Merge #549: Downloads: add binary verification instructions

37dbc30 Download: link directly to installable GPG suits for Mac & Win (David A. Harding)
0387192 Downloads: add binary verification instructions (David A. Harding)
fcb86e9 CSS: remove 'summary' tag from special block formatting (David A. Harding)
76e7161 Stats: increase block chain size to 210 GiB (David A. Harding)

Pull request description:

  Closes #544

  Preview: http://dg3.dtrt.org/en/download/
  **Note:** files in the /bin/ directory are not available on the above preview site; that's expected since they're not part of the repository.  To test this PR, download the necessary binary file and SHA256SUMS file from the real https://bitcoincore.org/en/download/

  This PR adds instructions to the *Download* page for verifying Bitcoin Core binaries on Windows, MacOS, and Linux.  Also included are a short note about why we can't provide instructions for verifying the Ubuntu PPA[1] and a brief overview of additional verification that can be done through looking at the Gitian sigs or reproducing a build yourself.

  I believe the Linux instructions are correct.  Windows or MacOS need testing as I don't have either system available for testing and so I based by instructions on random StackExchange answers and documentation from other projects (Tor having [the best I found](https://www.torproject.org/docs/verifying-signatures.html.en)).

  The instructions are gated by an if statement that only displays them on translations that have updated to support the required strings (this is only English in this PR, so they don't display on the Japanese translation for now).

  [1] From my research, it seems that the GPG key that signs the PPA package belongs to the Ubuntu infrastructure, not the package maintainer, so I don't see any probative value in authenticating it. And that problem is in addition to the packages not being built reproducibly through Gitian, so I decided to give up on providing any instructions for PPA package verification.  If anyone knows a way to get stronger package authentication for PPA users, let me know.

Tree-SHA512: 14834ea23304ac049268a480cb02e670318d2bc48f0079ca3a8c882ef9277fd4287f562c7db533a666ef0149630d56b937c46e819866bf81ec0a754510c096d9

Author: harding

_data/stats.yml

@@ -1,7 +1,7 @@
 ## Size of the Bitcoin Core data directory running with default settings.
 ## Suggest rounding up by about 10% so it doesn't need to be updated
 ## too often.
-datadir_gb: "180"
+datadir_gb: "210"
 
 ## Size of the datadir with the maximum allowed pruning enabled.
 ## Suggest rounding up a little bit to give room for growth in the UTXO

_includes/templates/download.html

@@ -1,13 +1,19 @@
 {% capture /dev/null %}<!-- suppress render of this part -->
 <!-- Copyright 2013 - 2016 The Bitcoin.org Project.
-     Copyright 2017 The BitcoinCore.org Project
+     Copyright 2017 - 2018 The BitcoinCore.org Project
      This file is licensed under the MIT License (MIT) available on
      http://opensource.org/licenses/MIT. -->
 {% assign VERSION_SORTED_RELEASES = site.releases | sort: 'release' | reverse %}
 {% capture CURRENT_RELEASE %}{% for subver in VERSION_SORTED_RELEASES[0].release %}{{subver}}{% unless forloop.last %}.{% endunless %}{% endfor %}{% endcapture %}
 {% assign magnet = VERSION_SORTED_RELEASES[0].optional_magnetlink %}
 {% capture PATH_PREFIX %}/bin/bitcoin-core-{{CURRENT_RELEASE}}{% endcapture %}
 {% capture FILE_PREFIX %}bitcoin-{{CURRENT_RELEASE}}{% endcapture %}
+{% assign SIGNING_KEY_FINGERPRINT = "01EA5486DE18A882D4C2684590C8019E36C2E964" %}
+{% capture SIGNING_KEY_FINGERPRINT_EXPLODED %}{% include fingerprint-split.html hex=SIGNING_KEY_FINGERPRINT %}{% endcapture %}
+{% assign GPG_DOWNLOAD_URL = "https://www.gnupg.org/download/index.en.html#binary" %}
+{% assign GPG_MACOS_DOWNLOAD_URL = "https://gpgtools.org/" %}
+{% assign GPG_WINDOWS_DOWNLOAD_URL = "https://gpg4win.org/download.html" %}
+{% assign GITIAN_REPOSITORY_URL = "https://github.com/bitcoin-core/gitian.sigs" %}
 {% endcapture %}
 <link rel="alternate" type="application/rss+xml" href="/en/releasesrss.xml" title="Bitcoin Core releases">
 <div class="download">
@@ -74,14 +80,173 @@ <h2>{{ page.latestversion }} {{CURRENT_RELEASE}} <a type="application/rss+xml" h
     </p>
     <p class="downloadkeys">
       <span>{{ page.releasekeys }}</span>
-      <a href="/keys/laanwj-releases.asc">v0.11.0+</a>
+      <a href="/keys/laanwj-releases.asc">v0.11.0+</a> <code title="{{page.pgp_key_fingerprint}}">{{SIGNING_KEY_FINGERPRINT}}</code>
     </p>
   </div>
 
