Having problems verifying bitcoin download with GPG4Win

[jimbobway]

I read this here to get started:  http://bitcoin.stackexchange.com/questions/565/how-can-one-download-the-bitcoin-client-securely

Jeff Garzik signs every release with his GPG key (also here). You can find release announcements (such as this one) on the SourceForge.net Bitcoin development list.

To verify the signature on a release, obtain the key from the link above. Obtain the release announcement from the link above. Obtain the download from any source. Then point GPG at the release annoucement (or the signature block from it, including the BEGIN and END lines). GPG will ask what file you want to verify, pick any of the ones listed in the signature certificate. It will then tell you if the release is identical to the release Jeff Garzik signed.

I downloaded GPG4Win and Kleopatra.  I install Jeff Garzik GPG key into Kleopatra. (Finger print looks ok '60B0 0235 B335 5D84 BF2A 4E35 DA1D C20F 2DBF 0CA8')

I download this file "SHA256SUMS.asc" located here: http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.5.3/

I right click "SHA256SUMS.asc", then select "Decrypt and Verify".  I select the bitcoin file "bitcoin-0.5.3.1-win32-setup.exe".

I get this message: "No signatures found."

What am I doing wrong?

[1713576363]

1713576363

[1713576363]

1713576363

[1713576363]

1713576363

[1713576363]

1713576363

[pc]

This whole thing is definitely unintuitive. I'm not familiar with those GPG clients, but I may be able to help point you in the right direction. The SHA256SUMS.asc file isn't a detached signature, it's a plaintext file with a signature included, much like might be on an email. Does your software offer a plain "verify" feature?

Once you've verified that SHA256SUMS.asc is genuinely signed, then you can look in it to see that bitcoin-0.5.3.1-win32-setup.exe has a SHA-256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32. So now, you just need to make sure that your file in fact has that checksum.

I'm on a Mac, and the command I'd use for it here is "openssl dgst -sha256 bitcoin-0.5.3.1-win32-setup.exe". Openssl is cross-platform, but probably isn't installed on Windows by default. I don't know if there's something else likely already installed, or if your GPG software also has a way to find the SHA-256 of a file somewhere in there.

Hope this helps.

[jake262144]

I install Jeff Garzik GPG key into Kleopatra. (Finger print looks ok '60B0 0235 B335 5D84 BF2A 4E35 DA1D C20F 2DBF 0CA8')...
What am I doing wrong?

At the very least you need to import gavin's public key as well - the keys you might be interested in are neatly listed on bitcoin.org

[jimbobway]

I install Jeff Garzik GPG key into Kleopatra. (Finger print looks ok '60B0 0235 B335 5D84 BF2A 4E35 DA1D C20F 2DBF 0CA8')...
What am I doing wrong?

At the very least you need to import gavin's public key as well - the keys you might be interested in are neatly listed on bitcoin.org

So I installed all of the GPG .asc certificates on the bitcoin.org homepage (Gavin's and others) into Kleopatra.  I repeated the steps:

Select "Decrypt and Verify".
Select the bitcoin file "bitcoin-0.5.3.1-win32-setup.exe".

I get the same  message: "No signatures found."

I will try downloading and installing OpenSSL and see where it gets me.  Thanks for the advice so far.

[jake262144]

Umm... that's how I do it, only with command line programs:

First of all, it's the SHA256SUMS.asc file that needs to be verified, not the executable itself:

Code:

gpg --import c:\wherever\gavinandresen.asc
gpg --verify c:\wherever\sha256sums.asc

When gpg is happy (gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>") you can take a peek inside the SHA256SUMS.asc file.
You will find, amongst other things, this line:

Code:

6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32  bitcoin-0.5.3.1-win32-setup.exe

What it tells you, is that the current Bitcoin installer package for Windows has a SHA256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32.
The digital signature guarantees this information is correct and has not been tampered with.

Now let's calculate the checksum of the actual installer:

Code:

sha256sum c:\wherever\bitcoin-0.5.3.1-win32-setup.exe

6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32

Done.

HashCalc is a great and free GUI tool you can use to calculate pretty much any checksum you need.

[jimbobway]

Where do you get these command line programs for windows?

Umm... that's how I do it, only with command line programs:

First of all, it's the SHA256SUMS.asc file that needs to be verified, not the executable itself:

Code:

gpg --import c:\wherever\gavinandresen.asc
gpg --verify c:\wherever\sha256sums.asc

When gpg is happy (gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>") you can take a peek inside the SHA256SUMS.asc file.
You will find, amongst other things, this line:

Code:

6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32  bitcoin-0.5.3.1-win32-setup.exe

What it tells you, is that the current Bitcoin installer package for Windows has a SHA256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32.
The digital signature guarantees this information is correct and has not been tampered with.

