HomePhabricator

Add instructions for verifying download integrity against release signer keys

Description

Add instructions for verifying download integrity against release signer keys

Summary:
The current process for verifying Bitcoin ABC binaries is unclear.
An example of how users experience this can be seen here: https://old.reddit.com/r/btc/comments/egj10s/where_can_i_find_bitcoin_abc_pgp_keys/
However, that example only scratches the surface as there are multiple issues here:

  1. The keys are not easy to find/download.
  2. Having some copy of the key fingerprints has no gaurantees against tampering of the fingerprints out of the box.
  3. While verifying the binary hashes match the signature file(s) is easy, not all users verify the integrity of the signature files themselves.

This patch is a good first step to help tackling the above issues. It provides a mechanism for users to easily identify
tampering in any part of the download process, given that they are not downloading a fresh copy of the release keys.
If the later cannot be assumed, the user is provided with the necessary tools to do so for future downloads.

Test Plan:
Version 0.20.11+:

# test a similar set of commands on locally-generated source package
ninja package_source
VERSION="0.20.11"
KEYS_FILE="bitcoin-abc-${VERSION}/contrib/gitian-signing/keys.txt"
# tweaked the line below since no release currently contains keys.txt
tar -zxOf <build-dir>/bitcoin-abc-0.20.11.tar.gz "${KEYS_FILE}" | while read FINGERPRINT _; do gpg --recv-keys "${FINGERPRINT}"; done

Earlier versions:

  1. Download any number of binaries from https://download.bitcoinabc.org/0.20.9/<platform>
  2. Download signature files from https://download.bitcoinabc.org/0.20.9/
  3. Follow the second set of instructions for earlier versions.

Reviewers: #bitcoin_abc, deadalnix, Fabien

Reviewed By: #bitcoin_abc, Fabien

Subscribers: Fabien

Differential Revision: https://reviews.bitcoinabc.org/D4807

Details

Provenance
jasonbcoxAuthored on Dec 30 2019, 19:58
deadalnixPushed on Jan 21 2020, 21:37
Reviewer
Restricted Project
Differential Revision
D4807: Add instructions for verifying download integrity against release signer keys
Parents
rSTAGING6a8966258c7c: Bump version to 0.20.12
Branches
Unknown
Tags
Unknown