contrib: allow multi-sig binary verification v2

theuni commented at 9:10 pm on March 28, 2023: member

Following up on #23020 from jamesob with achow101’s additional features on top.

Both mentioned that they will be away for the next few weeks, so this is intended to keep review going.

All credit to the jamesob and achow101. See #23020 for the original description and here for the added features.

I squashed the last commit from https://github.com/achow101/bitcoin/tree/pr23020-direct-bins-gpg-parse into the first commit here.

Fetching and local verification seem to work as intended for me.

DrahtBot commented at 9:10 pm on March 28, 2023: contributor

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	josibake

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

No conflicts as of last run.

DrahtBot added the label Scripts and tools on Mar 28, 2023

contrib: verifybinaries: allow multisig verification

This commit adds the functionality necessary to transition from
doing binary verification on the basis of a single signature to
requiring a minimum threshold of trusted signatures.

A signature can appear as "good" from GPG output, but it may not come
from an identity the user trusts. We call these "good, untrusted"
signatures.

We report bad signatures but do not necessarily fail in their presence,
since a bad signature might coexist with enough good, trusted signatures
to fulfill our criteria.

If "--import-keys" is enabled, we will prompt the user to
optionally try to retrieve unknown keys. Marking them as trusted locally
is a WIP, but keys which are retrieved successfully and appear on the
builder-keys list will immediately count as being useful towards
fulfilling the threshold.

Logging is improved and an option to output JSON that summarizes the
whole sum signature and binary verification processes has been added.

Co-authored-by: Russ Yanofsky <russ@yanofsky.org>
Co-authored-by: willcl-ark <will8clark@gmail.com>

37c9fb7a59

contrib: Refactor verifbinaries to support subcommands

Prepares for the option to provide local binaries, sha256sums, and
signatures directly.

17575c0efa

contrib: Specify to GPG the SHA256SUMS file that is detached signed e4d5778228

contrib: Add verifybinaries command for specifying files to verify

In addition to verifying the published releases with the `pub` command,
the verifybinaries script is updated to take a `bin` command where the
user specifies the local files, sums, and sigs to verify.

6b2cebfa2f

contrib: Use machine parseable GPG output in verifybinaries

GPG has an option to provide machine parseable output. Use that instead
of trying to parse the human readable output.

7a6e7ffd06

in contrib/verifybinaries/README.md:20 in dd6b1ce5d9 outdated

19 
20-The script returns 0 if everything passes the checks. It returns 1 if either the signature check or the hash check doesn't pass. If an error occurs the return value is 2.
21+You can obtain these keys by
22+  - through a browser using a key server (e.g. keyserver.ubuntu.com),
23+  - manually using the `gpg --keyserver <url> --recv-keys <key>` command, or
24+  - you can run the packaged `verifybinaries.py ... --import-keys` script to

hebasto commented at 9:22 pm on March 28, 2023:

2e187ffafc9cb0490eedd079ce1cfffafecd9dba: trailing whitespace

0  - you can run the packaged `verifybinaries.py ... --import-keys` script to

theuni force-pushed on Mar 28, 2023

fanquake added this to the milestone 25.0 on Mar 29, 2023

in contrib/verifybinaries/test.py:1 in 7a6e7ffd06 outdated

0@@ -0,0 +1,59 @@
1+#!/usr/bin/env python3

TheCharlatan commented at 7:16 am on March 29, 2023:

nittiest of nits: There already is a verify-commits, so I think the directory should be verify-binaries.

josibake commented at 10:05 am on April 6, 2023:

+1

theuni commented at 8:14 pm on April 6, 2023:

Makes sense to me but I’d rather keep the changes down in this PR. Let’s do as a follow-up?

in contrib/verifybinaries/README.md:20 in 7a6e7ffd06 outdated

19 
20-The script returns 0 if everything passes the checks. It returns 1 if either the signature check or the hash check doesn't pass. If an error occurs the return value is 2.
21+You can obtain these keys by
22+  - through a browser using a key server (e.g. keyserver.ubuntu.com),
23+  - manually using the `gpg --keyserver <url> --recv-keys <key>` command, or
24+  - you can run the packaged `verifybinaries.py ... --import-keys` script to

TheCharlatan commented at 7:28 am on March 29, 2023:

Where is this packaging step renaming verify.py to verifybinaries.py defined?

theuni commented at 9:17 pm on April 4, 2023:

Not sure what you mean, I think this just intends to say verify.py ?

TheCharlatan commented at 10:04 am on April 6, 2023:

I was inferring that there may be some undocumented step copying and renaming this file into the distributed tar archives for verification purposes. If this is not the case, then I think this indeed should just say verify.py.

in contrib/verifybinaries/README.md:45 in 7a6e7ffd06 outdated

44+
45+#### Examples
46+
47+Validate releases with default settings:
48+```sh
49+./contrib/verifybinaries/verify.py 22.0

TheCharlatan commented at 7:42 am on March 29, 2023:

These examples lack the the pub or bin args, no?

in contrib/verifybinaries/README.md:47 in 7a6e7ffd06 outdated

46+
47+Validate releases with default settings:
48+```sh
49+./contrib/verifybinaries/verify.py 22.0
50+./contrib/verifybinaries/verify.py 22.0-rc2
51+./contrib/verifybinaries/verify.py bitcoin-core-23.0

TheCharlatan commented at 7:47 am on March 29, 2023:

What is the rationale for adding the bitcoin-core prefix to the example?

theuni commented at 7:57 pm on March 30, 2023:

This isn’t clear to me either.

fanquake commented at 11:23 am on March 31, 2023:

I mentioned in the original PR, that I think this can just be dropped. We know we are downloading bitcoin-core, so I’m not sure why we need to support anything other than just passing in a version number.

TheCharlatan commented at 8:17 am on March 29, 2023: contributor

Fetching and local verification seem to work as intended for me.

Can you post your commands? Nothing is currently working as advertised in the README for me ^^.

willcl-ark commented at 9:33 am on March 29, 2023: contributor

@TheCharlatan I see it working using e.g. the pub subcommand. You need to choose pub or bin to verify either the publicly-hosted binaries, or bin for a local binary. But you are correct the docs are now outdated…

 0₿ ./contrib/verifybinaries/verify.py pub bitcoin-core-23.0-x86_64
 1[INFO] got file https://bitcoincore.org/bin/bitcoin-core-23.0/SHA256SUMS.asc as SHA256SUMS.asc
 2[WARNING] https://bitcoin.org failed to provide file (https://bitcoin.org/bin/bitcoin-core-23.0/SHA256SUMS.asc). Continuing based solely upon https://bitcoincore.org.
 3[INFO] got file https://bitcoincore.org/bin/bitcoin-core-23.0/SHA256SUMS as SHA256SUMS
 4[WARNING] https://bitcoin.org failed to provide file (https://bitcoin.org/bin/bitcoin-core-23.0/SHA256SUMS). Continuing based solely upon https://bitcoincore.org.
 5[INFO] got 17 good signatures
 6[INFO] GOOD SIGNATURE (untrusted): SigData('17565732E08E5E41', 'Andrew Chow <andrew@achow101.com>', trusted=False, status='')
 7[INFO] GOOD SIGNATURE (untrusted): SigData('D7CC770B81FD22A8', 'Ben Carman <benthecarman@live.com>', trusted=False, status='expired')
 8[INFO] GOOD SIGNATURE (untrusted): SigData('E13FC145CD3F4304', 'Antoine Poinsot <darosior@protonmail.com>', trusted=False, status='')
 9[INFO] GOOD SIGNATURE (untrusted): SigData('ED357015286A333D', 'Duncan Dean <duncangleeddean@gmail.com>', trusted=False, status='')
10[INFO] GOOD SIGNATURE (untrusted): SigData('3152347D07DA627C', 'Stephan Oeste (it) <it@oeste.de>', trusted=False, status='')
11[INFO] GOOD SIGNATURE (untrusted): SigData('2EEB9F5CC09526C1', 'Michael Ford (bitcoin-otc) <fanquake@gmail.com>', trusted=False, status='')
12[INFO] GOOD SIGNATURE (untrusted): SigData('8E4256593F177720', 'Oliver Gugger <gugger@gmail.com>', trusted=False, status='')
13[INFO] GOOD SIGNATURE (untrusted): SigData('410108112E7EA81F', 'Hennadii Stepanov (GitHub key) <32963518+hebasto@users.noreply.github.com>', trusted=False, status='')
14[INFO] GOOD SIGNATURE (untrusted): SigData('D11BD4F33F1DB499', 'jackielove4u <jackielove4u@hotmail.com>', trusted=False, status='')
15[INFO] GOOD SIGNATURE (untrusted): SigData('DD78544CF91B1514', 'Jonas Ott (jonas-ott) <git@jonas-ott.de>', trusted=False, status='')
16[INFO] GOOD SIGNATURE (untrusted): SigData('F62711DBDCA8AE56', 'Dimitri <kvaciral@protonmail.com>', trusted=False, status='')
17[INFO] GOOD SIGNATURE (untrusted): SigData('1E4AED62986CD25D', 'Wladimir J. van der Laan <laanwj@protonmail.com>', trusted=False, status='')
18[INFO] GOOD SIGNATURE (untrusted): SigData('BD02942421F4889F', 'Luke Dashjr <luke@dashjr.org>', trusted=False, status='revoked')
19[INFO] GOOD SIGNATURE (untrusted): SigData('0A41BDC3F4FAFF1C', 'Aaron Clauson (sipsorcery) <aaron@sipsorcery.com>', trusted=False, status='')
20[INFO] GOOD SIGNATURE (untrusted): SigData('7E296D555E7F63A7', 'Sjors Provoost <sjors@purpledunes.com>', trusted=False, status='')
21[INFO] GOOD SIGNATURE (untrusted): SigData('A7BEB2621678D37D', 'vertion <vertion@protonmail.com>', trusted=False, status='expired')
22[INFO] GOOD SIGNATURE (untrusted): SigData('099BAD163C70FBFA', 'Will Clark <will8clark@gmail.com>', trusted=False, status='')
23[WARNING] key D7CC770B81FD22A8 for Ben Carman <benthecarman@live.com> is expired
24[WARNING] key A7BEB2621678D37D for vertion <vertion@protonmail.com> is expired
25[INFO] removing *-unsigned binaries (bitcoin-23.0-arm64-apple-darwin-unsigned.dmg, bitcoin-23.0-arm64-apple-darwin-unsigned.tar.gz, bitcoin-23.0-x86_64-apple-darwin-unsigned.dmg, bitcoin-23.0-x86_64-apple-darwin-unsigned.tar.gz, bitcoin-23.0-win64-setup-unsigned.exe, bitcoin-23.0-win64-unsigned.tar.gz) from verification since https://bitcoincore.org does not host *-unsigned binaries
26[INFO] removing *-debug binaries (bitcoin-23.0-aarch64-linux-gnu-debug.tar.gz, bitcoin-23.0-arm-linux-gnueabihf-debug.tar.gz, bitcoin-23.0-powerpc64-linux-gnu-debug.tar.gz, bitcoin-23.0-powerpc64le-linux-gnu-debug.tar.gz, bitcoin-23.0-riscv64-linux-gnu-debug.tar.gz, bitcoin-23.0-x86_64-linux-gnu-debug.tar.gz, bitcoin-23.0-win64-debug.zip) from verification since https://bitcoincore.org does not host *-debug binaries
27[INFO] removing *-codesignatures binaries (bitcoin-23.0-codesignatures-e36a046909ad.tar.gz) from verification since https://bitcoincore.org does not host *-codesignatures binaries
28[INFO] downloading bitcoin-23.0-aarch64-linux-gnu.tar.gz
29 [INFO] downloading bitcoin-23.0-arm-linux-gnueabihf.tar.gz
30[INFO] downloading bitcoin-23.0-arm64-apple-darwin.dmg
31[INFO] downloading bitcoin-23.0-arm64-apple-darwin.tar.gz
32[INFO] downloading bitcoin-23.0.tar.gz
33[INFO] downloading bitcoin-23.0-powerpc64-linux-gnu.tar.gz
34[INFO] downloading bitcoin-23.0-powerpc64le-linux-gnu.tar.gz
35[INFO] downloading bitcoin-23.0-riscv64-linux-gnu.tar.gz
36[INFO] downloading bitcoin-23.0-x86_64-apple-darwin.dmg
37[INFO] downloading bitcoin-23.0-x86_64-apple-darwin.tar.gz
38[INFO] downloading bitcoin-23.0-x86_64-linux-gnu.tar.gz
39[INFO] downloading bitcoin-23.0-win64-setup.exe
40[INFO] downloading bitcoin-23.0-win64.zip
41[INFO] did not clean up /tmp/bitcoin_verify_binaries.bitcoin-core-23.0-x86_64
42VERIFIED: bitcoin-23.0-aarch64-linux-gnu.tar.gz
43VERIFIED: bitcoin-23.0-arm-linux-gnueabihf.tar.gz
44VERIFIED: bitcoin-23.0-arm64-apple-darwin.dmg
45VERIFIED: bitcoin-23.0-arm64-apple-darwin.tar.gz
46VERIFIED: bitcoin-23.0.tar.gz
47VERIFIED: bitcoin-23.0-powerpc64-linux-gnu.tar.gz
48VERIFIED: bitcoin-23.0-powerpc64le-linux-gnu.tar.gz
49VERIFIED: bitcoin-23.0-riscv64-linux-gnu.tar.gz
50VERIFIED: bitcoin-23.0-x86_64-apple-darwin.dmg
51VERIFIED: bitcoin-23.0-x86_64-apple-darwin.tar.gz
52VERIFIED: bitcoin-23.0-x86_64-linux-gnu.tar.gz
53VERIFIED: bitcoin-23.0-win64-setup.exe
54VERIFIED: bitcoin-23.0-win64.zip

