bitcoin/contrib/verifybinaries/README.md

### Verify Binaries

#### Preparation

As of Bitcoin Core v22.0, releases are signed by a number of public keys on the basis
of the [guix.sigs repository](https://github.com/bitcoin-core/guix.sigs/). When
verifying binary downloads, you (the end user) decide which of these public keys you
trust and then use that trust model to evaluate the signature on a file that contains
hashes of the release binaries. The downloaded binaries are then hashed and compared to
the signed checksum file.

First, you have to figure out which public keys to recognize. Browse the [list of frequent
builder-keys](https://github.com/bitcoin-core/guix.sigs/tree/main/builder-keys) and
decide which of these keys you would like to trust. For each key you want to trust, you
must obtain that key for your local GPG installation.

You can obtain these keys by
  - through a browser using a key server (e.g. keyserver.ubuntu.com),
  - manually using the `gpg --keyserver <url> --recv-keys <key>` command, or
  - you can run the packaged `verifybinaries.py ... --import-keys` script to
    have it automatically retrieve unrecognized keys.

#### Usage

This script attempts to download the checksum file (`SHA256SUMS`) and corresponding
signature file `SHA256SUMS.asc` from https://bitcoincore.org and https://bitcoin.org.

It first checks if the checksum file is valid based upon a plurality of signatures, and
then downloads the release files specified in the checksum file, and checks if the
hashes of the release files are as expected.

If we encounter pubkeys in the signature file that we do not recognize, the script
can prompt the user as to whether they'd like to download the pubkeys. To enable
this behavior, use the `--import-keys` flag.

The script returns 0 if everything passes the checks. It returns 1 if either the
signature check or the hash check doesn't pass. An exit code of >2 indicates an error.

See the `Config` object for various options.

#### Examples

Validate releases with default settings:
```sh
./contrib/verifybinaries/verify.py 22.0
./contrib/verifybinaries/verify.py 22.0-rc2
./contrib/verifybinaries/verify.py bitcoin-core-23.0
./contrib/verifybinaries/verify.py bitcoin-core-23.0-rc1
```

Get JSON output and don't prompt for user input (no auto key import):

```sh
./contrib/verifybinaries/verify.py 22.0-x86 --json
```

Don't trust builder-keys by default, and rely only on local GPG state and manually
specified keys, while requiring a threshold of at least 10 trusted signatures:
```sh
./contrib/verifybinaries/verify.py 22.0-x86 \
    --no-trust-builder-keys \
    --trusted-keys 74E2DEF5D77260B98BC19438099BAD163C70FBFA,9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C \
    --min-trusted-sigs 10
```

If you only want to download the binaries of certain platform, add the corresponding suffix, e.g.:

```sh
./contrib/verifybinaries/verify.py bitcoin-core-22.0-osx
./contrib/verifybinaries/verify.py bitcoin-core-22.0-rc2-win64
```

