How to verify the Bitcoin core software? Wait! “Do I need to verify the software? I downloaded Bitcoin core from the official website bitcoin.org and I never checked the keys nor verified the release signatures previously”.
Should I verify Bitcoin Core?
Not just Bitcoin core. You should verify every software before you install it on your computer. Especially if it is your primary PC that contains wallet, secret keys and other personal information.
Previously we’ve made few guides on verifying wallet softwares.
Here is how to verify electrum signatures – check if electrum is legit
Verifying signatures of Trezor suite binaries
Check hash and verify PGP signature of Ledger Live app
And lastly here is how to verify MD5, SHA256 checksum of any wallet or software.
If you’re familiar with those guide then you should also know how to verify Bitcoin core client.
Why verify Bitcoin core?
Verifying the downloaded files is optional but is highly recommended. By verifying the Bitcoin core binaries you are making sure that you have not downloaded a malicious or tampered version of the Bitcoin wallet which may result in loss of funds.
Whether you download Bitcoin core from bitcoin.org website or bitcoincore.org website you need to verify the client before installing. Because there are a number of ways an attacker could modify the files which you downloaded from the official Bitcoin website.
For example: An attacker can compromise the bitcoincore.org or bitcoin.org website and modify the information hosted on that page for their own benefit. They can launch a fake phishing website and do a man-in-the-middle attack on people who are visiting the original Bitcoin website.
In some way the attacker can trick you into downloading the fake Bitcoin client, basically a clone of Bitcoin wallet containing a malicious bug. Nothing happens with the download, its only when you install and run the software the problem arises. The malicious program could steel all of your coins, may wipe your computer clean and even might place a bug in your machine that launch attacks on the Bitcoin network or that acts as a surveillance tool.
The verification applies to the downloaded file and you need to perform verification before you install it on your computer. Once you install it its too late to take advantage of the verification. If the software which you’ve installed was a compromised version then it could have already done the damage. So whether you’re installing Bitcoin core for the first time or updating the software to the latest version it is highly recommended that you verify the software after downloading. Only proceed with the installation after successful verification.
So how do you verify the Bitcoin core software? Validating checksum and verifying bitcoin core release signing keys.
Verifying Bitcoin Core Binaries
Not everyone prefers Bitcoin core. It is one of the first wallets out there and mostly who runs full node uses Bitcoin core software. Being an open source project the source code is available for anyone to review. However, it is important to ensure that the code you are using has not been tampered with or modified in any way. One way to do this is by verifying the digital signatures of the official Bitcoin Core binaries.
Here we’ll explain how to verify the signature of Bitcoin Core binaries, as well as how to ensure that the signature is valid.
How download and verify the Bitcoin Core wallet.
You can download bitcoin core from the following sites:
Bitcoin Home page: https://bitcoin.org/en/download
Or
Bitcoin Core website: https://bitcoincore.org/en/download/
For some reason bitcoin.org website have not updated to the latest release. It still displays Bitcoin Core 22.0. The latest Bitcoin core version 24.0.1 is now available from:
https://bitcoincore.org/en/download/
This latest release includes new features, various bug fixes and performance improvements. The software is available for Windows, Mac as well as Linux. However, the following guide is for Windows. Anyways the steps to verify the signature of the Bitcoin software is same for both Linux as well as MacOS.
Choose your OS and download either the .exe file or the zip file.
Along with that also download the following to the same location where you downloaded Bitcoin core.
SHA256 binary hashes
SHA256 hash signatures
You should download the bitcoin-<version>-<architecture>.<tar.gz|zip|exe>, SHA256SUMS.asc and SHA256SUMS file from the official source.
Now you have all the files needed to verify the software.
Let’s start by verifying the checksum hash of the downloaded file. The file SHA256SUMS has the checksum hashes of the binaries which is a unique value that represents the contents of the file. Right click SHA256SUMS and open it in a text editor or notepad++. You’ll see lines similar to this.
537e066b952b35b169259b6c4061bb59fa65034415d4b308a5f39b83e8a49b02 bitcoin-24.0.1-aarch64-linux-gnu-debug.tar.gz 0b48b9e69b30037b41a1e6b78fb7cbcc48c7ad627908c99686e81f3802454609 bitcoin-24.0.1-aarch64-linux-gnu.tar.gz a45ea04386b93f3cf168e6740a265b69312081ebd834e10dc2f7fc974da71711 bitcoin-24.0.1-arm-linux-gnueabihf-debug.tar.gz 37d7660f0277301744e96426bbb001d2206b8d4505385dfdeedf50c09aaaef60 bitcoin-24.0.1-arm-linux-gnueabihf.tar.gz 4cc2fe2e2f5e6068ecbf922564f2356a5388e4d00d8f852062f589b9577a21de bitcoin-24.0.1-arm64-apple-darwin.dmg 490db50df212edf26d08523a5515ecd3ebb3580b671ee5e7c039f04e065f2e4c bitcoin-24.0.1-arm64-apple-darwin-unsigned.dmg 52c2bbf4cb67f4a0e68891844f605f12ff09b3b414985614f7c886561a3887cb bitcoin-24.0.1-arm64-apple-darwin-unsigned.tar.gz 90ed59e86bfda1256f4b4cad8cc1dd77ee0efec2492bcb5af61402709288b62c bitcoin-24.0.1-arm64-apple-darwin.tar.gz 68c0e5bd44e5e6ab2e1e0fe3dff2f8707cbce0c7c480c195c8ec484f65efa3d7 bitcoin-24.0.1-codesignatures-24.0.1.tar.gz 12d4ad6dfab4767d460d73307e56d13c72997e114fad4f274650f95560f5f2ff bitcoin-24.0.1.tar.gz 91c2c7e1721e7e49b2000c748d8da856635e8bff517a4da10ab099a9f1c2dcbb bitcoin-24.0.1-powerpc64-linux-gnu-debug.tar.gz 7590645e8676f8b5fda62dc20174474c4ac8fd0defc83a19ed908ebf2e94dc11 bitcoin-24.0.1-powerpc64-linux-gnu.tar.gz 097d847e24a0245483b803dbca84cbf97cdf71d3bdafdd42747437e6ca394523 bitcoin-24.0.1-powerpc64le-linux-gnu-debug.tar.gz 79e89a101f23ff87816675b98769cd1ee91059f95c5277f38f48f21a9f7f8509 bitcoin-24.0.1-powerpc64le-linux-gnu.tar.gz 8addb8f638891af3d82602def0036916cfdc137a7cfaf876536d0ff79a95eb11 bitcoin-24.0.1-riscv64-linux-gnu-debug.tar.gz 6b163cef7de4beb07b8cb3347095e0d76a584019b1891135cd1268a1f05b9d88 bitcoin-24.0.1-riscv64-linux-gnu.tar.gz 0c3359c6700b30d0973cb6baa3dd93933e772ab56ed5eebcf509249d6c9f8b34 bitcoin-24.0.1-x86_64-apple-darwin.dmg 695adfe105f3e34989c5a5c19aa15a39ebcd288e0ae0ea9f4650d32cea0a2ead bitcoin-24.0.1-x86_64-apple-darwin-unsigned.dmg 31c272a5c4c6d5ee14cdcc3cf8e45e5319efdcdf57de62be59a7dd724265154d bitcoin-24.0.1-x86_64-apple-darwin-unsigned.tar.gz e2f751512f3c0f00eb68ba946d9c829e6cf99422a61e8f5e0a7c109c318674d0 bitcoin-24.0.1-x86_64-apple-darwin.tar.gz 10358db0e478f88d7c43de9fb6651e052164d0055fddcf32fb7d3e82ef63f0da bitcoin-24.0.1-x86_64-linux-gnu-debug.tar.gz 49df6e444515d457ea0b885d66f521f2a26ca92ccf73d5296082e633544253bf bitcoin-24.0.1-x86_64-linux-gnu.tar.gz be3f8bcbe5998209acfca8e1f253b58b5b74b2ca47515d3966b50de5078feec7 bitcoin-24.0.1-win64-setup.exe 0b7a829f8f768b60494818040f64fec525f93928b71404d76d04a216ebed1f28 bitcoin-24.0.1-win64-debug.zip ebd8643c3e6ee1d6f09f792351b8557b826d1ebb9ecc07b8eeabf0b2ab2ab197 bitcoin-24.0.1-win64-setup-unsigned.exe 9a81222ac1c925ccc008014d41f7e5962a49b57a34cd7d203c896a489abe064f bitcoin-24.0.1-win64-unsigned.tar.gz 8784ce304f22c495392d3adfd7fc2c645d093db9bd4d42666c41adf540539fff bitcoin-24.0.1-win64.zip
Now you need to calculate the checksum of the file which you downloaded and compare it to the value shown in SHA256SUMS file. If it matches then checksum validation is success.
There are several MD5 and sha256sum utility tools online to calculate the checksum of a file. We’ll not get into that. Instead its just a simple command line which you can enter it in Windows power shell.
First navigate to the folder where you have the files downloaded. Shift + Right Click and choose open PowerShell Window here which will open the Windows PowerShell.
Now all you need to do is type
CertUtil -hashfile name-of-the-bitcoin-file sha256
For example it should look like this:
CertUtil -hashfile bitcoin-24.0.1-win64-setup.exe sha256
Hit enter and it will display the hash result:
SHA256 hash of bitcoin-24.0.1-win64-setup.exe: be3f8bcbe5998209acfca8e1f253b58b5b74b2ca47515d3966b50de5078feec7 CertUtil: -hashfile command completed successfully.
That’s it! Now copy the hash and check if the hash matches to the one shown in SHA256SUMS file. Note the following file contains checksum hashes of all the binaries. Make sure the checksum hash produced by your command line window “be3f8bcbe5998209acfca8e1f253b58b5b74b2ca47515d3966b50de5078feec7” matches with the hashes listed in the checksum file. Make sure it’s the exact same file name. In this case it is “bitcoin-24.0.1-win64-setup.exe”.
That’s it! If the file you downloaded hashes to the list of already verified hashes, then the file is valid.
To know more about verifying MD5 and SHA256 checksums please refer to this article: https://coinguides.org/verify-md5-sha256-checksum/
Wait! Don’t go ahead and install yet. We have one more step. So far we’ve only verified the checksum to see if the hash matches. But we still do not know whether or not the hashes are trustworthy. Only after verifying that you can consider that the file itself is trustworthy and safe to use.
The file SHA256SUMS has the checksum hashes of the binaries. The file SHA256SUMS on Bitcoincore.org website is verified and is signed by several key signers cryptographically. The signatures of those who signed the file SHA256SUMS is stored in SHA256SUMS.asc file. To complete the verification of the Bitcoin file which you downloaded you need to verify the signature, that is you need to verify SHA256SUMS with SHA256SUMS.asc file.
Why verify release signatures?
Validating hash of the file is fine. In case if the attacker replaced the executable with a malicious one then hash verification fails and you’ll know the file has been tampered with. But what if the attacker has compromised the website, got access to the hosting of the website and managed to replace both the installer file and the checksum file. To make sure you are running a safe software and it is not a bad version replaced by some attacker; it is also advised that you verify the release signatures in addition to validating hash.
PGP signature verification is an extra protection. By verifying signatures you can trust that the checksum file is the original file and the keys in it are not tampered by some imposter. The signatures of those who signed the file SHA256SUMS is stored in SHA256SUMS.asc file. We hope you have the file SHA256SUMS.asc downloaded as well.
To verify the signatures that is to verify Bitcoin Core Integrity using PGP you’ll need GNU Privacy Guard (GPG) installed on your computer. GPG is a free, open source implementation of the OpenPGP standard for encrypting and signing data
GnuPG
For Windows we recommend you to download Gpg4win https://www.gpg4win.org/
Download Gpg4win to your PC. (optional) Check integrity of the downloaded Gpg4win installer. Once done install gpg4win.
How signature verification works?
Once Gpg4win is installed go to program files >> Gpg4win >> bin and open kleopatra.exe
Now to verify Bitcoin Core Release Signing Keys what we’ll be doing is importing the public key of the signer into GPG software and use that to verify the signature file. If the signature is valid, then kleopatra will output a message saying that the signature is good and was made by the specified key. If the signature is invalid, it will output an error message.
