
Commit 5c57c61

committed
Update binary verification instructions for multiple signers
1 parent 2aeaa47 commit 5c57c61

2 files changed

+74
-29
lines changed

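--- a/_includes/templates/download.html
+++ b/_includes/templates/download.html
@@ -8,8 +8,8 @@
 {% assign magnet = VERSION_SORTED_RELEASES[0].optional_magnetlink %}
 {% capture PATH_PREFIX %}/bin/bitcoin-core-{{CURRENT_RELEASE}}{% endcapture %}
 {% capture FILE_PREFIX %}bitcoin-{{CURRENT_RELEASE}}{% endcapture %}
-{% assign SIGNING_KEY_FINGERPRINT = "01EA5486DE18A882D4C2684590C8019E36C2E964" %}
-{% capture SIGNING_KEY_FINGERPRINT_EXPLODED %}{% include fingerprint-split.html hex=SIGNING_KEY_FINGERPRINT %}{% endcapture %}
+{% capture SIGNING_KEY_FINGERPRINT_EXPLODED %}{% include fingerprint-split.html hex=page.example_builder_key %}{% endcapture %}
+{% capture SHORT_BUILDER_KEY %}{{page.example_builder_key | slice: 0, 4}} {{ page.example_builder_key | slice: 4, 4 }}...{% endcapture %}
 {% assign GPG_DOWNLOAD_URL = "https://www.gnupg.org/download/index.en.html#binary" %}
 {% assign GPG_MACOS_DOWNLOAD_URL = "https://gpgtools.org/" %}
 {% assign GPG_WINDOWS_DOWNLOAD_URL = "https://gpg4win.org/download.html" %}
@@ -69,7 +69,8 @@ <h2>{{ page.latestversion }} {{CURRENT_RELEASE}} <a type="application/rss+xml" h
 </div>
 </div>
 <p class="downloadmore">
-<a href="{{ PATH_PREFIX }}/SHA256SUMS.asc" class="dl">{{ page.downloadsig }}</a><br>
+<a href="{{ PATH_PREFIX }}/SHA256SUMS" class="dl">{{ page.download_sha }}</a><br>
+<a href="{{ PATH_PREFIX }}/SHA256SUMS.asc" class="dl">{{ page.download_sig }}</a><br>
 <a href="{{ PATH_PREFIX }}/{{ FILE_PREFIX }}.torrent" class="dl">{{ page.downloadtorrent }}</a>
 {% if magnet %} <a href="{{ magnet | replace: '&', '\&amp;'}}" class="magnetlink" data-proofer-ignore></a>{% endif %}<br>
 <a href="{{ PATH_PREFIX }}/{{ FILE_PREFIX}}.tar.gz" class="dl">{{ page.source }}</a><br>
@@ -87,6 +88,10 @@ <h2>{{ page.latestversion }} {{CURRENT_RELEASE}} <a type="application/rss+xml" h
 <h2 style="text-align: center">{{ page.patient }}</h2>
 <p>{{ page.notesync | replace: '$(DATADIR_SIZE)', site.data.stats.datadir_gb | replace: '$(PRUNED_SIZE)', site.data.stats.pruned_gb | replace: '$(MONTHLY_RANGE_GB)', site.data.stats.monthly_storage_increase_range_gb }} {{ page.full_node_guide }}</p>
 
+
+<h2 style="text-align: center">{{ page.verify_title }}</h2>
+<p>{{ page.verify_steps }}</p>
+
 {% if page.version > 4 %}
 <h2 style="text-align: center" id="{{page.verify_download | slugify}}">{{page.verify_download}}</h2>
 <p>{{page.verification_recommended}}</p>
@@ -96,7 +101,9 @@ <h2 style="text-align: center" id="{{page.verify_download | slugify}}">{{page.ve
 <ol>
 <li><p>{{page.download_release}}</p></li>
 
-<li><p>{{page.download_checksums}} <a href="{{ PATH_PREFIX }}/SHA256SUMS.asc">SHA256SUMS.asc</a></p></li>
+<li><p>{{page.download_checksums}} <a href="{{ PATH_PREFIX }}/SHA256SUMS">SHA256SUMS</a></p></li>
+
+<li><p>{{page.download_checksums_sigs}} <a href="{{ PATH_PREFIX }}/SHA256SUMS.asc">SHA256SUMS.asc</a></p></li>
 
 <li><p>{{page.cd_to_downloads}}</p>
 
@@ -111,19 +118,21 @@ <h2 style="text-align: center" id="{{page.verify_download | slugify}}">{{page.ve
 
 <li><p>{{page.ensure_checksum_matches}}</p>
 
-<pre class="highlight"><code>type SHA256SUMS.asc</code></pre></li>
+<pre class="highlight"><code>type SHA256SUMS</code></pre></li>
 
 <li><p>{{page.install_gpg}} <a
 href="{{GPG_WINDOWS_DOWNLOAD_URL}}">{{page.gpg_download_page}}</a>
 {{page.gpg_download_other}}
 <a href="{{GPG_DOWNLOAD_URL}}">{{page.gpg_download_options}}</a></p></li>
 
-<li><p>{{page.obtain_release_key}}</p>
+<li><p>{{page.obtain_release_key | replace: '$(BUILDER_KEYS_URL)', page.builder_keys_url | replace: '$(EXAMPLE_BUILDERS_LINE)', page.example_builders_line}}</p>
 
-<pre class="highlight"><code>{{GPG}}{{site.strings.gpg_keyserver}} --recv-keys {{SIGNING_KEY_FINGERPRINT}}</code></pre>
+<pre class="highlight"><code>{{GPG}}{{site.strings.gpg_keyserver}} --recv-keys {{page.example_builder_key}}</code></pre>
 
 <p>{{page.release_key_obtained}}</p></li>
 
+<li><p>{{page.choosing_builders | replace: '$(BUILDER_KEYS_URL)', page.builder_keys_url }}</p></li>
+
 <li>{{page.verify_checksums_file}}
 
 <pre class="highlight"><code>{{GPG}} --verify SHA256SUMS.asc</code></pre></li>
@@ -133,7 +142,7 @@ <h2 style="text-align: center" id="{{page.verify_download | slugify}}">{{page.ve
 <li><p>{{page.complete_line_saying}} <code>{{page.localized_gpg_primary_fingerprint}} {{SIGNING_KEY_FINGERPRINT_EXPLODED}}</code></p></li>
 </ol>
 
-<p>{{page.gpg_trust_warning}}</p></li>
+<p>{{page.gpg_trust_warning | replace: '$(SHORT_BUILDER_KEY)', SHORT_BUILDER_KEY }}</p></li>
 
 </ol>
 </details>
@@ -143,7 +152,9 @@ <h2 style="text-align: center" id="{{page.verify_download | slugify}}">{{page.ve
 <ol>
 <li><p>{{page.download_release}}</p></li>
 
-<li><p>{{page.download_checksums}} <a href="{{ PATH_PREFIX }}/SHA256SUMS.asc">SHA256SUMS.asc</a></p></li>
+<li><p>{{page.download_checksums}} <a href="{{ PATH_PREFIX }}/SHA256SUMS">SHA256SUMS</a></p></li>
+
+<li><p>{{page.download_checksums_sigs}} <a href="{{ PATH_PREFIX }}/SHA256SUMS.asc">SHA256SUMS.asc</a></p></li>
 
 <li><p>{{page.cd_to_downloads}}</p>
 
@@ -153,7 +164,7 @@ <h2 style="text-align: center" id="{{page.verify_download | slugify}}">{{page.ve
 
 <li><p>{{page.verify_download_checksum}}</p>
 
-<pre class="highlight"><code>shasum -a 256 --check SHA256SUMS.asc</code></pre>
+<pre class="highlight"><code>shasum -a 256 --check SHA256SUMS</code></pre>
 
 <p>{{page.checksum_warning_and_ok | replace, "$(SHASUMS_OK)", page.localized_checksum_ok}} <code>{{FILE_PREFIX}}{{site.data.binaries.macdmg}}: {{page.localized_checksum_ok}}</code></p></li>
 
@@ -162,12 +173,14 @@ <h2 style="text-align: center" id="{{page.verify_download | slugify}}">{{page.ve
 {{page.gpg_download_other}}
 <a href="{{GPG_DOWNLOAD_URL}}">{{page.gpg_download_options}}</a></p></li>
 
-<li><p>{{page.obtain_release_key}}</p>
+<li><p>{{page.obtain_release_key | replace: '$(BUILDER_KEYS_URL)', page.builder_keys_url | replace: '$(EXAMPLE_BUILDERS_LINE)', page.example_builders_line}}</p>
 
-<pre class="highlight"><code>gpg{{site.strings.gpg_keyserver}} --recv-keys {{SIGNING_KEY_FINGERPRINT}}</code></pre>
+<pre class="highlight"><code>gpg{{site.strings.gpg_keyserver}} --recv-keys {{page.example_builder_key}}</code></pre>
 
 <p>{{page.release_key_obtained}}</p></li>
 
+<li><p>{{page.choosing_builders | replace: '$(BUILDER_KEYS_URL)', page.builder_keys_url }}</p></li>
+
 <li>{{page.verify_checksums_file}}
 
 <pre class="highlight"><code>gpg --verify SHA256SUMS.asc</code></pre></li>
@@ -177,7 +190,7 @@ <h2 style="text-align: center" id="{{page.verify_download | slugify}}">{{page.ve
 <li><p>{{page.complete_line_saying}} <code>{{page.localized_gpg_primary_fingerprint}} {{SIGNING_KEY_FINGERPRINT_EXPLODED}}</code></p></li>
 </ol>
 
-<p>{{page.gpg_trust_warning}}</p></li>
+<p>{{page.gpg_trust_warning | replace: '$(SHORT_BUILDER_KEY)', SHORT_BUILDER_KEY }}</p></li>
 </ol>
 </details>
 
@@ -186,7 +199,9 @@ <h2 style="text-align: center" id="{{page.verify_download | slugify}}">{{page.ve
 <ol>
 <li><p>{{page.download_release}}</p></li>
 
-<li><p>{{page.download_checksums}} <a href="{{ PATH_PREFIX }}/SHA256SUMS.asc">SHA256SUMS.asc</a></p></li>
+<li><p>{{page.download_checksums}} <a href="{{ PATH_PREFIX }}/SHA256SUMS">SHA256SUMS</a></p></li>
+
+<li><p>{{page.download_checksums_sigs}} <a href="{{ PATH_PREFIX }}/SHA256SUMS.asc">SHA256SUMS.asc</a></p></li>
 
 <li><p>{{page.cd_to_downloads}}</p>
 
@@ -196,16 +211,18 @@ <h2 style="text-align: center" id="{{page.verify_download | slugify}}">{{page.ve
 
 <li><p>{{page.verify_download_checksum}}</p>
 
-<pre class="highlight"><code>sha256sum --ignore-missing --check SHA256SUMS.asc</code></pre>
+<pre class="highlight"><code>sha256sum --ignore-missing --check SHA256SUMS</code></pre>
 
 <p>{{page.checksum_warning_and_ok | replace, "$(SHASUMS_OK)", page.localized_checksum_ok}} <code>{{FILE_PREFIX}}-{{site.data.binaries.lin64}}: {{page.localized_checksum_ok}}</code></p></li>
 
-<li><p>{{page.obtain_release_key}}</p>
+<li><p>{{page.obtain_release_key | replace: '$(BUILDER_KEYS_URL)', page.builder_keys_url | replace: '$(EXAMPLE_BUILDERS_LINE)', page.example_builders_line}}</p>
 
-<pre class="highlight"><code>gpg{{site.strings.gpg_keyserver}} --recv-keys {{SIGNING_KEY_FINGERPRINT}}</code></pre>
+<pre class="highlight"><code>gpg{{site.strings.gpg_keyserver}} --recv-keys {{page.example_builder_key}}</code></pre>
 
 <p>{{page.release_key_obtained}}</p></li>
 
+<li><p>{{page.choosing_builders | replace: '$(BUILDER_KEYS_URL)', page.builder_keys_url }}</p></li>
+
 <li>{{page.verify_checksums_file}}
 
 <pre class="highlight"><code>gpg --verify SHA256SUMS.asc</code></pre></li>
@@ -215,7 +232,7 @@ <h2 style="text-align: center" id="{{page.verify_download | slugify}}">{{page.ve
 <li><p>{{page.complete_line_saying}} <code>{{page.localized_gpg_primary_fingerprint}} {{SIGNING_KEY_FINGERPRINT_EXPLODED}}</code></p></li>
 </ol>
 
-<p>{{page.gpg_trust_warning}}</p></li>
+<p>{{page.gpg_trust_warning | replace: '$(SHORT_BUILDER_KEY)', SHORT_BUILDER_KEY }}</p></li>
 
 </ol>
 </details>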
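Review bot: The unchanged "complete line saying" step in each OS section still points the reader at one exact `Primary key fingerprint`, but `SIGNING_KEY_FINGERPRINT_EXPLODED` is now captured from `page.example_builder_key` (an example signer), while the new `choosing_builders` step tells the reader to import builder keys of their own choosing — a reader who did not import the example key will never see that line, and one who imported only it may take a single "Good signature" as complete verification. The new `SHORT_BUILDER_KEY` capture (`slice: 0, 4` / `slice: 4, 4`) fed into `gpg_trust_warning` compounds this by presenting an 8-hex prefix as the thing to match; a prefix match is not a fingerprint check, and the instructions should compare the full 40-hex fingerprint. I would reword the step so that, for every `Good signature` line, the full `Primary key fingerprint` must equal the `contrib/builder-keys` entry of a signer the reader chose, and show the example fingerprint in full rather than truncated; the wording lives in the `check_gpg_output` and `gpg_trust_warning` strings of the second file section, and the same template lines recur in the macOS and Linux sections below.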

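--- a/_posts/en/pages/2017-01-01-download.md
+++ b/_posts/en/pages/2017-01-01-download.md
@@ -4,7 +4,7 @@ permalink: /en/download/
 type: pages
 layout: page
 lang: en
-version: 4
+version: 5
 
 ## These strings need to be localized. In the listing below, the
 ## comment above each entry contains the English text. The key before the
@@ -21,8 +21,10 @@ latestversion: "Latest version:"
 download: "Download Bitcoin Core"
 # downloados: "Or choose your operating system"
 downloados: "Or choose your operating system"
-# downloadsig: "Verify release signatures"
-downloadsig: "Verify release signatures"
+# download_sha: "SHA256 binary hashes"
+download_sha: "SHA256 binary hashes"
+# download_sig: "SHA256 hash signatures"
+download_sig: "SHA256 hash signatures"
 # downloadtorrent: "Download torrent"
 downloadtorrent: "Download torrent"
 # source: "Source code"
@@ -62,25 +64,52 @@ linux_instructions: "Linux verification instructions"
 snap_instructions: "Snap package verification instructions"
 download_release: "Click the link in the list above to download the release for your platform and wait for the file to finish downloading."
 download_checksums: "Download the list of cryptographic checksums:"
+download_checksums_sigs: "Download the signatures attesting to validity of the checksums:"
 cd_to_downloads: "Open a terminal (command line prompt) and Change Directory (cd) to the folder you use for downloads. For example:"
 cd_example_linux: "cd Downloads/"
 cd_example_windows: >
 cd %UserProfile%\Downloads
 
 verify_download_checksum: "Verify that the checksum of the release file is listed in the checksums file using the following command:"
 checksum_warning_and_ok: 'In the output produced by the above command, you can safely ignore any warnings and failures, but you must ensure the output lists "$(SHASUMS_OK)" after the name of the release file you downloaded. For example:'
-obtain_release_key: "Obtain a copy of the release signing key by running the following command:"
+
+example_builder_key: "E777299FC265DD04793070EB944D35F9AC3DB76A"
+example_builders_line: "E777299FC265DD04793070EB944D35F9AC3DB76A Michael Ford (fanquake)"
+builder_keys_url: "https://github.com/bitcoin/bitcoin/tree/master/contrib/builder-keys"
+
+obtain_release_key: >
+Bitcoin releases are signed by a number of individuals, each with a unique public
+key. In order to recognize the validity of signatures, you must use GPG to load these
+public keys locally. You can find many developer keys listed in the <a
+href='$(BUILDER_KEYS_URL)'>bitcoin/bitcoin repository</a>, which you can then load
+into your GPG key database. For example, if you saw the line <pre
+class='highlight'><code>$(EXAMPLE_BUILDERS_LINE)</code></pre>you could load that key
+using this command:
+
+choosing_builders: >
+It is recommended that you choose a few individuals from this list who you find
+trustworthy and import their keys as above, or import all the keys per the
+instructions in the <a href="$(BUILDER_KEYS_URL)"><code>contrib/builder-key</code>
+README</a>. You will later use their keys to check the signature attesting to the
+validity of the checksums you use to check the binaries.
+
 release_key_obtained: "The output of the command above should say that one key was imported, updated, has new signatures, or remained unchanged."
+
 verify_checksums_file: "Verify that the checksums file is PGP signed by the release signing key:"
-check_gpg_output: "Check the output from the above command for the following text:"
+
+check_gpg_output: >
+The command above will output a series of signature checks for each of the public
+keys that signed the checksums. Each signature will show the following text:
+
 line_starts_with: "A line that starts with:"
 complete_line_saying: "A complete line saying:"
+
 gpg_trust_warning: >
-The output from the verify command may contain a warning that
-the "key is not certified with a trusted signature." This means that
-to fully verify your download, you need to ask people you trust to
-confirm that the key fingerprint printed above belongs to the Bitcoin
-Core Project's release signing key.
+The output from the verify command may contain warnings that the "key is not
+certified with a trusted signature." This means that to fully verify your download,
+you need to confirm that the signing key's fingerprint (e.g.
+<code>$(SHORT_BUILDER_KEY)</code>) listed in the second line above matches what
+you had expected for the signers public key.
 
 localized_checksum_ok: "OK"
 localized_gpg_good_sig: "Good signature"
@@ -140,4 +169,3 @@ key_refresh: "Refresh expired keys using:"
 ---
 
 {% include templates/download.html %}
-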