how do i confirm the bitcoin core release that i’ve downloaded using the individual developer’s keys (using gpg)?

i’ve confirmed the SHA256 checksum, but i’m unsure how to do all this gpg stuff

Discussion

should be as simple as gpg --verify SHA256SUMS.txt, assuming you have the SHA256SUMS.txt.asc in the same directory.

i did: gpg --verify SHA256.asc

but it’s giving me a bunch of “can’t check signature: no public key”

do i have to add all the dev keys somehow? 🤔

yes you’ll need to import their keys:

pbpaste | gpg --import

hmmm but where do i actually get their keys from?

the link on the bitcoincore.org website guide for the builder keys is broken, so it seems like they've moved / changed that .txt file in the repo

(https://github.com/bitcoin/bitcoin/tree/master/contrib/builder-keys/keys.txt)

i had a look around and i found these:

https://github.com/bitcoin-core/guix.sigs/tree/main/builder-keys

but they look like way longer keys? with a different structure?

hence all my confusion 😬😅
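
Added example, not part of the thread and not Bitcoin Core's own tooling: a signature file with several signers produces one result per signer, and the "no public key" lines simply mark signers whose keys have not been imported yet. The sketch below sorts gpg's machine-readable status output into those groups; the status lines, key IDs and fingerprints are constructed, and the `pinned` set and `minimum` threshold are hypothetical local policy choices.

```python
# Added example. All key IDs and fingerprints below are constructed.
# Input: the status stream printed by
#   gpg --status-fd 1 --verify SHA256SUMS.txt.asc SHA256SUMS.txt
# (file names as used in the thread).
FPR_A, FPR_B = "A" * 40, "B" * 40          # constructed fingerprints
SAMPLE = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 1111111111111111 1 10 00 1704067200 9 " + "C" * 40,
    "[GNUPG:] NO_PUBKEY 1111111111111111",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Builder One",
    f"[GNUPG:] VALIDSIG {FPR_A} 2024-01-01 1704067200 0 4 0 1 10 00 {FPR_A}",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Constructed Builder Two",
    f"[GNUPG:] VALIDSIG {FPR_B} 2024-01-01 1704067200 0 4 0 1 10 00 {FPR_B}",
])

def summarize(status_text, pinned):
    """Group every signature in the status stream by outcome.

    pinned: full primary-key fingerprints you chose to trust after
            checking them against a source other than the download.
    """
    result = {"trusted": [], "unpinned": [], "missing_key": [], "bad": []}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                        # human-readable chatter
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint when gpg emits it;
            # field 1 is the fingerprint of the key that signed.
            fpr = args[9] if len(args) >= 10 else args[0]
            bucket = "trusted" if fpr in pinned else "unpinned"
            result[bucket].append(fpr)
        elif keyword == "NO_PUBKEY" and args:
            result["missing_key"].append(args[0])   # key not imported
        elif keyword == "BADSIG" and args:
            result["bad"].append(args[0])           # file or sig altered
    return result

def release_ok(result, minimum=2):
    """Accept only with no bad signature and enough pinned signers."""
    return not result["bad"] and len(set(result["trusted"])) >= minimum

if __name__ == "__main__":
    print(summarize(SAMPLE, pinned={FPR_A}))
```

A signature that verifies against a key you imported but never pinned lands in `unpinned`, which keeps "good signature from some key in the keyring" separate from "good signature from a builder you decided to trust".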