SHA256SUMS not signed by laanwj #23039

issue petjal opened this issue on September 20, 2021
  1. petjal commented at 2:55 AM on September 20, 2021: none

    As instructed here: https://bitcoincore.org/en/download/

    the releases (SHA256SUMS file) should be signed by laanwj (01EA5486DE18A882D4C2684590C8019E36C2E964).

    pi@raspberrypi $ gpg --keyserver hkp://keyserver.ubuntu.com --refresh-keys
    ...
    gpg: Total number processed: 254
    gpg:              unchanged: 174
    gpg:           new user IDs: 45
    gpg:            new subkeys: 64
    gpg:         new signatures: 1099
    
    pi@raspberrypi $ gpg --list-keys 01EA5486DE18A882D4C2684590C8019E36C2E964
    pub   rsa4096 2015-06-24 [SC] [expires: 2022-02-10]
          01EA5486DE18A882D4C2684590C8019E36C2E964
    uid           [ unknown] Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>
    
    pi@raspberrypi $ sha256sum bitcoin-22.0-x86_64-linux-gnu.tar.gz
    59ebd25dd82a51638b7a6bb914586201e67db67b919b2a1ff08925a7936d1b16  bitcoin-22.0-x86_64-linux-gnu.tar.gz
    
    pi@raspberrypi $ grep 59ebd25dd82a51638b7a6bb914586201e67db67b919b2a1ff08925a7936d1b16  SHA256SUMS
    59ebd25dd82a51638b7a6bb914586201e67db67b919b2a1ff08925a7936d1b16  bitcoin-22.0-x86_64-linux-gnu.tar.gz
    
    pi@raspberrypi $ gpg --verify SHA256SUMS.asc SHA256SUMS 2>&1 | grep -i -e 01EA5486DE18A882D4C2684590C8019E36C2E964 -e laanwj@gmail.com -e 0CCBAAFD76A2ECE2CCD3141DE2FFD5B1D88CA97D
    gpg:                using RSA key 0CCBAAFD76A2ECE2CCD3141DE2FFD5B1D88CA97D
    

    Expected behavior

    I expected to see laanwj's key id or email address in the output of the gpg verification of SHA256SUMS.asc.

    Actual behavior

    The laanwj key was not indicated as having signed SHA256SUMS.asc (I added the other key id 0CCBAAFD76A2ECE2CCD3141DE2FFD5B1D88CA97D as a test).

    To reproduce

    gpg --keyserver hkp://keyserver.ubuntu.com --refresh-keys
    gpg --list-keys 01EA5486DE18A882D4C2684590C8019E36C2E964
    wget https://bitcoincore.org/bin/bitcoin-core-22.0/bitcoin-22.0-x86_64-linux-gnu.tar.gz
    sha256sum bitcoin-22.0-x86_64-linux-gnu.tar.gz
    wget https://bitcoincore.org/bin/bitcoin-core-22.0/SHA256SUMS.asc
    wget https://bitcoincore.org/bin/bitcoin-core-22.0/SHA256SUMS
    gpg --verify SHA256SUMS.asc SHA256SUMS 2>&1 | grep -i -e 01EA5486DE18A882D4C2684590C8019E36C2E964 -e laanwj@gmail.com -e 0CCBAAFD76A2ECE2CCD3141DE2FFD5B1D88CA97D
    

    System information

    bitcoin-22.0-x86_64-linux-gnu

    wget https://bitcoincore.org/bin/bitcoin-core-22.0/SHA256SUMS.asc

    raspberry pi

    not gui related

  2. petjal added the label Bug on Sep 20, 2021
  3. petjal renamed this:
    bitcoin-22.0-x86_64-linux-gnu.tar.gz not signed by laanwj
    SHA256SUMS not signed by laanwj
    on Sep 20, 2021
  4. petjal commented at 4:02 AM on September 20, 2021: none

    ah, I see what happened now... checking how 0.21.1 was done:

    pi@raspberrypi:~/dev/bitcoin/bitcoin_org_wallet/0.21.1 $ wget https://bitcoincore.org/bin/bitcoin-core-0.21.1/SHA256SUMS.asc
    --2021-09-20 04:00:44--  https://bitcoincore.org/bin/bitcoin-core-0.21.1/SHA256SUMS.asc
    Resolving bitcoincore.org (bitcoincore.org)... 198.251.83.116, 107.191.99.5
    Connecting to bitcoincore.org (bitcoincore.org)|198.251.83.116|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1778 (1.7K) [application/octet-stream]
    Saving to: ‘SHA256SUMS.asc.1’
    
    SHA256SUMS.asc.1                                100%[======================================================================================================>]   1.74K  --.-KB/s    in 0s
    
    2021-09-20 04:00:44 (8.34 MB/s) - ‘SHA256SUMS.asc.1’ saved [1778/1778]
    
    pi@raspberrypi:~/dev/bitcoin/bitcoin_org_wallet/0.21.1 $ wget https://bitcoincore.org/bin/bitcoin-core-0.21.1/SHA256SUMS
    --2021-09-20 04:00:46--  https://bitcoincore.org/bin/bitcoin-core-0.21.1/SHA256SUMS
    Resolving bitcoincore.org (bitcoincore.org)... 198.251.83.116, 107.191.99.5
    Connecting to bitcoincore.org (bitcoincore.org)|198.251.83.116|:443... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2021-09-20 04:00:47 ERROR 404: Not Found.
    
    pi@raspberrypi:~/dev/bitcoin/bitcoin_org_wallet/0.21.1 $ gpg --verify SHA256SUMS.asc
    gpg: Signature made Sat 01 May 2021 19:33:58 UTC
    gpg:                using RSA key 90C8019E36C2E964
    gpg: Good signature from "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964
    
    
    pi@raspberrypi:~/dev/bitcoin/bitcoin_org_wallet/0.21.1 $ cat SHA256SUMS.asc
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    28264751c982d30b9330e6c1475ddb9ed28be6a2601e8a5f33b6ba49a3d9f5f2  bitcoin-0.21.1-aarch64-linux-gnu.tar.gz
    3a92e312ffd3ca92579d46ec52e3dcb1b09bbdd11fe7c6a735e8546c7d9975e0  bitcoin-0.21.1-arm-linux-gnueabihf.tar.gz
    1ea5cedb64318e9868a66d3ab65de14516f9ada53143e460d50af428b5aec3c7  bitcoin-0.21.1-osx64.tar.gz
    2df15131cd18fd1941adc26f014012b437ccaadab39f1f5dc10282a68e8f9923  bitcoin-0.21.1-osx.dmg
    259d74f13271dc51eb4db4b733fb1589038ff7819e849d2351e899f67de218c5  bitcoin-0.21.1-riscv64-linux-gnu.tar.gz
    caff23449220cf45753f312cefede53a9eac64000bb300797916526236b6a1e0  bitcoin-0.21.1.tar.gz
    afdd0f1717a74af01b88631d17a2f29f89d21ca2e3be0fec0678e7a1e20712d5  bitcoin-0.21.1-win64-setup-unsigned.exe
    94c80f90184cdc7e7e75988a55b38384de262336abd80b1b30121c6e965dc74e  bitcoin-0.21.1-win64.zip
    366eb44a7a0aa5bd342deea215ec19a184a11f2ca22220304ebb20b9c8917e2b  bitcoin-0.21.1-x86_64-linux-gnu.tar.gz
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.11 (GNU/Linux)
    
    -----END PGP SIGNATURE-----
    pi@raspberrypi:~/dev/bitcoin/bitcoin_org_wallet/0.21.1 $ sha256sum bitcoin-0.21.1-x86_64-linux-gnu.tar.gz
    366eb44a7a0aa5bd342deea215ec19a184a11f2ca22220304ebb20b9c8917e2b  bitcoin-0.21.1-x86_64-linux-gnu.tar.gz
    
    
  5. petjal commented at 5:05 AM on September 20, 2021: none

    Closely related issues. I guess the answer to my issue is that I should no longer demand/expect a signature by laanwj (it doesn't exist), and instead figure out a trust path to one or more of the new long list of signers.

    bitcoin

    https://github.com/bitcoin/bitcoin/issues/22965 Unable to verify Bitcoin Core 22.0 with the latest SHASUM256.asc #22965

    https://github.com/bitcoin/bitcoin/issues/22982 No Longer Signed by Release Signing Keys? #22982

    https://github.com/bitcoin/bitcoin/issues/22634 v22.0 testing #22634

    bitcoin-core

    https://github.com/bitcoin-core/bitcoincore.org/issues/793 Signature verification instructions needs updating. #793

    ruimarinho

    https://github.com/ruimarinho/docker-bitcoin-core/pull/124 Added bitcoin-core 22.0 #124

  6. petjal commented at 5:20 AM on September 20, 2021: none

    ah, now I see laanwj apparently signed with a different key/email:

    pi@raspberrypi:~/dev/bitcoin/bitcoin_org_wallet $ gpg --verify SHA256SUMS.asc 2>&1 | grep "using RSA key" | tr -s ' ' | cut -d ' ' -f5 | xargs gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys
    gpg: key 099BAD163C70FBFA: public key "Will Clark <will8clark@gmail.com>" imported
    gpg: key 0A41BDC3F4FAFF1C: public key "Aaron Clauson (sipsorcery) <aaron@sipsorcery.com>" imported
    gpg: key 74810B012346C9A6: public key "Wladimir J. van der Laan <laanwj@visucore.com>" imported
    gpg: key 410108112E7EA81F: public key "Hennadii Stepanov (GitHub key) <32963518+hebasto@users.noreply.github.com>" imported
    gpg: key 8E4256593F177720: public key "Oliver Gugger <gugger@gmail.com>" imported
    gpg: key 944D35F9AC3DB76A: public key "Michael Ford (bitcoin-otc) <fanquake@gmail.com>" imported
    gpg: key 2EBB056FD847F8A7: public key "Stephan Oeste (it) <it@oeste.de>" imported
    gpg: key C37B1C1D44C786EE: public key "Duncan Dean <duncangleeddean@gmail.com>" imported
    gpg: key E13FC145CD3F4304: public key "Antoine Poinsot <darosior@protonmail.com>" imported
    gpg: key D7CC770B81FD22A8: public key "Ben Carman <benthecarman@live.com>" imported
    gpg: key 17565732E08E5E41: public key "Andrew Chow (Official New Key) <achow101@gmail.com>" imported
    gpg: key 188CBB2648416AD5: public key ".0xB10C <0xb10c@gmail.com>" imported
    gpg: Total number processed: 12
    gpg:               imported: 12
    
  7. laanwj commented at 6:21 PM on September 20, 2021: member

    Yes, it's signed with my key, as well as with those of the other builders. The "release key" will no longer be used for >22.0.

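Putting the thread's conclusion into a script: an added example, not Bitcoin Core's own tooling, that checks the downloaded archive against SHA256SUMS and then counts good signatures on the detached SHA256SUMS.asc from a list of builder fingerprints the reader has chosen to trust, instead of looking for one release key. The fingerprints, the gpg status lines and the empty sample archive are constructed placeholders; the real path feeds `gpg --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS` into the same counter.

```shell
#!/bin/sh
# Added example, not Bitcoin Core's own tooling: the check this thread arrives at, automated.
# SHA256SUMS.asc is a detached signature carrying several builder signatures, so verification
# should count good signatures from fingerprints you trust instead of looking for one release key.

# Count VALIDSIG status lines whose primary-key fingerprint (last field in GnuPG 2) is trusted.
# Usage: count_trusted_sigs STATUS_FILE TRUSTED_FPR_FILE  (STATUS_FILE = `gpg --status-fd 1` output)
count_trusted_sigs() {
    awk -v trusted="$2" '
        BEGIN { while ((getline l < trusted) > 0) if (l != "" && l !~ /^#/) ok[toupper(l)] = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && (toupper($NF) in ok) { n++ }
        END { print n + 0 }' "$1"
}

# Compare the archive's sha256 with the entry for its basename in SHA256SUMS (fails if absent/differs).
check_archive_hash() {   # check_archive_hash ARCHIVE SHA256SUMS
    expected=$(awk -v f="$(basename "$1")" '$2 == f { print $1 }' "$2")
    [ -n "$expected" ] || { echo "no entry for $1 in $2" >&2; return 1; }
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Full check for a downloaded release: hash listed, and at least MIN signatures from trusted keys.
# gpg's own exit code is ignored on purpose: one unknown signer must not mask the good signatures.
verify_release() {   # verify_release ARCHIVE SHA256SUMS SHA256SUMS.asc TRUSTED_FPR_FILE MIN
    check_archive_hash "$1" "$2" || return 1
    status=$(mktemp)
    gpg --status-fd 1 --verify "$3" "$2" > "$status" 2>/dev/null
    good=$(count_trusted_sigs "$status" "$4"); rm -f "$status"
    echo "trusted signatures: $good (required: $5)"
    [ "$good" -ge "$5" ]
}

# Constructed offline sample: placeholder fingerprints, two valid signatures, one failed one,
# an empty archive (sha256 e3b0c442...b855) and a SHA256SUMS listing it.
write_samples() {   # write_samples DIR
    cat > "$1/status" <<'EOF'
[GNUPG:] VALIDSIG AAAA000000000000000000000000000000000001 2021-09-13 1631500000 0 4 0 1 8 00 AAAA000000000000000000000000000000000001
[GNUPG:] VALIDSIG BBBB000000000000000000000000000000000002 2021-09-13 1631500000 0 4 0 1 8 00 BBBB000000000000000000000000000000000002
[GNUPG:] ERRSIG CCCC000000000003 1 8 00 1631500000 9 CCCC000000000000000000000000000000000003
EOF
    printf '# trusted builder fingerprints\n%s\n%s\n' \
        AAAA000000000000000000000000000000000001 CCCC000000000000000000000000000000000003 > "$1/trusted"
    : > "$1/release.tar.gz"
    printf '%s  release.tar.gz\n' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 > "$1/SHA256SUMS"
}
```

With the sample data only the AAAA signer is both valid and trusted (CCCC is trusted but its signature failed), so the count is 1; a real run would pass a file of fingerprints taken from the builder keys you have checked yourself.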
  8. laanwj closed this on Sep 20, 2021

  9. DrahtBot locked this on Oct 30, 2022
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-29 03:14 UTC
