Bitcoin.org icon indicating copy to clipboard operation
Bitcoin.org copied to clipboard
verified publisher icon bitcoin-dot-org

Full-node releases-page does not reference any valid gpg-keys to verify the releases

Open v2b1n opened this issue 3 years ago • 2 comments

Dear Bitcoin.org release-team,

the current full-node release-page does not reference any currently valid gpg-release keys

https://bitcoin.org/en/full-node#linux-instructions

The referenced release key

(primary key fingerprint)
01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

of Wladimir J. van der Laan with the dowload-link https://bitcoin.org/laanwj-releases.asc expired already in February 2022.

The current key of Wladimir(?) that was used for signing the release is the

(primary key fingerprint)
71A3 B167 3540 5025 D447  E8F2 7481 0B01 2346 C9A6

Only by explicit comparison of the old and new keys one can find that the old key is cross-signed by the new key.

Please update the full-node page -

  • the key fingerprint
  • the download-link to the new key

v2b1n avatar Jun 07 '22 20:06 v2b1n

Thanks for catching this.

Cobra-Bitcoin avatar Jun 08 '22 21:06 Cobra-Bitcoin

The original key isn't just expired, it's revoked. But more importantly, I'm trying the newer key and I'm seeing this:

gpg: Signature made Fri 26 May 2023 03:46:27 AEST
gpg:                using RSA key 9DEAE0DC7063249FB05474681E4AED62986CD25D
gpg: BAD signature from "Wladimir J. van der Laan <[email protected]>" [unknown]

...which is a bit worrying.

cyclotron3k avatar Apr 03 '24 10:04 cyclotron3k