
On the bitcoin.org website it says:

verify your download using signatures

I have found some vague instructions on how to do this, but was wondering if anyone has written clear and concise step-by-step instructions?

I am using Linux/Ubuntu.


This is what I have tried so far:

oshirowanen@computer:~/Downloads/bitcoin 0.13.0$ ls -l
total 23124
-rw-rw-r-- 1 oshirowanen oshirowanen 23652105 Aug 31 08:57 bitcoin-0.13.0-x86_64-linux-gnu.tar.gz
-rw-rw-r-- 1 oshirowanen oshirowanen     2100 Aug 31 09:41 laanwj-releases.asc

oshirowanen@computer:~/Downloads/bitcoin 0.13.0$ gpg --with-fingerprint laanwj-releases.asc 
pub  4096R/36C2E964 2015-06-24 Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>
      Key fingerprint = 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

oshirowanen@computer:~/Downloads/bitcoin 0.13.0$ gpg --import laanwj-releases.asc 
gpg: /home/oshirowanen/.gnupg/trustdb.gpg: trustdb created
gpg: key 36C2E964: public key "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

oshirowanen@computer:~/Downloads/bitcoin 0.13.0$ gpg --verify laanwj-releases.asc 
gpg: verify signatures failed: unexpected data

oshirowanen@computer:~/Downloads/bitcoin 0.13.0$ 

UPDATE 1:

Just tried:

oshirowanen@computer:~/Downloads/bitcoin 0.13.0$ gpg --verify laanwj-releases.asc bitcoin-0.13.0-x86_64-linux-gnu.tar.gz

gpg: verify signatures failed: unexpected data


UPDATE 2:

oshirowanen@computer:~/Downloads/bitcoin 0.13.0$ gpg laanwj-releases.asc bitcoin-0.13.0-x86_64-linux-gnu.tar.gz

usage: gpg [options] [filename]


UPDATE 3:

oshirowanen@computer:~/Downloads/bitcoin 0.13.0$ ls -l
total 23124
-rw-rw-r-- 1 oshirowanen oshirowanen 23652105 Aug 31 08:57 bitcoin-0.13.0-x86_64-linux-gnu.tar.gz
-rw-rw-r-- 1 oshirowanen oshirowanen     2100 Aug 31 09:41 laanwj-releases.asc
-rw-rw-r-- 1 oshirowanen oshirowanen     1957 Aug 31 08:50 SHA256SUMS.asc

oshirowanen@computer:~/Downloads/bitcoin 0.13.0$ gpg --import laanwj-releases.asc 
gpg: key 36C2E964: "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

oshirowanen@computer:~/Downloads/bitcoin 0.13.0$ gpg --verify SHA256SUMS.asc 
gpg: Signature made Tue 23 Aug 2016 15:23:26 BST using RSA key ID 36C2E964
gpg: Good signature from "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

oshirowanen@computer:~/Downloads/bitcoin 0.13.0$ sha256sum bitcoin-0.13.0-x86_64-linux-gnu.tar.gz 
bcc1e42d61f88621301bbb00512376287f9df4568255f8b98bc10547dced96c8  bitcoin-0.13.0-x86_64-linux-gnu.tar.gz

oshirowanen@computer:~/Downloads/bitcoin 0.13.0$ grep bitcoin-0.13.0-x86_64-linux-gnu.tar.gz SHA256SUMS.asc 
bcc1e42d61f88621301bbb00512376287f9df4568255f8b98bc10547dced96c8  bitcoin-0.13.0-x86_64-linux-gnu.tar.gz

oshirowanen@computer:~/Downloads/bitcoin 0.13.0$

Does this mean all is good? The WARNING is worrying.

oshirowanen

1 Answer

I just tried it myself, and the problem is you are trying to verify a public key, not a signed document.

  1. As pointed out in the comments, verify the key with a keyserver and/or trusted source. In this case the key comes from the Bitcoin Core website itself.
  2. First import the key:

    gpg --import laanwj-releases.asc

  3. Then download the tarball with the SHA256SUMS.asc file.

  4. Now you can verify the SHA256SUMS.asc with the previously imported key.

    gpg --verify SHA256SUMS.asc

  5. When verified successfully, calculate the sha256 over the tarball.

    sha256sum bitcoin-0.13.0-x86_64-linux-gnu.tar.gz

  6. It will output the hash, which you can match with the hash in SHA256SUMS.asc.

    grep bitcoin-0.13.0-x86_64-linux-gnu.tar.gz SHA256SUMS.asc

When they match, you're good.

Yorick de Wid
  • I'd say step 0 is to verify you got `laanwj-releases.asc` from a trusted source and via trusted means. (For example, I was quite shocked when Ubuntu only allows you to download their key via HTTP...) – billc.cn Aug 31 '16 at 14:13
  • @billc.cn thx, updated the post – Yorick de Wid Aug 31 '16 at 14:36
  • @YorickdeWid, please see update 3. – oshirowanen Sep 04 '16 at 14:21
  • @billc.cn, please see update 3. – oshirowanen Sep 04 '16 at 14:21
  • I think it is now good if you trust the authenticity of `laanwj-releases.asc`. The warning means the key used to generate the signature [does not have enough trust level](http://serverfault.com/q/569911/88770), but the signature is nonetheless good. – billc.cn Sep 05 '16 at 14:26
  • @billc.cn Yes, GPG always does that when you import a key that hasn't signed your key. In this case there is no need for that, because the laanwj-releases.asc already came over a secure channel. Besides, if the key were to be fake, we would have expected it to be revoked by now. – Yorick de Wid Sep 05 '16 at 14:29
  • inport -> import – Snger Jul 21 '17 at 06:14
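The answer's steps 2 to 6 as an added script (example code, not from the question, the answer or Bitcoin Core). It assumes the signing key's fingerprint has been obtained out of band (the value pinned below is the one printed in the question) and reads gpg's `--status-fd` lines, so the "not certified" WARNING is replaced by an explicit fingerprint comparison; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: the answer's verification steps as functions. The pinned
# fingerprint is the one the question prints; confirm it out of band first.
set -u

EXPECTED_FPR="01EA5486DE18A882D4C2684590C8019E36C2E964"

# Inspect gpg's machine-readable status lines (from --status-fd) and succeed
# only for a VALIDSIG whose signing or primary key fingerprint is the pinned
# one. TRUST_UNDEFINED (the "not certified" WARNING) is expected: pinning the
# fingerprint is what stands in for web-of-trust certification here.
check_gpg_status() {
    local status_file=$1
    awk -v want="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }' "$status_file"
}

# Compare the tarball's SHA-256 with the line for exactly that filename in
# SHA256SUMS(.asc). An empty expected hash (filename absent from the list)
# must fail rather than compare equal to an empty actual hash.
check_sha256() {
    local sums=$1 tarball=$2 name expected actual
    name=$(basename "$tarball")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    actual=$({ sha256sum "$tarball" || shasum -a 256 "$tarball"; } 2>/dev/null \
             | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Full check, run from the download directory:
#   verify_release SHA256SUMS.asc bitcoin-0.13.0-x86_64-linux-gnu.tar.gz
verify_release() {
    local sums=$1 tarball=$2 status rc
    status=$(mktemp) || return 1
    gpg --status-fd 1 --verify "$sums" >"$status" 2>/dev/null
    check_gpg_status "$status" && check_sha256 "$sums" "$tarball"
    rc=$?
    rm -f "$status"
    return "$rc"
}
```

A GOODSIG from a different key carrying the same user ID, or a signed sums file that does not list the tarball at all, both fail; the signature check says nothing about the download until the hash line also matches.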