📅 Original date posted:2021-10-20
📝 Original message:Hello, Owen,
The GPG signature verification has changed for bitcoin core version 22
and later. There were two main changes:
1) The sha256 checksums are now in a separate file from the GPG
signatures. So download a new file named "SHA256SUMS" (contains the
checksums) and also the "SHA256SUMS.asc" which contains the signatures.
2) The signature file now contains multiple signatures. These signatures
are generated by multiple "builders" who have provided their own public
keys to verify against. Not all builders will provide a signature for
each release.
You can find more information at bitcoincore.org/en/download/ [1] under
the "Linux verification instructions" section - click to expand.
Instructions about where to find and how to import the full list of
"builder" public keys can be found in the bitcoin core github repo [2].
> I also notice that, as of 22.0, Wladimir is no longer signing the
releases, and I have no trust in my gpg network of the people who seem
to have replaced him.
The list of "builder" public keys includes many long-time bitcoin core
contributors as well as Wladimir's. Caution is always warranted but
please do not spread unnecessary FUD.
- chill
[1] https://bitcoincore.org/en/download/
[2] https://github.com/bitcoin/bitcoin/tree/master/contrib/builder-keys
On 10/20/21 8:20 PM, Owen Gunden via bitcoin-dev wrote:
> On Wed, Oct 20, 2021 at 04:47:17PM +0200, Prayank wrote:
>>> It seems confusing to have two sites that seemingly both represent
>>> bitcoin core.
>> There is only one website which represents Bitcoin Core full node
>> implementation. You can download Bitcoin Core from
>> https://bitcoincore.org
> I also notice that, as of 22.0, Wladimir is no longer signing the
> releases, and I have no trust in my gpg network of the people who seem
> to have replaced him.
>
> Given the level of security at stake here, my eyebrows are raised at
> this combination of items changing (new website + new gpg signers at the
> same time).
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Charles Hill [ARCHIVE] /
npub1h7…u02q4
2023-06-07 23:00:16
in reply to nevent1q…kh8x
Author Public Key
npub1h7ewsachqwlnaue46l350acuwpp2pw5l3gqvwp6xsrrnh7eed7aqyu02q4Published at
2023-06-07 23:00:16Event JSON
{
"id": "2c59cd789aae8d82c1a96a33b04fb191bfe9e663a08ba4144d5dbcb3ba72c542",
"pubkey": "bfb2e8771703bf3ef335d7e347f71c7042a0ba9f8a00c7074680c73bfb396fba",
"created_at": 1686178816,
"kind": 1,
"tags": [
[
"e",
"a514e5c68bef61bec41f615418aa8b3401773f97dcaf1a33b9d69757609c0a79",
"",
"root"
],
[
"e",
"76c7be682d829ce35ed33b8651cafb5fe26b7b98177ce4999bac70e56c90c8ff",
"",
"reply"
],
[
"p",
"8be4d6a7fffe0afa37fb93c368165a4b57f6973c7841f2a367d34cb879d71b0c"
]
],
"content": "📅 Original date posted:2021-10-20\n📝 Original message:Hello, Owen,\n\nThe GPG signature verification has changed for bitcoin core version 22 \nand later. There were two main changes:\n\n1) The sha256 checksums are now in a separate file from the GPG \nsignatures. So download a new file named \"SHA256SUMS\" (contains the \nchecksums) and also the \"SHA256SUMS.asc\" which contains the signatures.\n\n2) The signature file now contains multiple signatures. These signatures \nare generated by multiple \"builders\" who have provided their own public \nkeys to verify against. Not all builders will provide a signature for \neach release.\n\nYou can find more information at bitcoincore.org/en/download/ [1] under \nthe \"Linux verification instructions\" section - click to expand.\n\nInstructions about where to find and how to import the full list of \n\"builder\" public keys can be found in the bitcoin core github repo [2].\n\n \u003e I also notice that, as of 22.0, Wladimir is no longer signing the \nreleases, and I have no trust in my gpg network of the people who seem \nto have replaced him.\n\nThe list of \"builder\" public keys includes many long-time bitcoin core \ncontributors as well as Wladimir's. Caution is always warranted but \nplease do not spread unnecessary FUD.\n\n- chill\n\n[1] https://bitcoincore.org/en/download/\n[2] https://github.com/bitcoin/bitcoin/tree/master/contrib/builder-keys\n\n\nOn 10/20/21 8:20 PM, Owen Gunden via bitcoin-dev wrote:\n\u003e On Wed, Oct 20, 2021 at 04:47:17PM +0200, Prayank wrote:\n\u003e\u003e\u003e It seems confusing to have two sites that seemingly both represent\n\u003e\u003e\u003e bitcoin core.\n\u003e\u003e There is only one website which represents Bitcoin Core full node\n\u003e\u003e implementation. You can download Bitcoin Core from\n\u003e\u003e https://bitcoincore.org\n\u003e I also notice that, as of 22.0, Wladimir is no longer signing the\n\u003e releases, and I have no trust in my gpg network of the people who seem\n\u003e to have replaced him.\n\u003e\n\u003e Given the level of security at stake here, my eyebrows are raised at\n\u003e this combination of items changing (new website + new gpg signers at the\n\u003e same time).\n\u003e\n\u003e _______________________________________________\n\u003e bitcoin-dev mailing list\n\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev",
"sig": "6cc520b54d8b9aaa3668331177fd9ab553f398093267e937f09a75c6553ea014b50960d82416c04450b1ffca584a6d048e70422de3007110601d2921b9aeb6a9"
}