public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Charles Hill <chill@degreesofzero.com>
To: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] bitcoin.org missing bitcoin core version 22.0
Date: Wed, 20 Oct 2021 20:43:27 +0100	[thread overview]
Message-ID: <7c2d608c-bd59-b04e-a9a5-a55098782700@degreesofzero.com> (raw)
In-Reply-To: <20211020192054.GA117785@jauntyelephant.191.37.198.vultr.com>

Hello, Owen,

The GPG signature verification has changed for bitcoin core version 22 
and later. There were two main changes:

1) The sha256 checksums are now in a separate file from the GPG 
signatures. So download a new file named "SHA256SUMS" (contains the 
checksums) and also the "SHA256SUMS.asc" which contains the signatures.

2) The signature file now contains multiple signatures. These signatures 
are generated by multiple "builders" who have provided their own public 
keys to verify against. Not all builders will provide a signature for 
each release.

You can find more information at bitcoincore.org/en/download/ [1] under 
the "Linux verification instructions" section - click to expand.

Instructions about where to find and how to import the full list of 
"builder" public keys can be found in the bitcoin core github repo [2].

 > I also notice that, as of 22.0, Wladimir is no longer signing the 
releases, and I have no trust in my gpg network of the people who seem 
to have replaced him.

The list of "builder" public keys includes many long-time bitcoin core 
contributors as well as Wladimir's. Caution is always warranted but 
please do not spread unnecessary FUD.

- chill

[1] https://bitcoincore.org/en/download/
[2] https://github.com/bitcoin/bitcoin/tree/master/contrib/builder-keys


On 10/20/21 8:20 PM, Owen Gunden via bitcoin-dev wrote:
> On Wed, Oct 20, 2021 at 04:47:17PM +0200, Prayank wrote:
>>> It seems confusing to have two sites that seemingly both represent
>>> bitcoin core.
>> There is only one website which represents Bitcoin Core full node
>> implementation. You can download Bitcoin Core from
>> https://bitcoincore.org
> I also notice that, as of 22.0, Wladimir is no longer signing the
> releases, and I have no trust in my gpg network of the people who seem
> to have replaced him.
>
> Given the level of security at stake here, my eyebrows are raised at
> this combination of items changing (new website + new gpg signers at the
> same time).
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


  parent reply	other threads:[~2021-10-20 19:43 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-20 14:47 [bitcoin-dev] bitcoin.org missing bitcoin core version 22.0 Prayank
2021-10-20 19:20 ` Owen Gunden
2021-10-20 19:37   ` Pieter Wuille
2021-10-20 19:49     ` Owen Gunden
2021-10-20 19:43   ` Charles Hill [this message]
2021-10-20 20:18   ` Kate Salazar
2021-11-05  8:17     ` Prayank
2021-11-05 10:52       ` damian
2021-11-05 14:45       ` yanmaani
2021-11-08  3:02         ` ZmnSCPxj
2021-11-09 12:49         ` Prayank
  -- strict thread matches above, loose matches on Subject: below --
2021-10-20 21:50 Andrew Chow
2021-10-20 12:54 Owen Gunden

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7c2d608c-bd59-b04e-a9a5-a55098782700@degreesofzero.com \
    --to=chill@degreesofzero.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox