Downloads: add binary verification instructions

harding · harding · commit 0387192bffed · 2018-05-19T08:45:38.000-04:00
- Add releases signing key fingerprint
- Add instructions for Windows, Mac, Linux
    - Win/Mac untested
- Add disclaimer for Ubuntu PPA
- Add notes about gitian, with link to repository
- Make all text strings translatable, but prevent URLs, file names, and
  key fingerprints from being translated to make translation review
  easier

Includes improvements suggested by Kalle Rosenbaum
diff --git a/_includes/templates/download.html b/_includes/templates/download.html
@@ -1,13 +1,17 @@
 {% capture /dev/null %}<!-- suppress render of this part -->
 <!-- Copyright 2013 - 2016 The Bitcoin.org Project.
-     Copyright 2017 The BitcoinCore.org Project
+     Copyright 2017 - 2018 The BitcoinCore.org Project
      This file is licensed under the MIT License (MIT) available on
      http://opensource.org/licenses/MIT. -->
 {% assign VERSION_SORTED_RELEASES = site.releases | sort: 'release' | reverse %}
 {% capture CURRENT_RELEASE %}{% for subver in VERSION_SORTED_RELEASES[0].release %}{{subver}}{% unless forloop.last %}.{% endunless %}{% endfor %}{% endcapture %}
 {% assign magnet = VERSION_SORTED_RELEASES[0].optional_magnetlink %}
 {% capture PATH_PREFIX %}/bin/bitcoin-core-{{CURRENT_RELEASE}}{% endcapture %}
 {% capture FILE_PREFIX %}bitcoin-{{CURRENT_RELEASE}}{% endcapture %}
+{% assign SIGNING_KEY_FINGERPRINT = "01EA5486DE18A882D4C2684590C8019E36C2E964" %}
+{% capture SIGNING_KEY_FINGERPRINT_EXPLODED %}{% include fingerprint-split.html hex=SIGNING_KEY_FINGERPRINT %}{% endcapture %}
+{% assign GPG_DOWNLOAD_URL = "https://www.gnupg.org/download/index.en.html#binary" %}
+{% assign GITIAN_REPOSITORY_URL = "https://github.com/bitcoin-core/gitian.sigs" %}
 {% endcapture %}
 <link rel="alternate" type="application/rss+xml" href="/en/releasesrss.xml" title="Bitcoin Core releases">
 <div class="download">
@@ -74,14 +78,169 @@ <h2>{{ page.latestversion }} {{CURRENT_RELEASE}} <a type="application/rss+xml" h
     </p>
     <p class="downloadkeys">
       <span>{{ page.releasekeys }}</span>
-      <a href="/keys/laanwj-releases.asc">v0.11.0+</a>
+      <a href="/keys/laanwj-releases.asc">v0.11.0+</a> <code title="{{page.pgp_key_fingerprint}}">{{SIGNING_KEY_FINGERPRINT}}</code>
     </p>
   </div>
 
-  <h2><img src="/assets/images/icons/note.svg" class="warningicon" alt="note">{{ page.patient }}</h2>
-  <p>{{ page.notesync | replace: '$(DATADIR_SIZE)', site.data.stats.datadir_gb | replace: '$(PRUNED_SIZE)', site.data.stats.pruned_gb | replace: '$(MONTHLY_RANGE_GB)', site.data.stats.monthly_storage_increase_range_gb }} {{ page.full_node_guide }}</p>
-  <p>{{ page.notelicense }}</p>
 </div>
+
+  <h2 style="text-align: center">{{ page.patient }}</h2>
+  <p>{{ page.notesync | replace: '$(DATADIR_SIZE)', site.data.stats.datadir_gb | replace: '$(PRUNED_SIZE)', site.data.stats.pruned_gb | replace: '$(MONTHLY_RANGE_GB)', site.data.stats.monthly_storage_increase_range_gb }} {{ page.full_node_guide }}</p>
+
+{% if page.version > 1 %}
+  <h2 style="text-align: center">{{page.verify_download}}</h2>
+  <p>{{page.verification_recommended}}</p>
+  <details>
+  {% assign GPG = "C:\Program Files\Gnu\GnuPg\gpg.exe" %}
+    <summary><strong>{{page.windows_instructions}}</strong></summary>
+    <ol>
+      <li><p>{{page.download_release}}</p></li>
+
+      <li><p>{{page.download_checksums}} <a href="{{ PATH_PREFIX }}/SHA256SUMS.asc">SHA256SUMS.asc</a></p></li>
+
+      <li><p>{{page.cd_to_downloads}}</p>
+
+        <pre class="highlight"><code>{{page.cd_example_windows}}</code></pre>
+
+        </li>
+
+      {% capture windows_example_binary %}{{FILE_PREFIX}}-{{site.data.binaries.win64exe}}{% endcapture %}
+      <li><p>{{page.generate_checksum | replace: "$(FILE)", windows_example_binary}}</p>
+
+        <pre class="highlight"><code>certUtil -hashfile {{windows_example_binary}} SHA256</code></pre></li>
+
+      <li><p>{{page.ensure_checksum_matches}}</p>
+
+        <pre class="highlight"><code>type SHA256SUMS.asc</code></pre></li>
+
+      <li><p>{{page.install_gpg}} <a
+      href="{{GPG_DOWNLOAD_URL}}">{{page.gpg_download_page}}</a></p></li>
+
+      <li><p>{{page.obtain_release_key}}</p>
+
+        <pre class="highlight"><code>{{GPG}} --recv-keys {{SIGNING_KEY_FINGERPRINT}}</code></pre>
+
+        <p>{{page.release_key_obtained}}</p></li>
+
+      <li>{{page.verify_checksums_file}}
+
+        <pre class="highlight"><code>{{GPG}} --verify SHA256SUMS.asc</code></pre></li>
+
+      <li><p>{{page.check_gpg_output}}</p>
+        <ol><li><p>{{page.line_starts_with}} <code>gpg: {{page.localized_gpg_good_sig}}</code></p></li>
+          <li><p>{{page.complete_line_saying}} <code>{{page.localized_gpg_primary_fingerprint}} {{SIGNING_KEY_FINGERPRINT_EXPLODED}}</code></p></li>
+        </ol>
+
+        <p>{{page.gpg_trust_warning}}</p></li>
+
+    </ol>
+  </details>
+  <details>
+    {% assign GPG = "gpg" %}
+    <summary><strong>{{page.macos_instructions}}</strong></summary>
+    <ol>
+      <li><p>{{page.download_release}}</p></li>
+
+      <li><p>{{page.download_checksums}} <a href="{{ PATH_PREFIX }}/SHA256SUMS.asc">SHA256SUMS.asc</a></p></li>
+
+      <li><p>{{page.cd_to_downloads}}</p>
+
+        <pre class="highlight"><code>{{page.cd_example_linux}}</code></pre>
+
+        </li>
+
+      <li><p>{{page.verify_download_checksum}}</p>
+
+        <pre class="highlight"><code>shasum -a 256 --check SHA256SUMS.asc</code></pre>
+
+        <p>{{page.checksum_warning_and_ok | replace, "$(SHASUMS_OK)", page.localized_checksum_ok}} <code>{{FILE_PREFIX}}{{site.data.binaries.macdmg}}: {{page.localized_checksum_ok}}</code></p></li>
+
+      <li><p>{{page.install_gpg}} <a
+      href="{{GPG_DOWNLOAD_URL}}">{{page.gpg_download_page}}</a></p></li>
+
+      <li><p>{{page.obtain_release_key}}</p>
+
+        <pre class="highlight"><code>gpg --recv-keys {{SIGNING_KEY_FINGERPRINT}}</code></pre>
+
+        <p>{{page.release_key_obtained}}</p></li>
+
+      <li>{{page.verify_checksums_file}}
+
+        <pre class="highlight"><code>gpg --verify SHA256SUMS.asc</code></pre></li>
+
+      <li><p>{{page.check_gpg_output}}</p>
+        <ol><li><p>{{page.line_starts_with}} <code>gpg: {{page.localized_gpg_good_sig}}</code></p></li>
+          <li><p>{{page.complete_line_saying}} <code>{{page.localized_gpg_primary_fingerprint}} {{SIGNING_KEY_FINGERPRINT_EXPLODED}}</code></p></li>
