bitcoin-dot-org / Bitcoin.org

Bitcoin.org Website
https://bitcoin.org/

Full-node releases-page does not reference any valid gpg-keys to verify the releases #3888

Open v2b1n opened 2 years ago

v2b1n commented 2 years ago

Dear Bitcoin.org release-team,

the current full-node release-page does not reference any currently valid gpg-release keys:

https://bitcoin.org/en/full-node#linux-instructions

The referenced release key

(primary key fingerprint)
01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

of Wladimir J. van der Laan with the download link https://bitcoin.org/laanwj-releases.asc expired already in February 2022.

The current key of Wladimir(?) that was used for signing the release is the

(primary key fingerprint)
71A3 B167 3540 5025 D447  E8F2 7481 0B01 2346 C9A6

Only by explicit comparison of the old and new keys can one find that the old key is cross-signed by the new key.

Please update the full-node page -

Cobra-Bitcoin commented 2 years ago

Thanks for catching this.

cyclotron3k commented 7 months ago

The original key isn't just expired, it's revoked. But more importantly, I'm trying the newer key and I'm seeing this:

gpg: Signature made Fri 26 May 2023 03:46:27 AEST
gpg:                using RSA key 9DEAE0DC7063249FB05474681E4AED62986CD25D
gpg: BAD signature from "Wladimir J. van der Laan <laanwj@protonmail.com>" [unknown]

...which is a bit worrying.
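
An added example, not part of the thread and not Bitcoin.org's or Bitcoin Core's own tooling: the human-readable gpg output above names the signing key, which need not be the primary fingerprint a release page lists, so a verification script can instead parse the lines printed by `gpg --status-fd 1 --verify <signature file>` and compare the primary-key field of `VALIDSIG` against a pinned fingerprint. The status samples are constructed, the pairing of the signing key with the 71A3… primary key is an assumption, and a single signature per file is assumed.

```python
# Added example: decide on gpg's machine-readable status lines, not its prose.
# Fingerprints are the ones quoted in the thread; the status samples below are
# constructed, and single-signature input is assumed.
PINNED_PRIMARY = "71A3 B167 3540 5025 D447  E8F2 7481 0B01 2346 C9A6"
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def check_status(status_text, pinned=PINNED_PRIMARY):
    """Return (ok, reason) for one signature's --status-fd output."""
    pinned = pinned.replace(" ", "").upper()
    good, primary = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            # A VALIDSIG line can accompany EXPKEYSIG/REVKEYSIG, so reject first.
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(args) >= 10:
            # args[0] is the signing (sub)key; args[9] is the primary key.
            primary = args[9].upper()
    if not good or primary is None:
        return False, "no good signature"
    if primary != pinned:
        return False, "unpinned primary key " + primary
    return True, "good signature, pinned primary key"

SUBKEY = "9DEAE0DC7063249FB05474681E4AED62986CD25D"
NEW = "71A3B16735405025D447E8F274810B012346C9A6"
OLD = "01EA5486DE18A882D4C2684590C8019E36C2E964"
UID = "Constructed Signer <signer@example.invalid>"

# Constructed: the SUBKEY -> NEW pairing is assumed for illustration.
GOOD_SAMPLE = (f"[GNUPG:] GOODSIG {SUBKEY[-16:]} {UID}\n"
               f"[GNUPG:] VALIDSIG {SUBKEY} 2023-05-25 1685036787 0 4 0 1 10 00 {NEW}\n")
BAD_SAMPLE = f"[GNUPG:] BADSIG {SUBKEY[-16:]} {UID}\n"
EXPIRED_SAMPLE = (f"[GNUPG:] EXPKEYSIG {OLD[-16:]} {UID}\n"
                  f"[GNUPG:] VALIDSIG {OLD} 2022-03-01 1646092800 0 4 0 1 8 00 {OLD}\n")

if __name__ == "__main__":
    for name in ("GOOD_SAMPLE", "BAD_SAMPLE", "EXPIRED_SAMPLE"):
        print(name, check_status(globals()[name]))
```

A `BADSIG` result means the signed data or the signature does not match, which is a different failure from an expired or revoked key and should stop the install rather than prompt a key refresh.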