How to securely install Bitcoin

Expectations

These instructions require that you understand how files are stored in your computer (abstractly; if you know what a directory/folder is, you’re probably okay) and how to use the command line to run programs and access files. If you don’t understand these concepts, first start with a guide explaining them to you.

Overview

There are three important steps to ensuring your install of Bitcoin is secure and free of malware:

  • Verifying the OpenPGP key(s)
  • Verifying the signature(s)
  • Verifying the file itself

Step 0: Installing GNU Privacy Guard (GPG)

Before you can begin, you will need to ensure you have the GNU Privacy Guard (GPG) tools installed. This is what does all the cryptographic verification needed to ensure your files are safe.

apt-get install gnupg
dnf install gnupg2
yum install gnupg2
emerge app-crypt/gnupg
pacman -S gnupg
apk add gnupg

Step 1: Verifying the OpenPGP key(s)

This is arguably the most difficult step of the process: you need to confirm that the key(s) you are using actually are the correct keys used by the people you trust to produce malware-free software. If you’re not careful, you could end up with a fake key for “Luke Dashjr” — which would result in checking that the fake person signed the program, not the real one!

Obtaining keys and/or fingerprints

The most secure way to verify the keys is to meet us in person and confirm the key “fingerprint”. Almost nobody memorises their key fingerprint, so it’s normal that we might have to look it up on our own laptop or phone.

Checking the fingerprint of a key file

To look at the fingerprint of a key file, you can use this command:

gpg --import-options show-only --import --with-fingerprint luke-jr.asc
pub   rsa8192 2012-03-23 [SC] [expires: 2020-06-09] 
E463 A93F 5F31 17EE DE6C 7316 BD02 9424 21F4 889F

Importing the verified key

Regardless of how you verify the key, you should make sure to remember which key you used, so you can verify the same key is used when you update in the future. Even if you skip verifying the key (not safe), at least this will ensure your updates are signed by the same person as the version you are installing today.

gpg --import < luke-jr.asc
gpg --keyserver hkp://keyserver.ubuntu.com --recv-key E463A93F5F3117EEDE6C7316BD02942421F4889F

Step 2: Verifying the signature(s)

Now that you know what key you wish to verify with, the next step is to check the signature is valid.

gpg --keyserver hkp://keyserver.ubuntu.com --refresh-key E463A93F5F3117EEDE6C7316BD02942421F4889F
gpg --verify bitcoin-core-linux-0.19-build.assert.sig
gpg: Signature made Sun 19 Jan 2020 03:47:15 AM UTC 
gpg: using RSA key E463A93F5F3117EEDE6C7316BD02942421F4889F
gpg: Good signature from “Luke Dashjr <luke@dashjr.org>” [ultimate]

Step 3: Verifying the file itself

To verify your program file, you must first take a cryptographic hash of it (essentially taking its fingerprints). This is done with a simple command (substitute the actual filename you’re verifying!). Then compare the result with the hash listed for that filename in the signed build.assert file from Step 2: it must match exactly.

Linux: sha256sum bitcoin-0.19.0.1.knots20200104-powerpc64le-linux-gnu.tar.gz
Windows: certUtil -hashfile bitcoin-0.19.0.1.knots20200104-win64.zip SHA256
macOS: shasum -a 256 bitcoin-0.19.0.1.knots20200104-osx-unsigned.dmg
d370692590c4546ac0de250da91c6c288d9ee5252f1a4b857a5b80c4e3d81149  bitcoin-0.19.0.1.knots20200104-powerpc64le-linux-gnu.tar.gz
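As an added example (not part of the original article), the script below chains the three steps with the fingerprint pinned: gpg prints “Good signature” for any key in your keyring, so it reads gpg’s machine-readable VALIDSIG status line and compares the signing key’s fingerprint to the pinned one, then compares the file’s SHA-256 with the entry for that filename in the signed build.assert manifest. It assumes the build.assert uses the gitian out_manifest layout of “<sha256>  <filename>” lines, and that gpg and sha256sum are installed.

```shell
#!/bin/sh
# Added example, not the article's own code. Usage:
#   sh verify.sh build.assert build.assert.sig bitcoin-<version>.tar.gz

# Fingerprint of the key verified in Step 1 (value taken from the article).
TRUSTED_FPR="E463A93F5F3117EEDE6C7316BD02942421F4889F"

# check_sig ASSERT_FILE SIG_FILE FINGERPRINT
# "Good signature" only means *some* key in your keyring signed the file.
# The VALIDSIG status line carries the fingerprint of the signing (sub)key
# and, as its last field, the primary key, so accept either matching.
check_sig() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
      | awk -v f="$3" '$2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
                        END { exit !ok }'
}

# check_hash ASSERT_FILE BINARY
# Hashes BINARY, prints the result in sha256sum format, and succeeds only if
# the manifest has a line "<sha256>  <basename>" with exactly that hash.
# Assumes the gitian out_manifest layout (fields separated by whitespace).
check_hash() {
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    name=$(basename "$2")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$1")
    printf '%s  %s\n' "$actual" "$name"
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Only run the full procedure when all three paths are given on the command
# line, so the functions above can also be sourced on their own.
if [ $# -eq 3 ]; then
    check_sig "$1" "$2" "$TRUSTED_FPR" \
      || { echo "FAIL: $2 was not made by the pinned key" >&2; exit 1; }
    check_hash "$1" "$3" \
      || { echo "FAIL: hash of $3 is not in the signed manifest" >&2; exit 1; }
    echo "OK: $3 matches the signed manifest"
fi
```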

Bitcoin Core developer