Include release gpg key in git repo, signed by a number of core-devs #8576

issue EagleTM opened this issue on August 24, 2016
  1. EagleTM commented at 10:37 AM on August 24, 2016: none

    The current gpg release key used for signing binaries and SHA256SUMS is commonly (on bitcoin.org, for example) referenced as legit because of an announcement on the bitcoin-dev mailing list: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-June/009045.html

    The message on bitcoin-dev cannot be verified easily because the pipermail web version mangled laanwj@gmail.com to laanwj at gmail.com, which is not easy to know and fix for anyone trying to verify.

    I'd suggest (because that's where I went to look) a) including the release key in the git repo of bitcoin/bitcoin under contrib, along with a version that is signed by other core devs like https://pgp.mit.edu/pks/lookup?op=vindex&search=0x90C8019E36C2E964 or https://bitcoin.org/laanwj-releases.asc, and b) avoiding links to https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-June/009045.html, or at least explaining how to verify the message there by stating that it needs to be manually fixed to verify (again, bitcoin.org is not in the power of Bitcoin Core itself).

    Edit: https://bitcoin.org/laanwj-releases.asc is in fact signed by 0x74810B012346C9A6, so that's good; it could possibly use more sigs.

  2. MarcoFalke commented at 10:57 AM on August 24, 2016: member

    @EagleTM I am pretty sure the key is signed. Can you post the result of

    $ gpg  --check-sig "Bitcoin Core binary release signing key"
    
  3. EagleTM commented at 11:03 AM on August 24, 2016: none

    You're right, it's signed; gmaxwell also pointed this out on IRC and I edited the original issue accordingly.

    $ gpg --check-sig "Bitcoin Core binary release signing key"
    pub   4096R/36C2E964 2015-06-24 [expires: 2017-02-13]
    uid                  Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>
    sig!3        36C2E964 2015-06-24  Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>

    Edit: This (and the above) is from a fresh keyring and trustdb just to make sure, and relates to https://bitcoin.org/laanwj-releases.asc

    $ gpg --list-sigs "Bitcoin Core binary release signing key"
    pub   4096R/36C2E964 2015-06-24 [expires: 2017-02-13]
    uid                  Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>
    sig 3        36C2E964 2015-06-24  Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>
    sig          2346C9A6 2015-06-24  [User ID not found]

  4. tigusoft-vm commented at 2:22 PM on August 24, 2016: none

    Perhaps we can add a summary to the bitcoin.org website of how to move to the new key in the most secure way?

    We've written one: tl;dr first, then details. I hope it covers all bases. Feel free to edit, of course.

    https://github.com/tigusoft-vm/meshnetpl-users/blob/master/trusting-gpg-keys-example-bitcoin.txt

  5. fanquake added the label Docs and Output on Nov 6, 2016
  6. laanwj commented at 9:39 AM on January 26, 2017: member

    You should not check my mail message, but that my signature is on the key, with the command-line @MarcoFalke gives.

    I don't think this is worth keeping open as an issue otherwise.

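The check laanwj and MarcoFalke describe above (is a particular core dev's signature actually on the release key, and does gpg verify it as good?) is easy to script against `gpg --check-sigs --with-colons`. The example below is an added illustration for this thread, not code from the issue or from Bitcoin Core. It parses the machine-readable listing and reports, for a set of required signer key IDs, which certifications are verified-good and which are not. It also makes the distinction EagleTM's two listings show: with `--list-sigs` (or with the signer's key not imported) a certification shows up but is not verified, and that must not count. The sample listings are constructed: the long key IDs 90C8019E36C2E964 and 74810B012346C9A6 and the 2015-06-24 / 2017-02-13 dates come from the thread, while the epoch timestamps, fingerprint and user-ID hash are made up. The `gpg_check_sigs` helper runs the real command and is only used when the script is executed directly.

```python
"""Verify that a GPG release-signing key carries verified-good certifications
from a set of expected signer keys, by parsing `gpg --check-sigs --with-colons`.

Added example for this thread; not code from the issue or from Bitcoin Core.
Sample listings are constructed (key IDs and dates from the thread; epoch
timestamps, fingerprint and uid hash are made up).
"""
import subprocess
from dataclasses import dataclass, field

# Record layout per gnupg doc/DETAILS (1-based there, 0-based indices here):
#   f[0]  record type: pub, fpr, uid, sig, rev, ...
#   f[1]  validity; on sig records filled only by --check-sigs:
#         '!' good, '-' bad, '?' signer key not in keyring, '%' error
#   f[4]  64-bit key ID (on sig/rev records: the certifying key's ID)
#   f[9]  user ID, or the fingerprint on fpr records
#   f[10] signature class, e.g. 13x = persona certification, exportable

@dataclass
class Certification:
    kind: str       # "sig" or "rev"
    signer: str     # long (64-bit) key ID of the certifying key
    status: str     # '!', '-', '?', '%' or '' when not checked
    sig_class: str

@dataclass
class KeyReport:
    keyid: str
    fingerprint: str = ""
    uids: list = field(default_factory=list)
    certs: list = field(default_factory=list)

def parse_check_sigs(listing: str) -> list:
    """Turn a --with-colons listing into one KeyReport per primary key."""
    keys, cur = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = KeyReport(keyid=f[4])
            keys.append(cur)
        elif cur is None:
            continue                    # tru / other header records
        elif f[0] == "fpr" and not cur.fingerprint:
            cur.fingerprint = f[9]      # first fpr after pub: primary key
        elif f[0] == "uid":
            cur.uids.append(f[9])
        elif f[0] in ("sig", "rev"):
            cur.certs.append(Certification(f[0], f[4], f[1], f[10]))
    return keys

STATUS_REASON = {"?": "unverified: signer key not in keyring",
                 "-": "bad signature", "%": "verification error",
                 "": "not checked (use --check-sigs, not --list-sigs)"}

def missing_certifications(report: KeyReport, required: set) -> dict:
    """Map each required signer (long key ID) whose certification is NOT
    verified-good to the reason; {} means all required signatures checked out.
    Match on the 64-bit ID from the listing: 32-bit short IDs like 2346C9A6
    are trivially collidable and must not be used for this decision.
    Any rev record from a signer is conservatively treated as revoking."""
    revoked = {c.signer for c in report.certs if c.kind == "rev"}
    best = {}
    for c in report.certs:
        if c.kind == "sig" and best.get(c.signer) != "!":
            best[c.signer] = c.status   # a single good sig wins
    out = {}
    for signer in sorted(required):
        if signer in revoked:
            out[signer] = "certification revoked"
        elif signer not in best:
            out[signer] = "absent"
        elif best[signer] != "!":
            out[signer] = STATUS_REASON.get(best[signer], "status " + best[signer])
    return out

def gpg_check_sigs(key: str) -> str:
    """Run the real command from the thread in machine-readable form."""
    return subprocess.run(["gpg", "--check-sigs", "--with-colons", key],
                          check=True, capture_output=True, text=True).stdout

# Constructed listing: release key self-signed, cross-signature present but the
# signer's key is not in the keyring yet, so gpg marks it '?'.
BEFORE_IMPORT = """\
tru::1:1471000000:0:3:1:5
pub:-:4096:1:90C8019E36C2E964:1435104000:1486944000::-:::scESC::::::::
fpr:::::::::0123456789ABCDEF0123456790C8019E36C2E964:
uid:-::::1435104000::0000000000000000000000000000000000000000::Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>::::::::::0:
sig:!::1:90C8019E36C2E964:1435104000::::Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>:13x:::::::::
sig:?::1:74810B012346C9A6:1435104000::::[User ID not found]:10x:::::::::
"""
# Same key after importing the signer's key: gpg now verifies the sig as '!'.
AFTER_IMPORT = BEFORE_IMPORT.replace(
    "sig:?::1:74810B012346C9A6:1435104000::::[User ID not found]",
    "sig:!::1:74810B012346C9A6:1435104000::::(signer uid, constructed)")

if __name__ == "__main__":
    required = {"90C8019E36C2E964", "74810B012346C9A6"}
    for name, text in (("before import", BEFORE_IMPORT), ("after import", AFTER_IMPORT)):
        print(name, missing_certifications(parse_check_sigs(text)[0], required) or "all good")
```

Against a live keyring, replace the constructed strings with `gpg_check_sigs("0x90C8019E36C2E964")` and pass the long IDs of the core devs whose certifications you require; an empty result is the only outcome that means the cross-signatures were actually verified rather than merely listed.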
  7. laanwj closed this on Jan 26, 2017

  8. MarcoFalke locked this on Sep 8, 2021

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-20 15:15 UTC
