No Longer Signed by Release Signing Keys? #22982

issue Silvenga opened this issue on September 15, 2021
  1. Silvenga commented at 1:30 PM on September 15, 2021: none

    Expected behavior

    I might be slightly dense this morning. I noted when updating docker images that there doesn't appear to be a signature from 90C8019E36C2E964 for 22.0. I would expect a signature from this key (or a confirmation that this was done on purpose since this is causing some confusion).

    Actual behavior

    No signature by the published release key.

    To reproduce

    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 01EA5486DE18A882D4C2684590C8019E36C2E964
gpg --verify SHA256SUMS.asc

    Returns:

    gpg: key 90C8019E36C2E964: public key "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

    gpg: assuming signed data in 'SHA256SUMS'
gpg: Signature made Fri Sep 10 06:29:17 2021 CDT
gpg:                using RSA key 0CCBAAFD76A2ECE2CCD3141DE2FFD5B1D88CA97D
gpg: Can't check signature: No public key
gpg: Signature made Thu Sep  9 15:09:04 2021 CDT
gpg:                using RSA key 152812300785C96444D3334D17565732E08E5E41
gpg:                issuer "achow101@gmail.com"
gpg: Can't check signature: No public key
gpg: Signature made Thu Sep  9 15:16:18 2021 CDT
gpg:                using RSA key 0AD83877C1F0CD1EE9BD660AD7CC770B81FD22A8
gpg:                issuer "benthecarman@live.com"
gpg: Can't check signature: No public key
gpg: Signature made Fri Sep 10 08:00:35 2021 CDT
gpg:                using RSA key 590B7292695AFFA5B672CBB2E13FC145CD3F4304
gpg:                issuer "darosior@protonmail.com"
gpg: Can't check signature: No public key
gpg: Signature made Thu Sep  9 15:54:01 2021 CDT
gpg:                using RSA key 28F5900B1BB5D1A4B6B6D1A9ED357015286A333D
gpg: Can't check signature: No public key
gpg: Signature made Fri Sep 10 09:26:03 2021 CDT
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Can't check signature: No public key
gpg: Signature made Thu Sep  9 20:04:14 2021 CDT
gpg:                using RSA key CFB16E21C950F67FA95E558F2EEB9F5CC09526C1
gpg:                issuer "fanquake@gmail.com"
gpg: Can't check signature: No public key
gpg: Signature made Fri Sep 10 03:03:16 2021 CDT
gpg:                using RSA key 6E01EEC9656903B0542B8F1003DB6322267C373B
gpg:                issuer "gugger@gmail.com"
gpg: Can't check signature: No public key
gpg: Signature made Thu Sep  9 15:07:53 2021 CDT
gpg:                using RSA key D1DBF2C4B96F2DEBF4C16654410108112E7EA81F
gpg:                issuer "hebasto@gmail.com"
gpg: Can't check signature: No public key
gpg: Signature made Fri Sep 10 02:14:14 2021 CDT
gpg:                using RSA key 82921A4B88FD454B7EB8CE3C796C4109063D4EAF
gpg:                issuer "jon@atack.com"
gpg: Can't check signature: No public key
gpg: Signature made Fri Sep 10 12:33:30 2021 CDT
gpg:                using RSA key 9DEAE0DC7063249FB05474681E4AED62986CD25D
gpg: Can't check signature: No public key
gpg: Signature made Thu Sep  9 15:22:36 2021 CDT
gpg:                using RSA key 9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C
gpg:                issuer "aaron@sipsorcery.com"
gpg: Can't check signature: No public key
gpg: Signature made Fri Sep 10 04:59:33 2021 CDT
gpg:                using RSA key 74E2DEF5D77260B98BC19438099BAD163C70FBFA
gpg:                issuer "will8clark@gmail.com"
gpg: Can't check signature: No public key

    System information

    22.0

  2. Silvenga added the label Bug on Sep 15, 2021
  3. Silvenga commented at 2:03 PM on September 15, 2021: none

    jon@atack.com also doesn't appear to have a GPG key published anywhere to verify against. I don't believe GPG can return success with this new combined set of detached signatures in an automated way - without pulling out signatures.

  4. jonatack commented at 3:03 PM on September 15, 2021: member

    Hi @Silvenga, IIUC that key is no longer used starting with v22.0. There was a related issue https://github.com/bitcoin-core/bitcoincore.org/issues/793 that might be helpful, along with discussion on #bitcoin-core-dev IRC yesterday (https://www.erisian.com.au/bitcoin-core-dev/log-2021-09-14.html).

    My keys are at https://keys.openpgp.org/search?q=jon%40atack.com.

    Maybe see also the two files in https://github.com/bitcoin/bitcoin/tree/master/contrib/builder-keys.

  5. jonatack commented at 3:05 PM on September 15, 2021: member

    (Good to see that people are verifying!)

  6. Silvenga commented at 3:21 PM on September 15, 2021: none

    Prefect! Thanks for the confirmation!

    And thanks for https://keys.openpgp.org/search?q=jon%40atack.com - I didn't see your key on any of the standard key servers (and they should all sync to each other right?). I've added keys.openpgp.org to my key server list to attempt to get keys from (since it doesn't seem to talk with MIT's or Canonical's key servers) - and that one does give back your key.

  7. Silvenga closed this on Sep 15, 2021
  8. Silvenga commented at 3:26 PM on September 15, 2021: none

    For anyone coming from Google:

    Turns out opengpg.org might return incomplete data for some of these pub keys, asking keyserver.ubuntu.com for the keys, then keys.openpgp.org (for any keys that fail with keyserver.ubuntu.com) is my current working solution.

  9. DrahtBot locked this on Oct 30, 2022
Contributors
Silvengajonatack
Labels
Bug
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-29 03:14 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me