If you do not want to keep the downloaded binaries, specify anything as the second parameter.

```sh
./contrib/verifybinaries/verify.py bitcoin-core-22.0 delete
```
[contrib] Remove reference to sf and add doc to verify.sh 2016-04-15 07:18:12 -03:00			`### Verify Binaries`
[contrib] verifybinaries: Mention mandatory preparation step 2016-08-21 16:58:29 -03:00
contrib: verifybinaries: allow multisig verification This commit adds the functionality necessary to transition from doing binary verification on the basis of a single signature to requiring a minimum threshold of trusted signatures. A signature can appear as "good" from GPG output, but it may not come from an identity the user trusts. We call these "good, untrusted" signatures. We report bad signatures but do not necessarily fail in their presence, since a bad signature might coexist with enough good, trusted signatures to fulfill our criteria. If "--import-keys" is enabled, we will prompt the user to optionally try to retrieve unknown keys. Marking them as trusted locally is a WIP, but keys which are retrieved successfully and appear on the builder-keys list will immediately count as being useful towards fulfilling the threshold. Logging is improved and an option to output JSON that summarizes the whole sum signature and binary verification processes has been added. Co-authored-by: Russ Yanofsky <russ@yanofsky.org> Co-authored-by: willcl-ark <will8clark@gmail.com> 2021-09-16 19:33:20 -03:00			`#### Preparation`
[contrib] verifybinaries: Mention mandatory preparation step 2016-08-21 16:58:29 -03:00
contrib: verifybinaries: allow multisig verification This commit adds the functionality necessary to transition from doing binary verification on the basis of a single signature to requiring a minimum threshold of trusted signatures. A signature can appear as "good" from GPG output, but it may not come from an identity the user trusts. We call these "good, untrusted" signatures. We report bad signatures but do not necessarily fail in their presence, since a bad signature might coexist with enough good, trusted signatures to fulfill our criteria. If "--import-keys" is enabled, we will prompt the user to optionally try to retrieve unknown keys. Marking them as trusted locally is a WIP, but keys which are retrieved successfully and appear on the builder-keys list will immediately count as being useful towards fulfilling the threshold. Logging is improved and an option to output JSON that summarizes the whole sum signature and binary verification processes has been added. Co-authored-by: Russ Yanofsky <russ@yanofsky.org> Co-authored-by: willcl-ark <will8clark@gmail.com> 2021-09-16 19:33:20 -03:00			`As of Bitcoin Core v22.0, releases are signed by a number of public keys on the basis`
			`of the [guix.sigs repository](https://github.com/bitcoin-core/guix.sigs/). When`
			`verifying binary downloads, you (the end user) decide which of these public keys you`
			`trust and then use that trust model to evaluate the signature on a file that contains`
			`hashes of the release binaries. The downloaded binaries are then hashed and compared to`
			`the signed checksum file.`
Finished /Contrib Index. Standardized READMEs. File and Link Fix. 2013-10-16 00:14:30 -03:00
contrib: verifybinaries: allow multisig verification This commit adds the functionality necessary to transition from doing binary verification on the basis of a single signature to requiring a minimum threshold of trusted signatures. A signature can appear as "good" from GPG output, but it may not come from an identity the user trusts. We call these "good, untrusted" signatures. We report bad signatures but do not necessarily fail in their presence, since a bad signature might coexist with enough good, trusted signatures to fulfill our criteria. If "--import-keys" is enabled, we will prompt the user to optionally try to retrieve unknown keys. Marking them as trusted locally is a WIP, but keys which are retrieved successfully and appear on the builder-keys list will immediately count as being useful towards fulfilling the threshold. Logging is improved and an option to output JSON that summarizes the whole sum signature and binary verification processes has been added. Co-authored-by: Russ Yanofsky <russ@yanofsky.org> Co-authored-by: willcl-ark <will8clark@gmail.com> 2021-09-16 19:33:20 -03:00			`First, you have to figure out which public keys to recognize. Browse the [list of frequent`