Now let's calculate the checksum of the actual installer:

Code:

sha256sum c:\wherever\bitcoin-0.5.3.1-win32-setup.exe

6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32

Done.

HashCalc is a great and free GUI tool you can use to calculate pretty much any checksum you need.

[jake262144]

You already installed both of them by installing GPG4Win.
The default installation directory for Gpg4Win is C:\Program Files (x86)\GNU\GnuPG  (on 64-bit systems) or C:\Program Files\GNU\GnuPG  (32-bit systems)

If you cd to the installation directory both gpg.exe and sha25sum.exe will be in scope:

Code:

cd \Program Files (x86)\GNU\GnuPG

The last line is no mistake, you can use the backslash to denote the root directory of the currently chosen partition making the obnoxious c: drive letter redundant.

I recommend that you add c:\Program Files (x86)\GNU\GnuPG to your path so that sha256sum is always in scope.

[jimbobway]

Here's what I did:

C:\>gpg --verify SHA256SUMS.asc
gpg: Signature made 03/16/12 13:01:01 Pacific Daylight Time using RSA key ID 1FC
730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail
.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1


Should I be worried about the warnings?  BTW, I did a sha256sum and it matches the one in the SHA256SUMS.asc file.  It is just the warning above that bugs me.  I also imported gavin's PGP and it imported ok.

I did some googling and found this: http://lists.gnupg.org/pipermail/gnupg-users/2009-March/035981.html

Says I need to do a "web-of-trust by doing some keysigning" of some sort.

Edit: Did some more googling.  Says, "The best method is to meet the developer in person and exchange key fingerprints."  Gavin, you want to meet up?  Ideas anybody?

[jake262144]

Those warnings basically say
"Hey dude, Gavin says this file here is his public key but no trusted Certificate Authority is backing up the validity of this claim.
Tell Gavin to pony up some big bucks and make Verisign, Thawte, Comodo, Equifax, Hongkong Post, TurkTrust⁽¹⁾, or DigiNotar⁽²⁾ happy."


If a hacker were able to breach bitcoin.org's server and replace Gavin's public key and they were then able to breach the SourceForge repositories and replace the files with malicious ones, anyone validating the bad executables with the bad public key could be cheated into thinking that everything is fine.
In short, if a hacker gets full control over everything, we're screwed - film at 11.

For the record, the fingerprint of Gavin's public key is indeed 2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1



Notes
(1) You may not have known but your system trusts hundreds of entities. From its POV Hongkong Post is just as trustworthy as Verisign. Better believe someone in Hongkong did their due dilligence when signing those SSL certificates.
(2) I put DigiNotar in as a joke; this CA fell victim to a hacker attack last year. As a result, they went keel up and sank.
     The SSL certificates the hackers were able to generate were inherently trusted by any machine in the world. So much for trusted CAs.
     You better believe TurkTrust and Hongkong Post really know what they are doing
     There have been several initiatives to mitigate the flaws in the current trusted CA model.

[cypherdoc]

Umm... that's how I do it, only with command line programs:

First of all, it's the SHA256SUMS.asc file that needs to be verified, not the executable itself:

Code:

gpg --import c:\wherever\gavinandresen.asc
gpg --verify c:\wherever\sha256sums.asc

When gpg is happy (gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>") you can take a peek inside the SHA256SUMS.asc file.
You will find, amongst other things, this line:

Code:

6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32  bitcoin-0.5.3.1-win32-setup.exe

What it tells you, is that the current Bitcoin installer package for Windows has a SHA256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32.
The digital signature guarantees this information is correct and has not been tampered with.

Now let's calculate the checksum of the actual installer:

Code:

sha256sum c:\wherever\bitcoin-0.5.3.1-win32-setup.exe

6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32

Done.

HashCalc is a great and free GUI tool you can use to calculate pretty much any checksum you need.

jake, do i need to install HashCalc to check the hash of the bitcoin-0.7.0-win32-setup.exe installer on my Win 7 machine?  i noticed that the link only says its good up to Win XP? 

[flatfly]

There are many other tools available, one example is SFVNinja

[cypherdoc]

There are many other tools available, one example is SFVNinja

thanks.  actually HashCalc worked just fine.