Bitcoin Core is the reference client for the Bitcoin network that is built by a self-organising team of developers. Unfortunately when software is released with a decentralised team as is common with cryptocurrency and open source projects in general, there is no official business entity to sign code signatures as required by many modern operating systems.
Who Signs Bitcoin Core Releases?
To combat this problem some members of the team behind bitcoin core arranged for an official entity to be created specifically for signing releases of Bitcoin Core so you can be sure that you have an official copy. The new entity that has been set up to fulfil this purpose is the “Bitcoin Core Code Signing Association“. To quote the official site:
Bitcoin Core signs its Windows and macOS binaries with code signing certificates. Those certificates either need to be bound to an individual or a company organization. Bitcoin Core is purely an open source project and has no legal entity, thus, some of the Core Developers have founded an association with the single purpose of registering for code signing certificates.”
However another challenge with an organisation like this is effectively communicating and verifying these changes. In fact it wasn't until I went to open a new release that third party firewall software informed me that the code signature of the developer had changed from the Bitcoin Foundation to this new entity.
Verifying the Bitcoin Core Signature Change
One way to verify this change to the Bitcoin Core Code Signing Association was legitimate is by verifying the SHA256SUMs file that is released with ease new version of the software. This involves generating a hash of the released binaries through SHA256. On a Mac the command for this would look something like:
$ shasum -a 256 ~/bitcoin-binary.dmg
The resulting hash should be compared with the hash that is published in the associated SHA256SUMS.asc file. If they match then it is likely you have the correct binary release. However there is one more step you can take.
The contents of each SHA256SUMS.asc file are signed with the PGP signature of one of the Bitcoin Core developers. This is currently the Waladimir J. van der Laan (Bitcoin Core binary release signing key) with the fingerprint 01EA 5486 DE18 A882 D4C2 6845 90C8 019E 36C2 E964. If you have software like GPG Tools you can add the signing key to your keychain and verify the signed SHA256SUMS.asc file matches the official release signature.
The above steps tell you that the official Bitcoin development teams key has been used to publicly sign the release that includes the new code signature. This should provide some assurance but it can never hurt to perform some additional research and look beyond the cryptography.
In this case searching on the web for references to the Bitcoin Core Code Signing Association you can find logs from the Bitcoin Core developer chat on IRC referencing the change. It also brings up the official website of the new entity which appears to have been published via GitHub. The account which published the website is associated with another known Bitcoin developer who also appears to have registered the domain name.
So can the Bitcoin Core Code Signing Association be trusted?
Here is what we know:
- A new release has been published through the official channels.
- The file hash matches those provided by the developers.
- The hashes are signed by the official development teams keys.
- The change in signing key has been confirmed in developer chat logs.
- A site confirming the new entity has been published by another Bitcoin developer.
This is a fairly long chain of evidence that would appear to suggest that you can in fact trust this new code signing entity. But as many in the cryptocurrency space have been known to say…
“Don't Trust. Verify.”