			`builder-keys](https://github.com/bitcoin-core/guix.sigs/tree/main/builder-keys) and`
			`decide which of these keys you would like to trust. For each key you want to trust, you`
			`must obtain that key for your local GPG installation.`
Prettify some /Contrib READMEs SYN Remove Dead Readme-Qt Links. 2013-10-21 21:00:10 -03:00
contrib: verifybinaries: allow multisig verification This commit adds the functionality necessary to transition from doing binary verification on the basis of a single signature to requiring a minimum threshold of trusted signatures. A signature can appear as "good" from GPG output, but it may not come from an identity the user trusts. We call these "good, untrusted" signatures. We report bad signatures but do not necessarily fail in their presence, since a bad signature might coexist with enough good, trusted signatures to fulfill our criteria. If "--import-keys" is enabled, we will prompt the user to optionally try to retrieve unknown keys. Marking them as trusted locally is a WIP, but keys which are retrieved successfully and appear on the builder-keys list will immediately count as being useful towards fulfilling the threshold. Logging is improved and an option to output JSON that summarizes the whole sum signature and binary verification processes has been added. Co-authored-by: Russ Yanofsky <russ@yanofsky.org> Co-authored-by: willcl-ark <will8clark@gmail.com> 2021-09-16 19:33:20 -03:00			`You can obtain these keys by`
			`- through a browser using a key server (e.g. keyserver.ubuntu.com),`
			- manually using the `gpg --keyserver <url> --recv-keys <key>` command, or
			- you can run the packaged `verifybinaries.py ... --import-keys` script to
			`have it automatically retrieve unrecognized keys.`
[contrib] Remove reference to sf and add doc to verify.sh 2016-04-15 07:18:12 -03:00
contrib: verifybinaries: allow multisig verification This commit adds the functionality necessary to transition from doing binary verification on the basis of a single signature to requiring a minimum threshold of trusted signatures. A signature can appear as "good" from GPG output, but it may not come from an identity the user trusts. We call these "good, untrusted" signatures. We report bad signatures but do not necessarily fail in their presence, since a bad signature might coexist with enough good, trusted signatures to fulfill our criteria. If "--import-keys" is enabled, we will prompt the user to optionally try to retrieve unknown keys. Marking them as trusted locally is a WIP, but keys which are retrieved successfully and appear on the builder-keys list will immediately count as being useful towards fulfilling the threshold. Logging is improved and an option to output JSON that summarizes the whole sum signature and binary verification processes has been added. Co-authored-by: Russ Yanofsky <russ@yanofsky.org> Co-authored-by: willcl-ark <will8clark@gmail.com> 2021-09-16 19:33:20 -03:00			`#### Usage`
[contrib] Remove reference to sf and add doc to verify.sh 2016-04-15 07:18:12 -03:00
contrib: verifybinaries: allow multisig verification This commit adds the functionality necessary to transition from doing binary verification on the basis of a single signature to requiring a minimum threshold of trusted signatures. A signature can appear as "good" from GPG output, but it may not come from an identity the user trusts. We call these "good, untrusted" signatures. We report bad signatures but do not necessarily fail in their presence, since a bad signature might coexist with enough good, trusted signatures to fulfill our criteria. If "--import-keys" is enabled, we will prompt the user to optionally try to retrieve unknown keys. Marking them as trusted locally is a WIP, but keys which are retrieved successfully and appear on the builder-keys list will immediately count as being useful towards fulfilling the threshold. Logging is improved and an option to output JSON that summarizes the whole sum signature and binary verification processes has been added. Co-authored-by: Russ Yanofsky <russ@yanofsky.org> Co-authored-by: willcl-ark <will8clark@gmail.com> 2021-09-16 19:33:20 -03:00			This script attempts to download the checksum file (`SHA256SUMS`) and corresponding
			signature file `SHA256SUMS.asc` from https://bitcoincore.org and https://bitcoin.org.