TheCharlatan commented at 9:37 am on March 29, 2023: contributor

@TheCharlatan I see it working using e.g. the pub subcommand. You need to choose pub or bin to verify either the publicly-hosted binaries, or bin for a local binary. But you are correct the docs are now outdated…

Mmh, shouldn’t the sample command you posted only have verified x86_64 binaries?

willcl-ark commented at 9:38 am on March 29, 2023: contributor

Yes, there does seem to be quite a few other issues in testing currently. Just wanted to let you know how to get the thing running :)

theuni commented at 8:02 pm on March 30, 2023: member

@TheCharlatan I see it working using e.g. the pub subcommand. You need to choose pub or bin to verify either the publicly-hosted binaries, or bin for a local binary. But you are correct the docs are now outdated…

Mmh, shouldn’t the sample command you posted only have verified x86_64 binaries?

Mmm, yeah, this is awkward. @achow101’s original changes forced the user to specify which binaries should be checked. I requested using the contents of the SHA256SUMS file instead.

The problem with teaching the bin command the version syntax from pub is that that syntax is pretty remote-url centric. So I’m not sure it makes sense to allow the user to use the same type of filter for bin.

Should we just go back to requiring the user to specify the bins? Downloading to a clean dir and using a wildcard should still work for tooling I think. @TheBlueMatt ?

in contrib/verifybinaries/README.md:76 in 7a6e7ffd06 outdated

82 
83 If you do not want to keep the downloaded binaries, specify anything as the second parameter.
84 
85 ```sh
86-./verify.py bitcoin-core-0.13.0 delete
87+./contrib/verifybinaries/verify.py bitcoin-core-22.0 delete

fanquake commented at 11:25 am on March 31, 2023:

From #23020 (review)

Should we just add an explicit --delete argument to the script, rather than “append a random anything”, as was proposed in #26985.

theuni commented at 9:22 pm on April 4, 2023:

Looks like this has been implemented as pub --cleanup. A quick test shows it working as intended. Will update the doc.

in contrib/verifybinaries/README.md:48 in 7a6e7ffd06 outdated

47+Validate releases with default settings:
48+```sh
49+./contrib/verifybinaries/verify.py 22.0
50+./contrib/verifybinaries/verify.py 22.0-rc2
51+./contrib/verifybinaries/verify.py bitcoin-core-23.0
52+./contrib/verifybinaries/verify.py bitcoin-core-23.0-rc1

glozow commented at 10:21 am on April 3, 2023:

nit: it would be nice to have a bin example as well

0./contrib/verifybinaries/verify.py pub bitcoin-core-23.0-rc1
1./contrib/verifybinaries/verify.py bin ~/Downloads/SHA256SUMS ~/Downloads/bitcoin-24.0.1-x86_64-linux-gnu.tar.gz

in contrib/verifybinaries/verify.py:488 in 37c9fb7a59 outdated

547+        if gpg_retval == 1:
548+            log.critical(f"Bad signature (code: {gpg_retval}).")
549+        if gpg_retval == 2:
550+            log.critical(
551+                "gpg error. Do you have the Bitcoin Core binary release "
552+                "signing key installed?")

glozow commented at 10:35 am on April 3, 2023:

nit: This seems like it can be deleted, since 2 is an allowed return code and missing “the Bitcoin Core binary release signing key” doesn’t apply

TheBlueMatt commented at 6:44 pm on April 3, 2023: contributor

Downloading to a clean dir and using a wildcard should still work for tooling I think. @TheBlueMatt ?

Not sure exactly what you mean here - part of the goal is to have tooling to verify all the binaries sitting in a folder? If you can “download” all of them in one go from file:/// I guess that works too?

theuni commented at 9:38 pm on April 4, 2023: member

I believe I’ve addressed the comments here. I’ve chosen to add fresh comments on top rather than squashing to avoid mixing up my changes on top of @jamesob’s/@achow101’s.

The os/arch filters like verify.py 22.0-osx no longer work for me and I’m not quite sure why. Otherwise remote/local verification seem to work ok.

in contrib/verifybinaries/verify.py:290 in da864a554d outdated

302+    success, output = download_with_wget(url, filename)
303+    if not success:
304+        log.error(
305+            f"couldn't fetch file ({url}). "
306+            "Have you specified the version number in the following format?\n"
307+            f"[{VERSIONPREFIX}]{VERSION_FORMAT} "

fanquake commented at 1:32 pm on April 5, 2023:

Can drop VERSIONPREFIX from this output.

in contrib/verifybinaries/verify.py:659 in da864a554d outdated

747+        help=(
748+            'The minimum number of good signatures to require successful termination.'),
749+    )
750+    parser.add_argument(
751+        '--keyserver', action='store', nargs='?',
752+        default=os.environ.get('BINVERIFY_KEYSERVER', 'hkp://keyserver.ubuntu.com'),

fanquake commented at 1:35 pm on April 5, 2023:

note that the keyserver we currently “recommend” is hkps://keys.openpgp.org. See #22688, #23466.

