Bitcoin Core release signature verification

Before you can verify the Bitcoin Core release signature you need to perform two steps:

  • Obtain the release you want to use and the corresponding signature file
  • Obtain the key the release was signed with

Obtain the release

Download the official tarball release:

wget https://bitcoin.org/bin/bitcoin-core-0.10.0/bitcoin-0.10.0.tar.gz

You can find the latest source code release tarball here.

Download the file containing the signature over the list of hashes calculated for all files included in the release:

wget https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc

Obtain the key

Every release is signed by one of the core developers. You can find their public keys here. The release in this example was signed by Wladimir J. van der Laan.

Download and import Wladimir’s public key:

wget https://bitcoin.org/laanwj.asc
gpg --import laanwj.asc

Once imported, the key can be used to verify the signature.

Signature verification

With these two steps done, you are ready to verify the tarball. The validation is again a two-step process.

1. Verify the cryptographic signature of the SHA256SUMS.asc file containing the set of hashes.

gpg --verify SHA256SUMS.asc

If the signature is valid, the output should say “Good signature”:

gpg: Signature made Mon 16 Feb 2015 08:38:00 AM CET using RSA key ID 2346C9A6
gpg: Good signature from "Wladimir J. van der Laan <laanwj@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6

Open the SHA256SUMS.asc file and locate the name of the tarball file you downloaded and the corresponding hash value. You now know the correct hash value of your bitcoin-0.10.0.tar.gz tarball:

a516cf6d9f58a117607148405334b35d3178df1ba1c59229609d2bcd08d30624

2. Calculate the SHA-256 hash over the downloaded tarball:

sha256sum bitcoin-0.10.0.tar.gz

Compare the result with the validated hash value listed in the verified SHA256SUMS.asc file. If the hash values are the same, you can be sure the tarball you downloaded was not tampered with and that it was signed by one of the Bitcoin Core developers.
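
The two verification steps above as one script. This is an added example, not part of the original guide or of Bitcoin Core: it pins the primary key fingerprint printed in the gpg output above and looks up the hash only in the text the signature actually covers. The function names and the use of gpg's --status-fd output are choices made for this example.

```sh
#!/bin/sh
# Added example, not from the original guide. PINNED_FPR is the primary key
# fingerprint shown in the gpg output above, written without spaces.
PINNED_FPR=71A3B16735405025D447E8F274810B012346C9A6

# Succeed only if the GnuPG status lines on stdin contain a VALIDSIG whose last
# field (the primary key fingerprint) equals $1 and no REVKEYSIG (revoked key).
signed_by() (
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF "") == (want "") { ok = 1 }
        $1 == "[GNUPG:]" && $2 == "REVKEYSIG" { bad = 1 }
        END { exit !(ok && !bad) }'
)

# Print the SHA-256 listed for file name $1 in the hash list on stdin.
# Fails unless exactly one well-formed entry names that file.
listed_hash() (
    awk -v name="$1" '
        { f = $2; sub(/^\*/, "", f) }   # sha256sum marks binary mode with "*"
        f == name && length($1) == 64 && $1 ~ /^[0-9a-f]+$/ { hash = $1; n++ }
        END { if (n != 1) exit 1; print hash }'
)

# Compare file $1 against its entry in the hash list on stdin.
file_matches() (
    want=$(listed_hash "$(basename "$1")") || exit 1
    have=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$want" = "$have" ]
)

# verify_release SHA256SUMS.asc TARBALL
verify_release() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    # --decrypt on a clearsigned file emits only the text the signature covers,
    # so lines added outside the signed block never reach the hash lookup.
    gpg --batch --status-fd 3 --decrypt "$1" \
        >"$tmp/signed" 3>"$tmp/status" 2>/dev/null || exit 1
    signed_by "$PINNED_FPR" <"$tmp/status" || exit 1
    file_matches "$2" <"$tmp/signed"
)

if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```

Run it with the signature file and the tarball as its two arguments; an exit status of 0 means both the signature check and the hash comparison passed.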