Previously there use to be only single signer. All of the Bitcoin releases are signed by Wladimir J. van der Laan’s releases key with the fingerprint:
01EA 5486 DE18 A882 D4C2 6845 90C8 019E 36C2 E964
This certificate is expired meaning the developer Wladimir J. van der Laan’s no longer uses this fingerprint to sign the Bitcoin release. In fact as of Bitcoin core version 22.0 the signature verification procedure has changed. Instead of single signer there are now a number of individuals that is multiple signers each with a unique public key.
Here are the list of signers’ keys:
- 0xb10c@gmail.com:
0CCBAAFD76A2ECE2CCD3141DE2FFD5B1D88CA97D - Andrew Chow achow101@gmail.com:
152812300785C96444D3334D17565732E08E5E41 - Ben Carman benthecarman@live.com:
0AD83877C1F0CD1EE9BD660AD7CC770B81FD22A8 - Antoine Poinsot darosior@protonmail.com:
590B7292695AFFA5B672CBB2E13FC145CD3F4304 - Duncan Dean duncangleeddean@gmail.com:
28F5900B1BB5D1A4B6B6D1A9ED357015286A333D - Stephan Oeste stephan@oeste.de:
637DB1E23370F84AFF88CCE03152347D07DA627C - Michael Ford fanquake@gmail.com:
CFB16E21C950F67FA95E558F2EEB9F5CC09526C1 - Oliver Gugger gugger@gmail.com:
6E01EEC9656903B0542B8F1003DB6322267C373B - Hennadii Stepanov hebasto@gmail.com:
D1DBF2C4B96F2DEBF4C16654410108112E7EA81F - Jon Atack jon@atack.com:
82921A4B88FD454B7EB8CE3C796C4109063D4EAF - Wladimir J. van der Laan laanwj@gmail.com:
9DEAE0DC7063249FB05474681E4AED62986CD25D - Willy Ko willyk@syscoin.org:
79D00BAC68B56D422F945A8F8E3A8F3247DBCBBF - vertion vertion@protonmail.com:
28E72909F1717FE9607754F8A7BEB2621678D37D - Sjors Provoost sjors@sprovoost.nl:
ED9BDF7AD6A55E232E84524257FF9BDBCC301009 - Pieter Wuille pieter@wuille.net:
3EB0DEE6004A13BE5A0CC758BF2978B068054311 - jackielove4u jackielove4u@hotmail.com:
287AE4CA1187C68C08B49CB2D11BD4F33F1DB499 - Oliver Gugger gugger@gmail.com:
F4FC70F07310028424EFC20A8E4256593F177720 - unknown:
9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C - Will Clark will8clark@gmail.com:
74E2DEF5D77260B98BC19438099BAD163C70FBFA
Signers keys can be verified here, its listed in the bitcoin/bitcoin repository : https://github.com/bitcoin/bitcoin/blob/master/contrib/builder-keys/keys.txt
These are each of the developer public keys that signed the checksums file.
To validate the signature of the file you don’t have to load all of these public keys into your GPG key database.
You can import the key of just one of the Bitcoin core devs you trust, but choosing multiple individuals from the list is better. We’ll be using their keys to check the signature attesting to the validity of the checksum file which you previously used to verify the binaries.
Steps to verify the signature – Ensuring the signature is valid
Now before we import the keys open kleopatra, click decrypt / verify, navigate to the download folder and open the SHA256SUMS file.
Upon opening it’ll start to verify SHA256SUMS’ with ‘SHA256SUMS.asc’
Once verification is done you’ll see the following result:
Verified ‘SHA256SUMS’ with ‘SHA256SUMS.asc’: 12 signatures could not be verified.
Meaning the file has been verified but the signatures could not be verified. You need to import any one of the developer keys. You can search the certificate on a keyserver or import it from a file.
If the verification fails then you’ll get this as result:
Verified ‘SHA256SUMS’ with ‘SHA256SUMS.asc’: Verification failed
It means the file has been tampered with and do not proceed with the installation.
Click search on any one of the fingerprint shown on the right side. It’ll start to lookup on server. Once the search is complete it’ll display their name, email and other information. Select it and click import.
Before you import check that the public key you are importing actually belongs to the Bitcoin core team.
The keys are listed at Github bitcoin/bitcoin repository : https://github.com/bitcoin/bitcoin/blob/master/contrib/builder-keys/keys.txt
And is also available on the Bitcoin.org website. Make sure the fingerprint which you are importing matches the one listed on the website.
