bitcoin / bitcoin

Bitcoin Core integration/staging tree

Home Page:https://bitcoincore.org/en/download


Cannot verify the download of Bitcoin Core 22.0

mangekyousharingan opened this issue · comments

commented

Hi,

Trying to verify the download of Bitcoin Core 22.0, however it is failing and it is unclear for me what is going on wrong.

Steps to reproduce:

  1. wget -qO bitcoin.tar.gz https://bitcoincore.org/bin/bitcoin-core-22.0/bitcoin-22.0-x86_64-linux-gnu.tar.gz
  2. wget -qO SHA256SUMS.asc https://bitcoincore.org/bin/bitcoin-core-22.0/SHA256SUMS.asc
  3. wget -qO SHA256SUMS https://bitcoincore.org/bin/bitcoin-core-22.0/SHA256SUMS
  4. wget -qO keys.txt https://raw.githubusercontent.com/bitcoin/bitcoin/master/contrib/builder-keys/keys.txt
  5. RUN while read fingerprint keyholder_name; do gpg --keyserver hkps://keys.openpgp.org --recv-keys ${fingerprint}; done < /tmp/keys.txt
  6. RUN gpg --verify /tmp/SHA256SUMS.asc /tmp/SHA256SUMS
  7. RUN sha256sum --ignore-missing --check /tmp/SHA256SUMS

Those steps are failing on step 6 with following error:
image

Not sure where the issue is or how I can adjust to make it pass the verification.
Details on https://bitcoincore.org/en/download/ are not up to date I guess.

commented

Basically the command gpg --verify /tmp/SHA256SUMS.asc /tmp/SHA256SUMS is failing on one signature:

gpg: Signature made Thu Sep  9 20:22:36 2021 UTC
gpg:                using RSA key 9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C
gpg:                issuer "aaron@sipsorcery.com"
gpg: Can't check signature: No public key

As SHA256SUMS.asc contains signatures from many builders is it possible to verify some of them only? 🤔 Or each of them needs to be verified?

not sure where can I get proper pub key for aaron@sipsorcery.com

> not sure where can I get proper pub key for aaron@sipsorcery.com

https://github.com/sipsorcery.gpg ?

Step 5 should have downloaded aaron@sipsorcery.com's key. Not sure why it didn't.
will8clark is also failing (no key), but isn't listed in keys.txt (this seems like more of a problem).

I believe the following is more related to the keyserver than the signing of bitcoin core 22, but I'm reporting it here in case there are keys that are expired and should be updated. There is another issue listed below but I will make a new issue for it.

gpg provides the following output for EVERY key in keys.txt:
On Windows Subsystem for Linux:
gpg: keyserver receive failed: General error
On Windows command prompt:
gpg: keyserver receive failed: Certificate expired

This includes Wladimir's key (fingerprint 71A3B16735405025D447E8F274810B012346C9A6), which I have, and which is NOT expired. It's nice that we have a large list of signers so that we can choose one we trust, but I see that there are only 13 signatures in the signature file, and there is no indication of which 13 signers have signed it.

looks like all keys are only self-signed, no other project or high-reputation signers

$ gpg --verify SHA256SUMS.asc 2>&1 | grep "using" | tr -s ' ' | cut -d ' ' -f5 | parallel --keep-order --tag gpg --check-signatures 2>&1 | less -inRF

https://wiki.debian.org/Keysigning
https://en.wikipedia.org/wiki/Key_signing_party

refreshing my keyring:

$ gpg --verify SHA256SUMS.asc 2>&1 | grep "using RSA key" | tr -s ' ' | cut -d ' ' -f5 | xargs gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys
gpg: key 099BAD163C70FBFA: "Will Clark <will8clark@gmail.com>" not changed
gpg: key 0A41BDC3F4FAFF1C: "Aaron Clauson (sipsorcery) <aaron@sipsorcery.com>" not changed
gpg: key 74810B012346C9A6: "Wladimir J. van der Laan <laanwj@visucore.com>" not changed
gpg: key 796C4109063D4EAF: public key "Jon Atack <jon@atack.com>" imported
gpg: key 410108112E7EA81F: "Hennadii Stepanov (GitHub key) <32963518+hebasto@users.noreply.github.com>" not changed
gpg: key 8E4256593F177720: "Oliver Gugger <gugger@gmail.com>" not changed
gpg: key 944D35F9AC3DB76A: 2 duplicate signatures removed
gpg: key 944D35F9AC3DB76A: "Michael Ford (bitcoin-otc) <fanquake@gmail.com>" not changed
gpg: key 2EBB056FD847F8A7: "Stephan Oeste (it) <it@oeste.de>" not changed
gpg: key C37B1C1D44C786EE: "Duncan Dean <duncangleeddean@gmail.com>" not changed
gpg: key E13FC145CD3F4304: "Antoine Poinsot <darosior@protonmail.com>" not changed
gpg: key D7CC770B81FD22A8: "Ben Carman <benthecarman@live.com>" not changed
gpg: key 17565732E08E5E41: "Andrew Chow (Official New Key) <achow101@gmail.com>" 2 new user IDs
gpg: key 17565732E08E5E41: "Andrew Chow (Official New Key) <achow101@gmail.com>" 8 new signatures
gpg: key 188CBB2648416AD5: ".0xB10C <0xb10c@gmail.com>" not changed
gpg: Total number processed: 13
gpg:               imported: 1
gpg:              unchanged: 11
gpg:           new user IDs: 2
gpg:         new signatures: 8

keys expiring before May 2022 (potential release date):

pi@raspberrypi:~/dev/git/github.com/bitcoin $ gpg --verify SHA256SUMS.asc 2>&1 | grep "using" | tr -s ' ' | cut -d ' ' -f5 | parallel --keep-order --tag gpg --list-keys | grep -E -e "expire[sd]: " | grep -E -v -e " \[(A|E)\] " | sort -t: -k2 | less -inRF 
9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C        pub   rsa4096 2019-01-13 [SC] [expires: 2022-01-12]
9DEAE0DC7063249FB05474681E4AED62986CD25D        pub   rsa2048 2011-08-24 [SC] [expires: 2022-02-10]
9DEAE0DC7063249FB05474681E4AED62986CD25D        sub   rsa2048 2017-05-17 [S] [expires: 2022-02-10]
590B7292695AFFA5B672CBB2E13FC145CD3F4304        pub   rsa3072 2018-11-17 [SCEA] [expires: 2022-02-25]
0CCBAAFD76A2ECE2CCD3141DE2FFD5B1D88CA97D        sub   rsa4096 2021-02-27 [S] [expires: 2022-02-27]
74E2DEF5D77260B98BC19438099BAD163C70FBFA        pub   rsa4096 2018-02-27 [SC] [expires: 2022-02-27]
152812300785C96444D3334D17565732E08E5E41        pub   rsa4096 2015-03-05 [SC] [expires: 2022-03-05]
82921A4B88FD454B7EB8CE3C796C4109063D4EAF        pub   rsa3072 2018-04-20 [SC] [expires: 2022-04-19]

637DB1E23370F84AFF88CCE03152347D07DA627C        sub   rsa4096 2019-10-23 [S] [expires: 2022-10-22]
0AD83877C1F0CD1EE9BD660AD7CC770B81FD22A8        pub   rsa3072 2019-01-05 [SC] [expires: 2023-01-04]
6E01EEC9656903B0542B8F1003DB6322267C373B        sub   rsa4096 2021-04-24 [] [expires: 2023-04-24]
6E01EEC9656903B0542B8F1003DB6322267C373B        sub   rsa4096 2021-04-24 [] [expires: 2023-04-24]
6E01EEC9656903B0542B8F1003DB6322267C373B        sub   rsa4096 2021-04-24 [] [expires: 2023-04-24]
6E01EEC9656903B0542B8F1003DB6322267C373B        sub   rsa4096 2021-05-12 [S] [expires: 2023-05-12]
6E01EEC9656903B0542B8F1003DB6322267C373B        pub   rsa4096 2018-05-02 [SC] [expires: 2034-04-28]

This is still an issue today.

Note that the "canonical" signing key linked from the Download page for "v0.11.0+" (https://bitcoin.org/laanwj-releases.asc) is now expired:

$ gpg --list-key --fingerprint
~/.gnupg/pubring.kbx
--------------------------------
pub   rsa4096 2015-06-24 [SC] [expired: 2022-02-10]
      01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964
uid           [ expired] Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>

v23 also throwing expired errors when I try and build

gpg: Signature made Fri Apr 22 08:56:54 2022 UTC
gpg:                using RSA key 9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C
gpg:                issuer "aaron@sipsorcery.com"
gpg: Good signature from "Aaron Clauson (sipsorcery) <aaron@sipsorcery.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 9D3C C86A 72F8 4943 42EA  5FD1 0A41 BDC3 F4FA FF1C

Up this issue, faced the same with version 23.0

commented

You shouldn't need to check all signatures. Only a handpicked set of selected signatures
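One way to apply that advice mechanically, as an added example that is not Bitcoin Core's own code: parse the machine-readable output of `gpg --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS`, count only valid signatures from builder fingerprints you chose to trust, and report the "No public key" and expired-key cases this thread ran into separately. The trusted set below is a constructed subset of keys.txt, and the status lines are constructed to mirror the thread, not captured output.

```python
"""Added example (not Bitcoin Core's own code): accept SHA256SUMS.asc only when
enough builders you chose to trust signed it, using gpg's --status-fd output."""

# Primary-key fingerprints of trusted builders (constructed subset from the thread).
TRUSTED = {"9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C",   # Aaron Clauson
           "71A3B16735405025D447E8F274810B012346C9A6",   # Wladimir J. van der Laan
           "152812300785C96444D3334D17565732E08E5E41"}   # Andrew Chow

# Constructed status lines covering the three cases seen in this thread:
# key not in the keyring, valid signature from an expired key, good signature.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY 0A41BDC3F4FAFF1C
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 17565732E08E5E41 Andrew Chow (Official New Key) <achow101@gmail.com>
[GNUPG:] VALIDSIG 152812300785C96444D3334D17565732E08E5E41 2021-09-09 1631218956 0 4 0 1 8 00 152812300785C96444D3334D17565732E08E5E41
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 74810B012346C9A6 Wladimir J. van der Laan <laanwj@visucore.com>
[GNUPG:] VALIDSIG 71A3B16735405025D447E8F274810B012346C9A6 2021-09-09 1631218956 0 4 0 1 8 00 71A3B16735405025D447E8F274810B012346C9A6
"""

STATES = {"GOODSIG": "good", "EXPKEYSIG": "expired", "BADSIG": "bad", "NO_PUBKEY": "nokey"}

def parse_status(text):
    """One record per signature: {"keyid", "fpr", "state"}; NEWSIG starts each one."""
    sigs, cur = [], None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "NEWSIG":
            cur = {"keyid": None, "fpr": None, "state": "unknown"}
            sigs.append(cur)
        elif cur is not None and parts[1] in STATES:
            cur["keyid"], cur["state"] = parts[2], STATES[parts[1]]
        elif cur is not None and parts[1] == "VALIDSIG":
            cur["fpr"] = parts[-1]        # last field is the primary key fingerprint
    return sigs

def trusted_signers(sigs, trusted, accept_expired=False):
    """Return (trusted fingerprints with a valid signature, list of (keyid, problem))."""
    good, problems = set(), []
    for s in sigs:
        valid = s["state"] == "good" or (accept_expired and s["state"] == "expired")
        if valid and s["fpr"] in trusted:
            good.add(s["fpr"])
        elif s["state"] != "good":        # untrusted-but-good keys are simply ignored
            problems.append((s["keyid"], s["state"]))
    return good, problems

def enough_signatures(sigs, trusted, min_good=2, accept_expired=False):
    good, _ = trusted_signers(sigs, trusted, accept_expired)
    return len(good) >= min_good      # require several distinct trusted builders
```

With the sample above only one trusted signature is good, so a two-signer policy rejects the file until the missing key is imported or the expired one is refreshed and you decide to accept it.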

As a noob when it comes to PGP signing etc, is it not safe to install Bitcoin core 23 at this time?

> As a noob when it comes to PGP signing etc, is it not safe to install Bitcoin core 23 at this time?

The problem is that you don't know what you're installing. This issue is related to the cryptographic proof that what you're installing is what the "signers" who signed it say it is. I recommend that you ask someone you trust who at least claims to understand the danger and how to avoid it for help.

commented

This is the issue tracker for Bitcoin Core, the software, not for the website. Though, I've suggested a fix in bitcoin-core/bitcoincore.org#807 (review)

> As a noob when it comes to PGP signing etc, is it not safe to install Bitcoin core 23 at this time?
>
> The problem is that you don't know what you're installing. This issue is related to the cryptographic proof that what you're installing is what the "signers" who signed it say it is. I recommend that you ask someone you trust who at least claims to understand the danger and how to avoid it for help.

I had to manually search and download a .asc file for each key at https://keys.openpgp.org/
Then open the .asc file, is this the same as importing it through command line?
When going through command line I am getting that the keyservers are not responding

As mentioned, this is primarily an issue with the documentation on https://github.com/bitcoin-core/bitcoincore.org, not a bug in Bitcoin Core, so I'm going to close this issue for now.