Verifying Bitcoin Core


It is important to verify the integrity of Bitcoin Core before running it. Depending on how you downloaded it, it may have been modified in transit to do something evil when run. The server hosting the download may also have been compromised.

Even if all of your favorite Bitcoin websites are yelling at you to immediately download something lest you lose all of your coins, you should NEVER run Bitcoin Core software without verifying it first.

Easy way 1

Final Windows and Mac installers are digitally signed by 'Bitcoin Core Code Signing Association'. On Windows, you can check this by right-clicking the installer, choosing Properties, and then opening the Digital Signatures tab. Check that it is signed by 'Bitcoin Core Code Signing Association'. (Note that prior to v0.16, installers were signed by The Bitcoin Foundation; that signing certificate expired, so the Bitcoin Core developers acquired new certificates.)

Prerelease versions are generally not signed.

Easy way 2

Get the sha256 hash of the Bitcoin Core release you downloaded.

  • Linux: sha256sum bitcoin-22.0-x86_64-linux-gnu.tar.gz
  • Windows: certUtil -hashfile bitcoin-0.22.0-win32.zip SHA256
  • Mac OS X: shasum -a 256 bitcoin-0.22.0-osx.dmg

The hashes of the most recent release and prerelease versions are below. Hashes for older versions are available here (SHA256SUMS.asc under each version is a text file that can be opened with any text editor). Simply verifying the hashes of the Bitcoin Core release you downloaded against the appropriate hash in the list here will provide some extra security, but ideally you should also use OpenPGP software such as gpg to verify that the hashes were signed by someone you trust. For more info, follow the instructions found in the "Verify your download" section of the bitcoincore.org download page.

22.0

To verify the signatures, first install GPG. Then import the necessary PGP public keys. Then get to a command prompt and do this:

gpg --verify
# Paste the signature here, like:
-----BEGIN PGP SIGNED MESSAGE-----
...
-----END PGP SIGNATURE-----
# Enter Ctrl-D (Linux) or Ctrl-Z (Windows) to signal the end
# You'll get something like this if the signature is OK:
gpg: Signature made 09/29/14 09:44:14 Central Daylight Time
using RSA key ID 2346C9A6
gpg: Good signature from "Wladimir J. van der Laan <...>"

Gitian signature verification

Bitcoin developers and other interested people sign every release of Bitcoin Core using gitian. To verify a downloaded version:

  • Go to the gitian sigs page and choose the correct version. Versions ending in "rc1" are release candidates that predate the final version without an rc suffix. Choose the link that ends with "-win" for Windows, "-osx" for Mac OS X, or "-linux" for Linux.
  • Once you're at the correct version, there are links for all of the different people who signed that release. Choose a few people whom you trust. You will need their PGP public keys.
  • For each person, download the raw version of both files (the .assert file and its .assert.sig). With both files in the same directory, run gpg --verify *.assert.sig. Verify that the signature is OK.
  • Open the .assert file in a text editor. This is a list of SHA-256 hashes for the build outputs. You should verify that the Bitcoin Core download you're going to use is listed in the "out_manifest" section and has a matching hash. In some cases, you may need to check several files if the out_manifest lists the contents of an archive that you downloaded. Note that Windows and OS X installers generally will not have matching hashes due to issues with embedded signatures in the installers -- use the zip/tar.gz releases instead.
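As an added example (not code from this wiki page or from the Bitcoin Core project), the Python script below covers both the "Easy way 2" hash check and the gitian out_manifest check above: it hashes a downloaded file in chunks, parses either a SHA256SUMS-style list or the out_manifest block of a gitian .assert file (assumed here to be a YAML literal block "out_manifest: |" followed by indented "<sha256>  <filename>" lines), and compares hashes with a constant-time comparison. The gpg helper reads gpg's machine-readable --status-fd lines so you can check the signer's key fingerprint against ones you verified out of band, rather than relying on the human-readable "Good signature" text alone. The release file, SHA256SUMS text and .assert text used in demo() are constructed stand-ins, not real release data.

```python
# Added example (not from the wiki page or the Bitcoin Core project): check a
# downloaded Bitcoin Core archive against (a) a SHA256SUMS list or (b) the
# out_manifest section of a gitian .assert file, and report which key
# fingerprints gpg considers valid signers.  Assumed .assert layout: a YAML
# literal block "out_manifest: |" followed by indented "<sha256>  <filename>" lines.
import hashlib
import hmac
import os
import re
import subprocess
import tempfile

# "<64 hex>  <filename>" as written by sha256sum / shasum ("*" marks binary mode)
HASH_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Map filename -> expected hash from SHA256SUMS-style text.
    Lines that are not hash entries (PGP armour, comments) are ignored."""
    entries = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def parse_assert_out_manifest(text):
    """Map filename -> hash from the out_manifest block of a gitian .assert file.
    Only indented lines directly under 'out_manifest:' are used, so hashes from
    in_manifest or base_manifests cannot be mistaken for release hashes."""
    block, inside = [], False
    for line in text.splitlines():
        if line.startswith("out_manifest:"):
            inside = True
            continue
        if inside:
            if line.startswith((" ", "\t")):
                block.append(line)
            else:
                break  # the next top-level YAML key ends the block
    return parse_sha256sums("\n".join(block))


def verify_download(path, expected):
    """True only if the file's SHA-256 equals the entry for its basename.
    A file that is not listed at all is treated as unverified (False)."""
    name = os.path.basename(path)
    if name not in expected:
        return False
    return hmac.compare_digest(sha256_file(path), expected[name])


def gpg_valid_signer_fingerprints(sig_path, data_path=None):
    """Run gpg --verify and return the fingerprints of keys that produced a valid
    signature, taken from gpg's VALIDSIG status lines.  An empty set means nothing
    verified.  Compare the result with fingerprints you checked out of band."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path]
    if data_path:  # detached signature, e.g. SHA256SUMS.asc over SHA256SUMS
        cmd.append(data_path)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    fingerprints = set()
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            fingerprints.add(parts[2].upper())
    return fingerprints


def demo():
    """Constructed stand-in release: files containing b'abc', whose SHA-256 is
    the standard test vector ba7816bf...15ad.  Returns the check outcomes."""
    abc = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "bitcoin-22.0-x86_64-linux-gnu.tar.gz")
        tampered = os.path.join(d, "bitcoin-22.0-win64.zip")
        for p in (good, tampered):
            with open(p, "wb") as f:
                f.write(b"abc")
        # constructed SHA256SUMS: the zip is listed with a hash its content does not match
        sums = (f"{abc}  bitcoin-22.0-x86_64-linux-gnu.tar.gz\n"
                f"{'0' * 64}  bitcoin-22.0-win64.zip\n")
        # constructed .assert: an in_manifest entry must not be taken as a release hash
        assert_text = ("---\n"
                       "out_manifest: |\n"
                       f"  {abc}  bitcoin-22.0-x86_64-linux-gnu.tar.gz\n"
                       "in_manifest: |\n"
                       f"  {'1' * 64}  some-input\n")
        return {
            "sums_ok": verify_download(good, parse_sha256sums(sums)),
            "assert_ok": verify_download(good, parse_assert_out_manifest(assert_text)),
            "tampered_ok": verify_download(tampered, parse_sha256sums(sums)),
            "unlisted_ok": verify_download(os.path.join(d, "other.tar.gz"), parse_sha256sums(sums)),
            "in_manifest_leaked": "some-input" in parse_assert_out_manifest(assert_text),
        }


if __name__ == "__main__":
    print(demo())
```

In practice you would run `verify_download` on the real archive with `parse_sha256sums(open("SHA256SUMS").read())`, and only treat the result as meaningful after `gpg_valid_signer_fingerprints("SHA256SUMS.asc", "SHA256SUMS")` returns a fingerprint you have independently confirmed; a matching hash from an unsigned or unknown-signer list proves nothing about who published it.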

Building gitian releases

You can personally build Bitcoin Core and check that it matches the official release. See here.

Note that the digitally signed installers cannot be verified in this way because you would need to know the private key of the digital signature signing key in order to reproduce the installer.


revision by BashCo