Before you can verify the Bitcoin Core release signature you need to perform two steps:
- Obtain the release you want to use and the corresponding signature file
- Obtain the key the release was signed with
Obtain the release
Download the official tarball release:
You can find the latest source code release tarball here.
Download the file containing the signature over the list of hashes calculated for all files included into the release:
Obtain the key
Every release is signed by one of the core developers. You can find their public keys here. The release in this example was signed by Wladimir J. van der Laan.
Download and import Wladimir’s public key:
gpg --import laanwj.asc
Once imported it can be used to verify the signature.
Having these two steps out of your way you are now ready to verify the tarball. The validation is again a two step process.
1. Verify cryptographic signature of the
SHA256SUMS.asc file containing the set of hashes.
gpg --verify SHA256SUMS.asc
If the signature is valid the output should say “Good signature”:
gpg: Signature made Mon 16 Feb 2015 08:38:00 AM CET using RSA key ID 2346C9A6
gpg: Good signature from "Wladimir J. van der Laan <email@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6
SHA256SUMS.asc file and locate the name of the tarball file you downloaded and corresponding hash value. You are now sure what the correct hash value of your
bitcoin-0.10.0.tar.gz tarball is:
2. Calculate the SHA-256 hash over downloaded tarball:
Compare the result with the validated hash value listed in the verified
SHA256SUMS.asc file. If the hash values are the same you are sure the tarball you have downloaded was not tampered with and it was signed by one of the Bitcoin core developers.