TransWikia.com

Any idea why Bitcoin Core signature is untrusted?

Bitcoin Asked by Dennis Concepción Martín on October 24, 2021

It's supposed to be a trusted signature, right? I'm downloading Bitcoin Core from bitcoin.org

gpg --import laanwj-releases.asc
gpg: key 90C8019E36C2E964: 51 firmas no comprobadas por falta de claves
gpg: clave 90C8019E36C2E964: "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <[email protected]>" sin cambios
gpg: Cantidad total procesada: 1
gpg:              sin cambios: 1

sha256sum --check SHA256SUMS.asc
sha256sum: bitcoin-0.20.0-aarch64-linux-gnu.tar.gz: No such file or directory
bitcoin-0.20.0-aarch64-linux-gnu.tar.gz: FAILED open or read
sha256sum: bitcoin-0.20.0-arm-linux-gnueabihf.tar.gz: No such file or directory
bitcoin-0.20.0-arm-linux-gnueabihf.tar.gz: FAILED open or read
sha256sum: bitcoin-0.20.0-osx64.tar.gz: No such file or directory
bitcoin-0.20.0-osx64.tar.gz: FAILED open or read
sha256sum: bitcoin-0.20.0-osx.dmg: No such file or directory
bitcoin-0.20.0-osx.dmg: FAILED open or read
sha256sum: bitcoin-0.20.0-riscv64-linux-gnu.tar.gz: No such file or directory
bitcoin-0.20.0-riscv64-linux-gnu.tar.gz: FAILED open or read
sha256sum: bitcoin-0.20.0.tar.gz: No such file or directory
bitcoin-0.20.0.tar.gz: FAILED open or read
sha256sum: bitcoin-0.20.0-win64-setup.exe: No such file or directory
bitcoin-0.20.0-win64-setup.exe: FAILED open or read
sha256sum: bitcoin-0.20.0-win64.zip: No such file or directory
bitcoin-0.20.0-win64.zip: FAILED open or read
sha256sum: bitcoin-0.20.0-x86_64-linux-gnu.tar.gz: No such file or directory
bitcoin-0.20.0-x86_64-linux-gnu.tar.gz: FAILED open or read
sha256sum: WARNING: 20 lines are improperly formatted
sha256sum: WARNING: 9 listed files could not be read

gpg --verify SHA256SUMS.asc
gpg: Firmado el mié  3 jun 10:59:52 2020 WEST
gpg:                usando RSA clave 90C8019E36C2E964
gpg: Firma correcta de "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <[email protected]>" [desconocido]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

One Answer

When you import a key, you can mark it as trusted. Usually, you would do this after meeting the owner of a key and verifying that they actually control the key, e.g. at a CryptoParty. Since it is infeasible for each user to verify every other user in person, PGP/GPG leverages a "web of trust" to establish connections between keys. E.g. Alice has met Bob and trusts Bob's key. Bob has signed Carol's key, so Alice transitively trusts Carol's key to some degree. There are some issues with the reliability and assumptions of this approach, but that's how it works.

Anyway, what GPG is telling you here is that the package you have downloaded was indeed signed by the key you checked against, but it warns you that you have not verified the authenticity of the signing key.

Answered by Murch on October 24, 2021
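Added example, not part of the question or of Murch's answer: a POSIX shell script showing what a downloader does when the web of trust is empty, as in the question: pin the primary key fingerprint printed by gpg and accept only a GOODSIG/VALIDSIG from exactly that key, deliberately ignoring the "[unknown]" trust level; it also runs sha256sum with `--ignore-missing` so only the files actually downloaded are checked. The `[GNUPG:]` status lines in SAMPLE_GOOD and SAMPLE_BAD are constructed to model the question's output (timestamps included); `sig_decision` and `verify_release` are names chosen here.

```shell
#!/bin/sh
# Pinned primary key fingerprint, copied from the gpg output in the question.
EXPECTED_FPR="01EA5486DE18A882D4C2684590C8019E36C2E964"

# sig_decision <fingerprint>: reads `gpg --status-fd 1 --verify` output on
# stdin and prints "accept" or "reject". Accepts only if a GOODSIG line is
# present and the VALIDSIG line's last field (primary key fingerprint) equals
# the pinned value. TRUST_UNDEFINED / "[unknown]" is intentionally ignored:
# the pinned fingerprint replaces the missing web-of-trust path.
sig_decision() {
    expected=$1
    goodsig=0
    fpr_ok=0
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] GOODSIG "*) goodsig=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*) echo reject; return 0 ;;
            "[GNUPG:] VALIDSIG "*)
                primary=
                for word in $line; do primary=$word; done   # keep last field
                [ "$primary" = "$expected" ] && fpr_ok=1
                ;;
        esac
    done
    if [ "$goodsig" = 1 ] && [ "$fpr_ok" = 1 ]; then echo accept; else echo reject; fi
}

# verify_release: the real procedure for a downloaded SHA256SUMS.asc.
# --ignore-missing stops sha256sum from failing on the other platforms'
# binaries (the "No such file or directory" lines in the question).
# Needs gpg and the release key imported; not exercised by the test below.
verify_release() {
    gpg --status-fd 1 --verify SHA256SUMS.asc 2>/dev/null \
        | sig_decision "$EXPECTED_FPR" | grep -qx accept || return 1
    sha256sum --ignore-missing --check SHA256SUMS.asc
}

# Constructed status output modelled on the question: good signature by the
# pinned key, but no trust path (TRUST_UNDEFINED).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 90C8019E36C2E964 Wladimir J. van der Laan (Bitcoin Core binary release signing key)
[GNUPG:] VALIDSIG 01EA5486DE18A882D4C2684590C8019E36C2E964 2020-06-03 1591178392 0 4 0 1 8 00 01EA5486DE18A882D4C2684590C8019E36C2E964
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: tampered file, signature does not verify at all.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 90C8019E36C2E964 Wladimir J. van der Laan (Bitcoin Core binary release signing key)'

# printf '%s\n' "$SAMPLE_GOOD" | sig_decision "$EXPECTED_FPR"   # prints: accept
```

A GOODSIG from some other key whose fingerprint is not the pinned one is rejected too, which is the case the trust warning cannot catch on its own.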