-  <h2><img src="/assets/images/icons/note.svg" class="warningicon" alt="note">{{ page.patient }}</h2>
-  <p>{{ page.notesync | replace: '$(DATADIR_SIZE)', site.data.stats.datadir_gb | replace: '$(PRUNED_SIZE)', site.data.stats.pruned_gb | replace: '$(MONTHLY_RANGE_GB)', site.data.stats.monthly_storage_increase_range_gb }} {{ page.full_node_guide }}</p>
-  <p>{{ page.notelicense }}</p>
 </div>
+
+  <h2 style="text-align: center">{{ page.patient }}</h2>
+  <p>{{ page.notesync | replace: '$(DATADIR_SIZE)', site.data.stats.datadir_gb | replace: '$(PRUNED_SIZE)', site.data.stats.pruned_gb | replace: '$(MONTHLY_RANGE_GB)', site.data.stats.monthly_storage_increase_range_gb }} {{ page.full_node_guide }}</p>
+
+{% if page.version > 1 %}
+  <h2 style="text-align: center">{{page.verify_download}}</h2>
+  <p>{{page.verification_recommended}}</p>
+  <details>
+  {% assign GPG = "C:\Program Files\Gnu\GnuPg\gpg.exe" %}
+    <summary><strong>{{page.windows_instructions}}</strong></summary>
+    <ol>
+      <li><p>{{page.download_release}}</p></li>
+
+      <li><p>{{page.download_checksums}} <a href="{{ PATH_PREFIX }}/SHA256SUMS.asc">SHA256SUMS.asc</a></p></li>
+
+      <li><p>{{page.cd_to_downloads}}</p>
+
+        <pre class="highlight"><code>{{page.cd_example_windows}}</code></pre>
+
+        </li>
+
+      {% capture windows_example_binary %}{{FILE_PREFIX}}-{{site.data.binaries.win64exe}}{% endcapture %}
+      <li><p>{{page.generate_checksum | replace: "$(FILE)", windows_example_binary}}</p>
+
+        <pre class="highlight"><code>certUtil -hashfile {{windows_example_binary}} SHA256</code></pre></li>
+
+      <li><p>{{page.ensure_checksum_matches}}</p>
+
+        <pre class="highlight"><code>type SHA256SUMS.asc</code></pre></li>
+
+      <li><p>{{page.install_gpg}} <a
+      href="{{GPG_WINDOWS_DOWNLOAD_URL}}">{{page.gpg_download_page}}</a>
+      {{page.gpg_download_other}}
+      <a href="{{GPG_DOWNLOAD_URL}}">{{page.gpg_download_options}}</a></p></li>
+
+      <li><p>{{page.obtain_release_key}}</p>
+
+        <pre class="highlight"><code>{{GPG}} --recv-keys {{SIGNING_KEY_FINGERPRINT}}</code></pre>
+
+        <p>{{page.release_key_obtained}}</p></li>
+
+      <li>{{page.verify_checksums_file}}
+
+        <pre class="highlight"><code>{{GPG}} --verify SHA256SUMS.asc</code></pre></li>
+
+      <li><p>{{page.check_gpg_output}}</p>
+        <ol><li><p>{{page.line_starts_with}} <code>gpg: {{page.localized_gpg_good_sig}}</code></p></li>
+          <li><p>{{page.complete_line_saying}} <code>{{page.localized_gpg_primary_fingerprint}} {{SIGNING_KEY_FINGERPRINT_EXPLODED}}</code></p></li>
+        </ol>
+
+        <p>{{page.gpg_trust_warning}}</p></li>
+
+    </ol>
+  </details>
+  <details>
+    {% assign GPG = "gpg" %}
+    <summary><strong>{{page.macos_instructions}}</strong></summary>
+    <ol>
+      <li><p>{{page.download_release}}</p></li>
+
+      <li><p>{{page.download_checksums}} <a href="{{ PATH_PREFIX }}/SHA256SUMS.asc">SHA256SUMS.asc</a></p></li>
+
+      <li><p>{{page.cd_to_downloads}}</p>
+
+        <pre class="highlight"><code>{{page.cd_example_linux}}</code></pre>
+
+        </li>
+
+      <li><p>{{page.verify_download_checksum}}</p>
+
+        <pre class="highlight"><code>shasum -a 256 --check SHA256SUMS.asc</code></pre>
+
+        <p>{{page.checksum_warning_and_ok | replace, "$(SHASUMS_OK)", page.localized_checksum_ok}} <code>{{FILE_PREFIX}}{{site.data.binaries.macdmg}}: {{page.localized_checksum_ok}}</code></p></li>