in contrib/verifybinaries/README.md:59 in da864a554d outdated

61+
62+Don't trust builder-keys by default, and rely only on local GPG state and manually
63+specified keys, while requiring a threshold of at least 10 trusted signatures:
64+```sh
65+./contrib/verifybinaries/verify.py pub 22.0-x86 \
66+    --no-trust-builder-keys \

fanquake commented at 1:40 pm on April 5, 2023:

--no-trust-builder-keys is no-longer a thing? Arguments here need re-ordering as well.

in contrib/verifybinaries/README.md:61 in da864a554d outdated

63+specified keys, while requiring a threshold of at least 10 trusted signatures:
64+```sh
65+./contrib/verifybinaries/verify.py pub 22.0-x86 \
66+    --no-trust-builder-keys \
67+    --trusted-keys 74E2DEF5D77260B98BC19438099BAD163C70FBFA,9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C \
68+    --min-trusted-sigs 10

fanquake commented at 1:42 pm on April 5, 2023:

0    --min-good-sigs 10

fanquake commented at 1:43 pm on April 5, 2023: member

Did some basic testing that this “works”. I wouldn’t like to hold merging this up past a good-enough state, so happy for comments/nits/follows to be addressed soon after.

theuni force-pushed on Apr 5, 2023

theuni commented at 3:59 pm on April 5, 2023: member

Thanks for the review @fanquake, comments addressed.

LMK if you’d like me to squash. I could either squash mine into the original authors’ or mine all into one “fixup” on top of theirs.

Edit: @glozow thanks for the review as well!

fanquake commented at 4:07 pm on April 5, 2023: member

@theuni I don’t particularly mind. I think the commits here look ok as-is. If you want to squash them all down into a fixup, that’s probably also ok, but going to be a bit messy. Squashing all the changes back into the original commits is probably going to be more messy again.

in contrib/verifybinaries/README.md:52 in 96344222f3 outdated

54+```
55+
56+Get JSON output and don't prompt for user input (no auto key import):
57+
58+```sh
59+./contrib/verifybinaries/verify.py pub 22.0-x86 --json

dergoegge commented at 9:03 am on April 6, 2023:

0./contrib/verifybinaries/verify.py --json pub 22.0-x86

otherwise i get this:

0$ ./contrib/verifybinaries/verify.py pub 22.0-x86 --json
1usage: verify.py [-h] [-v] [-q] [--import-keys] [--min-good-sigs [MIN_GOOD_SIGS]] [--keyserver [KEYSERVER]] [--trusted-keys [TRUSTED_KEYS]] [--json] {pub,bin} ...
2verify.py: error: unrecognized arguments: --json

josibake commented at 9:58 am on April 6, 2023:

running ./verify.py --json pub 22.0-x86 downloads everything

theuni commented at 7:18 pm on April 6, 2023:

Thanks. I’ll squashed this into another commit.

in contrib/verifybinaries/README.md:63 in 96344222f3 outdated

65+./contrib/verifybinaries/verify.py \
66+    --trusted-keys 74E2DEF5D77260B98BC19438099BAD163C70FBFA,9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C \
67+    --min-good-sigs 10 pub 22.0-x86
68 ```
69 
70 If you only want to download the binaries of certain platform, add the corresponding suffix, e.g.:

josibake commented at 9:33 am on April 6, 2023:

nit:

0If you only want to download the binaries for a certain platform, add the corresponding suffix, e.g.:

fanquake commented at 10:50 am on April 9, 2023:

See 27440.

in contrib/verifybinaries/test.py:15 in 96344222f3 outdated

10+    """Tests ordered roughly from faster to slower."""
11+    expect_code(run_verify("", "pub", '0.32'), 4, "Nonexistent version should fail")
12+    expect_code(run_verify("", "pub", '0.32.awefa.12f9h'), 11, "Malformed version should fail")
13+    expect_code(run_verify('--min-good-sigs 20', "pub", "22.0"), 9, "--min-good-sigs 20 should fail")
14+
15+    print("- testing multisig verification (22.0)", flush=True)

josibake commented at 9:36 am on April 6, 2023:

nit: would avoid using the term multisig because of its meaning in other bitcoin contexts

