Verify Bitcoin client download with gpg

This guide will walk you through verifying the bitcoin client binaries after downloading them from http://bitcoin.org.

At a high level, you will download the gzipped binaries and a checksum file. You confirm that the checksum file is the legitimate checksum by verifying it was properly signed by the lead Bitcoin developer.

Once the checksum file is verified, you run a checksum on the gzipped file and compare it to the checksum in the checksum file.

Pre-Req

If you haven't imported Gavin's gpg key into your system, you will first need to do that.

wget http://bitcoin.org/gavinandresen.asc  
gpg --import gavinandresen.asc  

Download gzip and checksum

Download the latest client binaries and the checksum file from the Bitcoin project on sourceforge. This example shows version 0.8.6.

wget http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.6/bitcoin-0.8.6-linux.tar.gz  
wget http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.6/SHA256SUMS.asc  

Verify checksum file

You will now verify that the checksum file you downloaded was signed by the Bitcoin lead developer and can be trusted.

gpg --verify SHA256SUMS.asc  

This should output something like:

gpg: Signature made Mon 09 Dec 2013 01:14:17 PM PST using RSA key ID 7BF6E212  
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>"  
gpg: WARNING: This key is not certified with a trusted signature!  
gpg:          There is no indication that the signature belongs to the owner.  
Primary key fingerprint: 2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1  
     Subkey fingerprint: 3D22 F497 DEAE D078 18A2  219A 1B7B FB45 7BF6 E212

gpg prints a warning because the key is not certified by a signature you trust. You can still confirm it is the right key by comparing the primary key fingerprint in the output against Gavin's known key fingerprint:

2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1  

Verify gzipped file

You will run sha256sum on the gzipped file and compare that output to the contents of the SHA256SUMS.asc file:

grep linux SHA256SUMS.asc; sha256sum bitcoin-0.8.6-linux.tar.gz  

This outputs two matching rows, which shows that the checksum of the gzipped file matches the checksum supplied in the .asc file:

73495de53d1a30676884961e39ff46c3851ff770eeaa767331d065ff0ce8dd0c  bitcoin-0.8.6-linux.tar.gz  
73495de53d1a30676884961e39ff46c3851ff770eeaa767331d065ff0ce8dd0c  bitcoin-0.8.6-linux.tar.gz

Congrats, you should now have a valid Bitcoin client.
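
The steps above as a single script, added here as an example and not part of the original guide: it pins the primary key fingerprint instead of relying on the "Good signature" line, and compares the hash only against the text gpg reports as signed. It assumes SHA256SUMS.asc is a clearsigned file; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original guide. The pinned primary-key
# fingerprint is the one the guide lists, with the spaces removed.
EXPECTED_FPR="26646D99CBAEC9B81982EF6029D9EE6B1FC730C1"

# Succeeds only if the gpg status text on stdin has a VALIDSIG line whose last
# field (the primary-key fingerprint) is the pinned one. "Good signature" alone
# only says that some key in the keyring signed the file.
signed_by_expected_key() {  # $1 = pinned fingerprint
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF "") == (want "") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Succeeds only if the SHA-256 of file $1 is listed under its own name in $2,
# a file of "hash  name" lines. The "" concatenation forces string comparison.
hash_is_listed() {
    actual=$(sha256sum "$1" | awk '{ print $1 }') || return 1
    awk -v h="$actual" -v n="$(basename "$1")" '
        { sub(/^\*/, "", $2) }
        ($1 "") == (h "") && $2 == n { ok = 1 }
        END { exit ok ? 0 : 1 }' "$2"
}

# $1 = tarball, $2 = SHA256SUMS.asc (assumed to be a clearsigned file).
verify_download() {
    sums=$(mktemp) || return 1
    # --decrypt writes only the signed text to $sums, so hash lines sitting
    # outside the signed block of the .asc are never compared.
    status=$(gpg --batch --yes --status-fd 1 --output "$sums" --decrypt "$2" \
        2>/dev/null) || { rm -f "$sums"; return 1; }
    printf '%s\n' "$status" | signed_by_expected_key "$EXPECTED_FPR" &&
        hash_is_listed "$1" "$sums"
    rc=$?
    rm -f "$sums"
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    if verify_download "$1" "$2"; then
        echo "OK: $1 matches a checksum signed by $EXPECTED_FPR"
    else
        echo "FAILED: do not install $1" >&2
        exit 1
    fi
fi
```

Run it with the tarball and the checksum file as its two arguments; it exits non-zero if either the signer or the hash does not match.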