+
+      <li><p>{{page.install_gpg}} <a
+      href="{{GPG_MACOS_DOWNLOAD_URL}}">{{page.gpg_download_page}}</a>
+      {{page.gpg_download_other}}
+      <a href="{{GPG_DOWNLOAD_URL}}">{{page.gpg_download_options}}</a></p></li>
+
+      <li><p>{{page.obtain_release_key}}</p>
+
+        <pre class="highlight"><code>gpg --recv-keys {{SIGNING_KEY_FINGERPRINT}}</code></pre>
+
+        <p>{{page.release_key_obtained}}</p></li>
+
+      <li>{{page.verify_checksums_file}}
+
+        <pre class="highlight"><code>gpg --verify SHA256SUMS.asc</code></pre></li>
+
+      <li><p>{{page.check_gpg_output}}</p>
+        <ol><li><p>{{page.line_starts_with}} <code>gpg: {{page.localized_gpg_good_sig}}</code></p></li>
+          <li><p>{{page.complete_line_saying}} <code>{{page.localized_gpg_primary_fingerprint}} {{SIGNING_KEY_FINGERPRINT_EXPLODED}}</code></p></li>
+        </ol>
+
+        <p>{{page.gpg_trust_warning}}</p></li>
+    </ol>
+  </details>
+
+  <details>
+    <summary><strong>{{page.linux_instructions}}</strong></summary>
+    <ol>
+      <li><p>{{page.download_release}}</p></li>
+
+      <li><p>{{page.download_checksums}} <a href="{{ PATH_PREFIX }}/SHA256SUMS.asc">SHA256SUMS.asc</a></p></li>
+
+      <li><p>{{page.cd_to_downloads}}</p>
+
+        <pre class="highlight"><code>{{page.cd_example_linux}}</code></pre>
+
+        </li>
+
+      <li><p>{{page.verify_download_checksum}}</p>
+
+        <pre class="highlight"><code>sha256sum --ignore-missing --check SHA256SUMS.asc</code></pre>
+
+        <p>{{page.checksum_warning_and_ok | replace, "$(SHASUMS_OK)", page.localized_checksum_ok}} <code>{{FILE_PREFIX}}-{{site.data.binaries.lin64}}: {{page.localized_checksum_ok}}</code></p></li>
+
+      <li><p>{{page.obtain_release_key}}</p>
+
+        <pre class="highlight"><code>gpg --recv-keys {{SIGNING_KEY_FINGERPRINT}}</code></pre>
+
+        <p>{{page.release_key_obtained}}</p></li>
+
+      <li>{{page.verify_checksums_file}}
+
+        <pre class="highlight"><code>gpg --verify SHA256SUMS.asc</code></pre></li>
+
+      <li><p>{{page.check_gpg_output}}</p>
+        <ol><li><p>{{page.line_starts_with}} <code>gpg: {{page.localized_gpg_good_sig}}</code></p></li>
+          <li><p>{{page.complete_line_saying}} <code>{{page.localized_gpg_primary_fingerprint}} {{SIGNING_KEY_FINGERPRINT_EXPLODED}}</code></p></li>
+        </ol>
+
+        <p>{{page.gpg_trust_warning}}</p></li>
+
+    </ol>
+  </details>
+
+  <details>
+    <summary><strong>{{page.ubuntu_ppa_instructions}}</strong></summary>
+
+    <p>{{page.ubuntu_notice}}</p>
+
+    <blockquote>{{page.ubuntu_ppa_quote}}</blockquote>
+  </details>
+
+  <h2 style="text-align: center">{{page.build_reproduction}}</h2>
+
+  <p>{{page.additional_steps}}</p>
+
+  <ul>
+    <li><p><em>{{page.reproducible_builds}}</em> {{page.build_identical_binaries}}</p></li>
+
+    <li><p><em>{{page.verified_reproduction}}</em> {{page.independently_reproducing}}</p></li>
+  </ul>
+
+  <p>{{page.verifying_and_reproducing}} <a href="{{GITIAN_REPOSITORY_URL}}">{{page.gitian_repository}}</a>.</p>
+{% endif %}{% comment %}END VERSION > 1 CONTENT{% endcomment %}
+
+<hr>
+
+<p>{{ page.notelicense }}</p>
+
 <script type="text/javascript">
 var os = 'windows32';
 if (navigator.userAgent.indexOf('Mac') != -1) var os = 'mac'

