminal:

Code:

certutil -hashfile bitcoin-28.1-win64-setup.exe sha256

You should get an output like this:

SHA256 hash of bitcoin-28.1-win64-setup.exe:
e48722e54b0ac61c296371aa940d61ff8fbc0a5a3f14fd41b3218179e73fff84
CertUtil: -hashfile command completed successfully.

4. Open the SHA256SUMS file by right clicking on it and select "Open with" then select Notepad.

5. Copy the sha hash string from the terminal, and using Notepad's search function search for the hash string.  You should get a match indicating your binary matches the hash string:


6. Now comes the fun part, you get to learn how to use GPG to check the SHA256SUMS file, but you'll need to install GPG first.  Here's a guide I put together for Electrum, but the principal is the same for any signed file: https://bitcointalk.org/index.php?topic=5240594.0
I use terminal commands to verify GPS signatures:

Code:

gpg --verify SHA256SUMS.asc

[Maxi-Learning]

Thank you so much!

I finally found the time to sit down to this during the weekend, and it turned out points 1-5 were super easly (thanks to your guide)

Now, I will try to do the "fun part" - point 6


One more general question:

Suppose I somehow fail to properly verify the bticoin core file, and somehow manage to download a tainted version of bitcoin core.

IF I interact with bitcoin core only through my hardware wallet,

then

I understand that the worst that may happen is that I will be somehow "mislead" by the fake btc core, and if I send my coins they may end up in some other address than the one shown on btc core.

However, when interacting through a hardware wallet my coins are still safe as long as I don't move them. In other words, the malicous third party running the tainted btc core cannot access my coins, it can only mislead me, and cause me to send my coins to their address.

IF the above is correct, then I understand that the best precaution would be always sending small batch of btc first. Then open some third party trusted btc explorer (multiple at best) and verify without using btc core that the coins actually went to the adress they were suppose to go?


So, with the "fun part" (use GPG to check the SHA256SUMS file), I got stuck here:

To use the Search feature, copy ThomasV's fingerprint from a trusted source and enter it into the provided search field.

ThomasV's fingerprint is used when checking the Electrum file, but how do I get the fingerprint for BTC core?

I asked GROK for help

GROK told me to find a list of these keys in the Bitcoin Core GitHub repository under contrib/builder-keys/keys.txt
I managed to get to the contrib folder as instructed by GROK. But inside this folder there is no "builder-keys" folder as GROK claims

[ABCbits]

--snip--
but how do I get the fingerprint for BTC core?

I asked GROK for help

GROK told me to find a list of these keys in the Bitcoin Core GitHub repository under contrib/builder-keys/keys.txt
I managed to get to the contrib folder as instructed by GROK. But inside this folder there is no "builder-keys" folder as GROK claims

GROK showed outdated information, the keys.txt file only exist until version 24.2[1]. These days, you can find it on different GitHub repository[2].

[1] https://github.com/bitcoin/bitcoin/blob/v24.2/contrib/builder-keys/keys.txt
[2] https://github.com/bitcoin-core/guix.sigs

[DireWolfM14]

IF the above is correct, then I understand that the best precaution would be always sending small batch of btc first. Then open some third party trusted btc explorer (multiple at best) and verify without using btc core that the coins actually went to the adress they were suppose to go?

It might sound like a chore, but you should always verify the recipient's address the old fashioned way; by reading it.  Even if your wallet software is legit, and your hardware wallet is secure, you could have inadvertently installed some clipboard malware which could alter addresses.

I asked GROK for help

Stop that.

I don't have all the signatories keys loaded, just the few that I know.

Ava (formerly Andrew) Chow is member here on the forum, and she's one of the signatories.  Stephan Oeste is another, and is one of the developers of Electrum and Bisq, so I'm familiar with his work too.  I don't think he's active here on the forum, however.  There are a couple of others that I have keys for, but as long as you have at least a couple of the signatories' keys in your GPG keychain, you'll be good to verify the hash file.

ABCbit posted the link to their fingerprints, you can use the following code to import them into your keychain.

Code:

gpg --keyserver hkps://keys.openpgp.org --recv-keys <the key fingerprint>