			`It first checks if the checksum file is valid based upon a plurality of signatures, and`
			`then downloads the release files specified in the checksum file, and checks if the`
			`hashes of the release files are as expected.`

			`If we encounter pubkeys in the signature file that we do not recognize, the script`
			`can prompt the user as to whether they'd like to download the pubkeys. To enable`
			this behavior, use the `--import-keys` flag.

			`The script returns 0 if everything passes the checks. It returns 1 if either the`
			`signature check or the hash check doesn't pass. An exit code of >2 indicates an error.`

			See the `Config` object for various options.

			`#### Examples`

			`Validate releases with default settings:`
			```sh
			`./contrib/verifybinaries/verify.py 22.0`
			`./contrib/verifybinaries/verify.py 22.0-rc2`
			`./contrib/verifybinaries/verify.py bitcoin-core-23.0`
			`./contrib/verifybinaries/verify.py bitcoin-core-23.0-rc1`
			```

			`Get JSON output and don't prompt for user input (no auto key import):`

			```sh
			`./contrib/verifybinaries/verify.py 22.0-x86 --json`
			```

			`Don't trust builder-keys by default, and rely only on local GPG state and manually`
			`specified keys, while requiring a threshold of at least 10 trusted signatures:`
[contrib] Remove reference to sf and add doc to verify.sh 2016-04-15 07:18:12 -03:00			```sh
contrib: verifybinaries: allow multisig verification This commit adds the functionality necessary to transition from doing binary verification on the basis of a single signature to requiring a minimum threshold of trusted signatures. A signature can appear as "good" from GPG output, but it may not come from an identity the user trusts. We call these "good, untrusted" signatures. We report bad signatures but do not necessarily fail in their presence, since a bad signature might coexist with enough good, trusted signatures to fulfill our criteria. If "--import-keys" is enabled, we will prompt the user to optionally try to retrieve unknown keys. Marking them as trusted locally is a WIP, but keys which are retrieved successfully and appear on the builder-keys list will immediately count as being useful towards fulfilling the threshold. Logging is improved and an option to output JSON that summarizes the whole sum signature and binary verification processes has been added. Co-authored-by: Russ Yanofsky <russ@yanofsky.org> Co-authored-by: willcl-ark <will8clark@gmail.com> 2021-09-16 19:33:20 -03:00			`./contrib/verifybinaries/verify.py 22.0-x86 \`
			`--no-trust-builder-keys \`
			`--trusted-keys 74E2DEF5D77260B98BC19438099BAD163C70FBFA,9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C \`
			`--min-trusted-sigs 10`
[contrib] Remove reference to sf and add doc to verify.sh 2016-04-15 07:18:12 -03:00			```
[contrib] verifybinaries: Keep downloads by default 2016-08-21 16:37:21 -03:00
contrib/verifybinaries: allow filtering by platform Downloading all the binaries of all platforms can take quite long, especially for slow connections, which may deter people from using this script and, therefore, to disregard security altogether. This change introduces the new possibility of specifying the platform along with the version number, so that only the binaries that contain the platform name are downloaded. 2017-04-25 06:40:09 -03:00			`If you only want to download the binaries of certain platform, add the corresponding suffix, e.g.:`

			```sh
contrib: verifybinaries: allow multisig verification This commit adds the functionality necessary to transition from doing binary verification on the basis of a single signature to requiring a minimum threshold of trusted signatures. A signature can appear as "good" from GPG output, but it may not come from an identity the user trusts. We call these "good, untrusted" signatures. We report bad signatures but do not necessarily fail in their presence, since a bad signature might coexist with enough good, trusted signatures to fulfill our criteria. If "--import-keys" is enabled, we will prompt the user to optionally try to retrieve unknown keys. Marking them as trusted locally is a WIP, but keys which are retrieved successfully and appear on the builder-keys list will immediately count as being useful towards fulfilling the threshold. Logging is improved and an option to output JSON that summarizes the whole sum signature and binary verification processes has been added. Co-authored-by: Russ Yanofsky <russ@yanofsky.org> Co-authored-by: willcl-ark <will8clark@gmail.com> 2021-09-16 19:33:20 -03:00			`./contrib/verifybinaries/verify.py bitcoin-core-22.0-osx`
			`./contrib/verifybinaries/verify.py bitcoin-core-22.0-rc2-win64`
contrib/verifybinaries: allow filtering by platform Downloading all the binaries of all platforms can take quite long, especially for slow connections, which may deter people from using this script and, therefore, to disregard security altogether. This change introduces the new possibility of specifying the platform along with the version number, so that only the binaries that contain the platform name are downloaded. 2017-04-25 06:40:09 -03:00			```

[contrib] verifybinaries: Keep downloads by default 2016-08-21 16:37:21 -03:00			`If you do not want to keep the downloaded binaries, specify anything as the second parameter.`

			```sh
contrib: verifybinaries: allow multisig verification This commit adds the functionality necessary to transition from doing binary verification on the basis of a single signature to requiring a minimum threshold of trusted signatures. A signature can appear as "good" from GPG output, but it may not come from an identity the user trusts. We call these "good, untrusted" signatures. We report bad signatures but do not necessarily fail in their presence, since a bad signature might coexist with enough good, trusted signatures to fulfill our criteria. If "--import-keys" is enabled, we will prompt the user to optionally try to retrieve unknown keys. Marking them as trusted locally is a WIP, but keys which are retrieved successfully and appear on the builder-keys list will immediately count as being useful towards fulfilling the threshold. Logging is improved and an option to output JSON that summarizes the whole sum signature and binary verification processes has been added. Co-authored-by: Russ Yanofsky <russ@yanofsky.org> Co-authored-by: willcl-ark <will8clark@gmail.com> 2021-09-16 19:33:20 -03:00			`./contrib/verifybinaries/verify.py bitcoin-core-22.0 delete`
[contrib] verifybinaries: Keep downloads by default 2016-08-21 16:37:21 -03:00			```