It is also recommended that you verify the signatures and hashes of the binaries from multiple sources and developer signatures. Instead of importing just one key, import keys of multiple bitcoin devs that you trust.
After you import the certificate you’ll get a message saying “You have imported a new certificate (public key).
In order to mark the certificate as valid (green) it needs to be certified. Certifying means that you check the Fingerprint. Some suggestions to do this are: A phone call to the person. Using a business card. Confirming it on a trusted website. Do you wish to start this process now?
Click cancel for now. We’ll verify the certificate later.
It’ll still import the certificate. Only it is not certified yet. If you verify the files now SHA256SUMS with SHA256SUMS.asc you’ll get the following result:
Verified ‘SHA256SUMS’ with ‘SHA256SUMS.asc’: 12 signatures could not be verified. Signature created on Wednesday, December 07, 2022 10:00:36 PM With certificate: Andrew Chow <andrew@achow101.com> (1756 5732 E08E 5E41) The used key is not certified by you or any trusted person.
Do not worry about the warning that says “The used key is not certified by you or any trusted person”
What GnuPG basically telling you is that the signature corresponds to that public key (your file has a valid signature and wasn’t tampered with), however it doesn’t know if that public key is trustworthy yet.
It means you do not have a trusted signature yet. All you did was downloaded the signature from the internet (from Github bitcoin/bitcoin repository) and you do not know the person personally and he didn’t hand you his fingerprint.
Anyways since you can verify the keys from both Bitcoin website and Github https://github.com/bitcoin/bitcoin/blob/master/contrib/builder-keys/keys.txt you can trust them.
As of now we’re done with the signature verification. The next step is optional.
Certify Certificate
To certify other certificates, you first need to create an OpenPGP certificate for yourself.
Open kleopatra go to file >> New Open PGP key pair. Enter your name, email, click advanced settings choose expire to never expire and click OK.
You’ve created an OpenPGP certificate for yourself which you can use to certify other certificates, encrypt files etc.
Once the certificate is created you’ll get a success message stating “A new open PGP certificate was created successfully” along with the fingerprint of your new certificate. Click OK.
Now navigate to certificates tab and choose the certificate of Bitcoin dev which you imported but not certified yet. Right click and choose certify. It’ll show the fingerprint of the developer. Verify the fingerprint and certify with your ID.
Now if you decrypt / verify SHA256SUMS with SHA256SUMS.asc you’ll get the following output:
Verified ‘SHA256SUMS’ with ‘SHA256SUMS.asc’: 12 valid signatures. Signature created on Wednesday, December 07, 2022 10:00:36 PM With certificate: Andrew Chow <andrew@achow101.com> (1756 5732 E08E 5E41) The signature is valid and the certificate's validity is fully trusted
Even though if you’ve imported only one certificate it’ll show as 12 valid signatures.
Click show audit log for more info:
You should see a line that states:
Signature made 07-Dec-22 10:00:36 PM gpg: using RSA key 152812300785C96444D3334D17565732E08E5E41 (primary key fingerprint) gpg: issuer "andrew@achow101.com" Good signature from "Andrew Chow <andrew@achow101.com>"
That’s it! We’ve successfully verified that the checksum file is PGP signed by one of the release signing key. Now you can be sure that the Bitcoin Core binary you are using has not been tampered with and is safe to use. To maintain the security and integrity of the Bitcoin network it is important that you verify the signature whenever you download a new release.
Wrap up:
What we basically did was downloaded the installer file, the checksum file and the signature file. The signature file SHA256SUMS.asc contains information about the keys that was used to sign the file SHA256SUMS.
The file SHA256SUMS contains bunch of hashes for each binaries released by the Bitcoin developers. All those hashes are cryptographically signed by the developers.
First we computed the SHA256 hash of the Bitcoin file you downloaded, and ensured that the computed hash matches the one listed in the SHA256SUMS file.
Next to ensure that then checksum text file that is SHA256SUMS is not tampered with we additionally did signature verification of this file so we can trust those hashes within the file. We verified Bitcoin Core Integrity using PGP. We used PGP to verify the signature and made sure the file is legit.
Now that the verification process is over you can go ahead and safely install Bitcoin core on your computer.
