SECURITY: Signature Check Out of Date

[shannona]

I see the downloading of the old laanwj signature file (curl https://bitcoincore.org/laanwj-releases.asc -o ~/.gordian/BitcoinCore/laanwj-releases.asc -s ), which is obsolete as of 22.0. We can no longer count on that signature being used for a release (though it is for 22.0). I don't see how it's used.

Here's the new verification procedure used in the Bitcoin Standup script for 22.0:

sudo -u standup wget https://bitcoincore.org/bin/$BITCOIN/SHA256SUMS.asc -O ~standup/SHA256SUMS.asc
sudo -u standup wget https://bitcoincore.org/bin/$BITCOIN/SHA256SUMS -O ~standup/SHA256SUMS

sudo -u standup wget https://raw.githubusercontent.com/bitcoin/bitcoin/master/contrib/builder-keys/keys.txt -O ~standup/keys.txt
sudo -u standup  sh -c 'while read fingerprint keyholder_name; do gpg --keyserver hkps://keys.openpgp.org --recv-keys ${fingerprint}; done < ~standup/keys.txt'

# Verifying Bitcoin: Signature
echo "$0 - Verifying Bitcoin."

export SHASIG=`sudo -u standup /usr/bin/gpg --verify ~standup/SHA256SUMS.asc ~standup/SHA256SUMS 2>&1 | grep "Good signature"`
export SHACOUNT=`sudo -u standup /usr/bin/gpg --verify ~standup/SHA256SUMS.asc ~standup/SHA256SUMS 2>&1 | grep "Good signature" | wc -l`

if [[ "$SHASIG" ]]
then

    echo "$0 - SIG VERIFICATION SUCCESS: $SHACOUNT GOOD SIGNATURES FOUND."
    echo "$SHASIG"

else

    (>&2 echo "$0 - SIG VERIFICATION ERROR: No verified signatures for Bitcoin!")

fi

[Fonta1n3]

Excellent, works a treat, thanks.

[shannona]

Looks good. I sent a doc pr #131 to describe GPG installation and checksum and signature checking as part of the install.