0    print("- testing verification (22.0)", flush=True)

fanquake commented at 10:50 am on April 9, 2023:

done in 27440

in contrib/verifybinaries/README.md:20 in 96344222f3 outdated

19 
20-The script returns 0 if everything passes the checks. It returns 1 if either the signature check or the hash check doesn't pass. If an error occurs the return value is 2.
21+You can obtain these keys by
22+  - through a browser using a key server (e.g. keyserver.ubuntu.com),
23+  - manually using the `gpg --keyserver <url> --recv-keys <key>` command, or
24+  - you can run the packaged `verifybinaries.py ... --import-keys` script to

josibake commented at 9:39 am on April 6, 2023:

0  - you can run the packaged `verify.py ... --import-keys` script to
1- ```

in contrib/verifybinaries/README.md:46 in 96344222f3 outdated

48 ```sh
49-./verify.py bitcoin-core-0.11.2
50-./verify.py bitcoin-core-0.12.0
51-./verify.py bitcoin-core-0.13.0-rc3
52+./contrib/verifybinaries/verify.py pub 22.0
53+./contrib/verifybinaries/verify.py pub 22.0-rc2

josibake commented at 9:48 am on April 6, 2023:

kinda weird that the scripts are relative to the root, and not the README.md?

in contrib/verifybinaries/README.md:60 in 96344222f3 outdated

62+Rely only on local GPG state and manually specified keys, while requiring a
63+threshold of at least 10 trusted signatures:
64+```sh
65+./contrib/verifybinaries/verify.py \
66+    --trusted-keys 74E2DEF5D77260B98BC19438099BAD163C70FBFA,9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C \
67+    --min-good-sigs 10 pub 22.0-x86

josibake commented at 9:54 am on April 6, 2023:

when I ran this command, it still downloaded and verified everything (as opposed to just -x86)

josibake commented at 10:02 am on April 6, 2023: member

Concept ACK

Downloading for a specific platform doesn’t work, so I’d suggest we either fix it before merging or remove it from the docs. I also left a few other nits but they aren’t important.

in contrib/verifybinaries/verify.py:514 in 96344222f3 outdated

580+        if sigs_status == ReturnCode.INTEGRITY_FAILURE:
581+            cleanup()
582+        return sigs_status
583+
584+    # Extract hashes and filenames
585+    hashes_to_verify = parse_sums_file(SUMS_FILENAME, os_filter)

TheCharlatan commented at 10:29 am on April 6, 2023:

0    hashes_to_verify = parse_sums_file(SUMS_FILENAME, [os_filter])

TheCharlatan commented at 10:30 am on April 6, 2023:

parse_sums_file expects a list of strings. This should fix the download selection filter.

josibake commented at 11:20 am on April 6, 2023:

confirmed this does fix the download selection filter

theuni commented at 7:17 pm on April 6, 2023:

Thanks!

TheCharlatan changes_requested

TheCharlatan commented at 10:35 am on April 6, 2023: contributor

Nit: After discovering #27358 (review) I ran mypy verify.py and:

0verify.py:129: error: Module has no attribute "HTTPError"
1verify.py:588: error: Argument 1 to "verify_shasums_signature" has incompatible type "Path"; expected "str"
2Found 2 errors in 1 file (checked 1 source file)

verifybinaries: move all current examples to the pub subcommand c44323a717

verifybinaries: remove awkward bitcoin-core prefix handling 6d11830265

verifybinaries: README cleanups

- Use correct name for verify.py
- Add usage examples for verifybinaries bin
- Document proper use of new cleanup option
- Fixup broken example

46c73b57c6

verifybinaries: Don't delete shasums file

It may be useful for local validation.