+        </ol>
+
+        <p>{{page.gpg_trust_warning}}</p></li>
+    </ol>
+  </details>
+
+  <details>
+    <summary><strong>{{page.linux_instructions}}</strong></summary>
+    <ol>
+      <li><p>{{page.download_release}}</p></li>
+
+      <li><p>{{page.download_checksums}} <a href="{{ PATH_PREFIX }}/SHA256SUMS.asc">SHA256SUMS.asc</a></p></li>
+
+      <li><p>{{page.cd_to_downloads}}</p>
+
+        <pre class="highlight"><code>{{page.cd_example_linux}}</code></pre>
+
+        </li>
+
+      <li><p>{{page.verify_download_checksum}}</p>
+
+        <pre class="highlight"><code>sha256sum --ignore-missing --check SHA256SUMS.asc</code></pre>
+
+        <p>{{page.checksum_warning_and_ok | replace, "$(SHASUMS_OK)", page.localized_checksum_ok}} <code>{{FILE_PREFIX}}-{{site.data.binaries.lin64}}: {{page.localized_checksum_ok}}</code></p></li>
+
+      <li><p>{{page.obtain_release_key}}</p>
+
+        <pre class="highlight"><code>gpg --recv-keys {{SIGNING_KEY_FINGERPRINT}}</code></pre>
+
+        <p>{{page.release_key_obtained}}</p></li>
+
+      <li>{{page.verify_checksums_file}}
+
+        <pre class="highlight"><code>gpg --verify SHA256SUMS.asc</code></pre></li>
+
+      <li><p>{{page.check_gpg_output}}</p>
+        <ol><li><p>{{page.line_starts_with}} <code>gpg: {{page.localized_gpg_good_sig}}</code></p></li>
+          <li><p>{{page.complete_line_saying}} <code>{{page.localized_gpg_primary_fingerprint}} {{SIGNING_KEY_FINGERPRINT_EXPLODED}}</code></p></li>
+        </ol>
+
+        <p>{{page.gpg_trust_warning}}</p></li>
+
+    </ol>
+  </details>
+
+  <details>
+    <summary><strong>{{page.ubuntu_ppa_instructions}}</strong></summary>
+
+    <p>{{page.ubuntu_notice}}</p>
+
+    <blockquote>{{page.ubuntu_ppa_quote}}</blockquote>
+  </details>
+
+  <h2 style="text-align: center">{{page.build_reproduction}}</h2>
+
+  <p>{{page.additional_steps}}</p>
+
+  <ul>
+    <li><p><em>{{page.reproducible_builds}}</em> {{page.build_identical_binaries}}</p></li>
+
+    <li><p><em>{{page.verified_reproduction}}</em> {{page.independently_reproducing}}</p></li>
+  </ul>
+
+  <p>{{page.verifying_and_reproducing}} <a href="{{GITIAN_REPOSITORY_URL}}">{{page.gitian_repository}}</a>.</p>
+{% endif %}{% comment %}END VERSION > 1 CONTENT{% endcomment %}
+
+<hr>
+
+<p>{{ page.notelicense }}</p>
+
 <script type="text/javascript">
 var os = 'windows32';
 if (navigator.userAgent.indexOf('Mac') != -1) var os = 'mac'
diff --git a/_posts/en/pages/2017-01-01-download.md b/_posts/en/pages/2017-01-01-download.md
@@ -5,7 +5,7 @@ type: pages
 layout: page
 lang: en
 share: false
-version: 1
+version: 2
 
 ## These strings need to be localized.  In the listing below, the
 ## comment above each entry contains the English text.  The key before the
@@ -54,6 +54,91 @@ patient: "Check your bandwidth and space"
 # releasekeys: "Bitcoin Core Release Signing Keys"
 releasekeys: "Bitcoin Core Release Signing Keys"
 
+pgp_key_fingerprint: "PGP key fingerprint"
+verify_download: "Verify your download"
+verification_recommended: "Download verification is optional but highly recommended.  Click one of the lines below to view verification instructions for that platform."
