AnswerBun.com

Any idea why Bitcoin Core signature is untrusted?

Bitcoin Asked by Dennis Concepción Martín on October 24, 2021

It’s suppose to be a trusted signature, right?. I’m downloading Bitcoin Core from bitcoin.org

gpg --import laanwj-releases.asc
gpg: key 90C8019E36C2E964: 51 firmas no comprobadas por falta de claves
gpg: clave 90C8019E36C2E964: "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <[email protected]>" sin cambios
gpg: Cantidad total procesada: 1
gpg:              sin cambios: 1

sha256sum --check SHA256SUMS.asc
sha256sum: bitcoin-0.20.0-aarch64-linux-gnu.tar.gz: No such file or directory
bitcoin-0.20.0-aarch64-linux-gnu.tar.gz: FAILED open or read
sha256sum: bitcoin-0.20.0-arm-linux-gnueabihf.tar.gz: No such file or directory
bitcoin-0.20.0-arm-linux-gnueabihf.tar.gz: FAILED open or read
sha256sum: bitcoin-0.20.0-osx64.tar.gz: No such file or directory
bitcoin-0.20.0-osx64.tar.gz: FAILED open or read
sha256sum: bitcoin-0.20.0-osx.dmg: No such file or directory
bitcoin-0.20.0-osx.dmg: FAILED open or read
sha256sum: bitcoin-0.20.0-riscv64-linux-gnu.tar.gz: No such file or directory
bitcoin-0.20.0-riscv64-linux-gnu.tar.gz: FAILED open or read
sha256sum: bitcoin-0.20.0.tar.gz: No such file or directory
bitcoin-0.20.0.tar.gz: FAILED open or read
sha256sum: bitcoin-0.20.0-win64-setup.exe: No such file or directory
bitcoin-0.20.0-win64-setup.exe: FAILED open or read
sha256sum: bitcoin-0.20.0-win64.zip: No such file or directory
bitcoin-0.20.0-win64.zip: FAILED open or read
sha256sum: bitcoin-0.20.0-x86_64-linux-gnu.tar.gz: No such file or directory
bitcoin-0.20.0-x86_64-linux-gnu.tar.gz: FAILED open or read
sha256sum: WARNING: 20 lines are improperly formatted
sha256sum: WARNING: 9 listed files could not be read

gpg --verify SHA256SUMS.asc
gpg: Firmado el mié  3 jun 10:59:52 2020 WEST
gpg:                usando RSA clave 90C8019E36C2E964
gpg: Firma correcta de "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <[email protected]>" [desconocido]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

One Answer

When you import a key, you can mark it as trusted. Usually, you would do this after meeting the owner of a key and verifying that they actually control the key, e.g. at a CryptoParty. Since it is infeasible for each user to verify every other user in person, PGP/GPG leverages a "web-of-trust" to establish connections between keys. E.g. Alice has met Bob and trusts Bob's key. Bob has signed Carol's key, so Alice transitively trusts that Carol's key to some degree. There are some issues with the reliability and assumptions of this approach, but that's how it works.

Anyway, what GPG is telling you here is that the package you have downloaded was indeed signed by the key you checked against, but it warns you that you have not verified the authenticity of the signing key.

Answered by Murch on October 24, 2021

Add your own answers!

Related Questions

Bitcoind daemon: error connecting to the server?

1  Asked on October 24, 2021 by komputer

       

Cannot open dump wallet file (code-8)

1  Asked on October 24, 2021 by requim

       

Opening a wallet with bitcoind

2  Asked on October 24, 2021 by steve-merriman

   

How can I download a single Bitcoin block?

1  Asked on October 24, 2021 by seonguk-park

     

What are “leaf versions” in Taproot?

2  Asked on October 24, 2021 by bertram-lund

   

Cannot start C-lightning after reboot

1  Asked on October 24, 2021 by jodobear

     

ElectrumX server as a Tor hidden service

1  Asked on October 24, 2021 by taghi

     

Ask a Question

Get help from others!

© 2022 AnswerBun.com. All rights reserved. Sites we Love: PCI Database, MenuIva, UKBizDB, Menu Kuliner, Sharing RPP, SolveDir