5668c6473a

verifybinaries: remove unreachable code 4e0396835d

verifybinaries: use recommended keyserver by default 8cdadd1729

verifybinaries: fix OS download filter

Co-authored-by: Reproducibility Matters <seb.kung@gmail.com>

4b23b488d2

verifybinaries: catch the correct exception 8a65e5145c

verifybinaries: fix argument type error pointed out by mypy 754fb6bb81

in contrib/verifybinaries/verify.py:533 in 96344222f3 outdated

602 
603     # download binaries
604     for _, binary_filename in hashes_to_verify:
605-        print(f"Downloading {binary_filename}")
606-        download_with_wget(HOST1 + remote_dir + binary_filename)
607+        log.info(f"downloading {binary_filename}")

josibake commented at 11:24 am on April 6, 2023:

nit: it would be nice to have it also print out the destination, e.g “downloading {binary_filename} to {destination}”

fanquake commented at 10:50 am on April 9, 2023:

added to 27440.

theuni force-pushed on Apr 6, 2023

theuni commented at 8:02 pm on April 6, 2023: member

Thanks for the review @TheCharlatan and @josibake. I’ve addressed most of the feedback with the exception of a few nits as I don’t want this to drag out forever.

I squashed some of the readme changes to keep the number of commits down. The diff from the previous changes can be seen with: git diff 96344222f3..754fb6bb81 .

josibake commented at 9:31 pm on April 6, 2023: member

ACK https://github.com/bitcoin/bitcoin/pull/27358/commits/754fb6bb8125317575edec7c20b5617ad27a9bdd

fanquake commented at 7:26 am on April 7, 2023: member

We can have a followup, to address any further issues/improvements.

fanquake merged this on Apr 7, 2023

fanquake closed this on Apr 7, 2023

Sjors commented at 11:38 am on April 7, 2023: member

Followup suggestions:

allow user to specify the domain(s), e.g. --domain=bitcoincore.org so you don’t get warnings about bitcoin.org, which only has up to version 22.0 at the moment. Conversely, it will make a future domain evacuation safer.
“osx” in the documentation example should be “macos” (but it doesn’t work either way as @theuni found)
“The os/arch filters like verify.py 22.0-osx no longer work for me and I’m not quite sure why.” - would be nice to restore this, or just file a Github issue and remove it from the docs

theuni commented at 1:53 pm on April 7, 2023: member

@Sjors That filter problem should’ve been fixed by https://github.com/bitcoin/bitcoin/pull/27358/commits/4b23b488d2c5662215d78e4963ef5a2b86b4e25b, my comment was from before then. Is what’s now in master still broken for you?

Edit: Also, agreed on your first suggestion.

Sjors commented at 2:39 pm on April 7, 2023: member

@theuni yes. On Intel macOS 13.3:

0 % ./contrib/verifybinaries/verify.py pub 24.0.1-osx 
1…
2[ERROR] no files matched the platform specified

Ditto for 24.0.1-macos

Ah, -darwin works, so it’s just a matter of updating the doc.

theuni commented at 3:28 pm on April 7, 2023: member

@Sjors the filter works almost like a grep, so it depends on the release. Starting with v23 the apple binaries were renamed.

sidhujag referenced this in commit 79968d1ebc on Apr 8, 2023

fanquake referenced this in commit c18f8b3b22 on Apr 9, 2023

fanquake referenced this in commit bfb0f4b3e0 on Apr 9, 2023

fanquake commented at 10:51 am on April 9, 2023: member

Covered most of the followup requests in #27440.

fanquake referenced this in commit e2e5683afe on Apr 9, 2023

achow101 referenced this in commit 9270a56662 on Apr 11, 2023

sidhujag referenced this in commit e4cb1a7d09 on Apr 11, 2023

RandyMcMillan referenced this in commit 39751d2ee5 on May 27, 2023

bitcoin locked this on Apr 8, 2024

contrib: allow multi-sig binary verification v2 #27358

Reviews

Conflicts