+windows_instructions: "Windows verification instructions"
+macos_instructions: "MacOS verification instructions"
+linux_instructions: "Linux verification instructions (not for Ubuntu PPA)"
+ubuntu_ppa_instructions: "Ubuntu PPA verification instructions"
+download_release: "Click the link in the list above to download the release for your platform and wait for the file to finish downloading."
+download_checksums: "Download the list of cryptographic checksums:"
+cd_to_downloads: "Open a terminal (command line prompt) and Change Directory (cd) to the folder you use for downloads.  For example:"
+cd_example_linux: "cd Downloads/"
+cd_example_windows: >
+  cd %UserProfile%\Downloads
+
+verify_download_checksum: "Verify that the checksum of the release file is listed in the checksums file using the following command:"
+checksum_warning_and_ok: 'In the output produced by the above command, you can safely ignore any warnings and failures, but you must ensure the output lists "$(SHASUMS_OK)" after the name of the release file you downloaded.  For example:'
+obtain_release_key: "Obtain a copy of the release signing key by running the following command:"
+release_key_obtained: "The output of the command above should say that one key was imported, updated, has new signatures, or remained unchanged."
+verify_checksums_file: "Verify that the checksums file is PGP signed by the release signing key:"
+check_gpg_output: "Check the output from the above command for the following text:"
+line_starts_with: "A line that starts with:"
+complete_line_saying: "A complete line saying:"
+gpg_trust_warning: >
+  The output from the verify command may contain a warning that
+  the "key is not certified with a trusted signature." This means that
+  to fully verify your download, you need to ask people you trust to
+  confirm that the key fingerprint printed above belongs to the Bitcoin
+  Core Project's release signing key.
+
+localized_checksum_ok: "OK"
+localized_gpg_good_sig: "Good signature"
+localized_gpg_primary_fingerprint: "Primary key fingerprint:"
+
+install_gpg: "If you haven't previously installed GNU Privacy Guard (GPG) on your system, install it now.  See the"
+gpg_download_page: "GPG download page"
+
+ensure_checksum_matches: >
+  Ensure that the checksum produced by the command above matches one of
+  the checksums listed in the checksums file you downloaded earlier.  We
+  recommend that you check every character of the two checksums to
+  ensure they match.  You can see the checksums you downloaded by
+  running the following command:
+
+generate_checksum: "Run the following command to generate a checksum of the release file you downloaded.  Replace '$(FILE)' with the name of the file you actually downloaded."
+
+ubuntu_notice: >
+  Ubuntu PPAs are not built using the same reproducible method used for
+  the other Bitcoin Core packages listed on this page, so the Bitcoin
+  Core project does not have the information necessary to help you
+  verify the Bitcoin Core Ubuntu PPA packages.  This situation is also
+  described by the PPA itself:
+
+ubuntu_ppa_quote: >
+  "Note that you should prefer to use the official binaries, where
+  possible, to limit trust in Launchpad/the PPA owner."
+
+build_reproduction: "Additional verification with reproducible builds"
+additional_steps: >
+  Experienced users who don't mind performing additional steps can take
+  advantage of Bitcoin Core's reproducible builds and the signed
+  checksums generated by contributors who perform those builds.
+
+reproducible_builds: "Reproducible builds"
+build_identical_binaries: >
+  allow anyone with a copy of Bitcoin Core's MIT-licensed source code to
+  build identical binaries to those distributed on this website (meaning
+  the binaries will have the same cryptographic checksums as those
+  provided by this website).
+
+verified_reproduction: "Verified reproduction"
+independently_reproducing: >
+  is the result of multiple Bitcoin Core contributors each independently
+  reproducing identical binaries as described above.  These contributors
+  cryptographically sign and publish the checksums of the binaries they
+  generate.
+verifying_and_reproducing: >
+  Verifying that several contributors you trust all signed the same
+  checksums distributed in the release checksums file will provide you
+  with additional assurances over the preceding basic verification
+  instructions.  Alternatively, reproducing a binary for yourself will
+  provide you with the highest level of assurance currently available.
+  For more information, visit the project's repository of
+
+gitian_repository: "trusted build process signatures"
+
 
 ---
 