_posts/en/pages/2017-01-01-download.md

@@ -5,7 +5,7 @@ type: pages
 layout: page
 lang: en
 share: false
-version: 1
+version: 2
 
 ## These strings need to be localized.  In the listing below, the
 ## comment above each entry contains the English text.  The key before the
@@ -54,6 +54,93 @@ patient: "Check your bandwidth and space"
 # releasekeys: "Bitcoin Core Release Signing Keys"
 releasekeys: "Bitcoin Core Release Signing Keys"
 
+pgp_key_fingerprint: "PGP key fingerprint"
+verify_download: "Verify your download"
+verification_recommended: "Download verification is optional but highly recommended.  Click one of the lines below to view verification instructions for that platform."
+windows_instructions: "Windows verification instructions"
+macos_instructions: "MacOS verification instructions"
+linux_instructions: "Linux verification instructions (not for Ubuntu PPA)"
+ubuntu_ppa_instructions: "Ubuntu PPA verification instructions"
+download_release: "Click the link in the list above to download the release for your platform and wait for the file to finish downloading."
+download_checksums: "Download the list of cryptographic checksums:"
+cd_to_downloads: "Open a terminal (command line prompt) and Change Directory (cd) to the folder you use for downloads.  For example:"
+cd_example_linux: "cd Downloads/"
+cd_example_windows: >
+  cd %UserProfile%\Downloads
+
+verify_download_checksum: "Verify that the checksum of the release file is listed in the checksums file using the following command:"
+checksum_warning_and_ok: 'In the output produced by the above command, you can safely ignore any warnings and failures, but you must ensure the output lists "$(SHASUMS_OK)" after the name of the release file you downloaded.  For example:'
+obtain_release_key: "Obtain a copy of the release signing key by running the following command:"
+release_key_obtained: "The output of the command above should say that one key was imported, updated, has new signatures, or remained unchanged."
+verify_checksums_file: "Verify that the checksums file is PGP signed by the release signing key:"
+check_gpg_output: "Check the output from the above command for the following text:"
+line_starts_with: "A line that starts with:"
+complete_line_saying: "A complete line saying:"
+gpg_trust_warning: >
+  The output from the verify command may contain a warning that
+  the "key is not certified with a trusted signature." This means that
+  to fully verify your download, you need to ask people you trust to
+  confirm that the key fingerprint printed above belongs to the Bitcoin
+  Core Project's release signing key.
+
+localized_checksum_ok: "OK"
+localized_gpg_good_sig: "Good signature"
+localized_gpg_primary_fingerprint: "Primary key fingerprint:"
+
+install_gpg: "If you haven't previously installed GNU Privacy Guard (GPG) on your system,"
+gpg_download_page: "install it now"
+gpg_download_other: "or see other installation"
+gpg_download_options: "options."
+
+ensure_checksum_matches: >
+  Ensure that the checksum produced by the command above matches one of
+  the checksums listed in the checksums file you downloaded earlier.  We
+  recommend that you check every character of the two checksums to
+  ensure they match.  You can see the checksums you downloaded by
+  running the following command:
+
+generate_checksum: "Run the following command to generate a checksum of the release file you downloaded.  Replace '$(FILE)' with the name of the file you actually downloaded."
+
+ubuntu_notice: >
+  Ubuntu PPAs are not built using the same reproducible method used for
+  the other Bitcoin Core packages listed on this page, so the Bitcoin
+  Core project does not have the information necessary to help you
+  verify the Bitcoin Core Ubuntu PPA packages.  This situation is also
+  described by the PPA itself:
+
+ubuntu_ppa_quote: >
+  "Note that you should prefer to use the official binaries, where
+  possible, to limit trust in Launchpad/the PPA owner."
+
+build_reproduction: "Additional verification with reproducible builds"
+additional_steps: >
+  Experienced users who don't mind performing additional steps can take
+  advantage of Bitcoin Core's reproducible builds and the signed
+  checksums generated by contributors who perform those builds.
+
+reproducible_builds: "Reproducible builds"
+build_identical_binaries: >
+  allow anyone with a copy of Bitcoin Core's MIT-licensed source code to
+  build identical binaries to those distributed on this website (meaning
+  the binaries will have the same cryptographic checksums as those
+  provided by this website).
+
+verified_reproduction: "Verified reproduction"
+independently_reproducing: >
+  is the result of multiple Bitcoin Core contributors each independently
+  reproducing identical binaries as described above.  These contributors
+  cryptographically sign and publish the checksums of the binaries they
+  generate.
+verifying_and_reproducing: >
+  Verifying that several contributors you trust all signed the same
+  checksums distributed in the release checksums file will provide you
+  with additional assurances over the preceding basic verification
+  instructions.  Alternatively, reproducing a binary for yourself will
+  provide you with the highest level of assurance currently available.
+  For more information, visit the project's repository of
+
+gitian_repository: "trusted build process signatures"
+
 
 ---
 

_sass/normalize.scss

@@ -18,8 +18,7 @@ header,
 hgroup,
 main,
 nav,
-section,
-summary {
+section {
     display: block;
 }