Merge #1646: README: add instructions for verifying GPG signatures
b682dbc README: add instructions for verifying GPG signatures (James O'Beirne)

Pull request description:

ACKs for top commit:
  sipa:
    ACK b682dbc
  jonasnick:
    ACK b682dbc

Tree-SHA512: 77ec0014e1a98e13ef38537177ea10175f064e7314e41474cd13a9c95c734ae1cca09effa2e2184a8c1495f3621e418d0df098fde4890d972d914cd7e80aa2d7
jonasnick committed Feb 10, 2025
2 parents 00774d0 + b682dbc commit 2e3bf13
Showing 1 changed file with 36 additions and 0 deletions.
36 changes: 36 additions & 0 deletions README.md
@@ -61,6 +61,42 @@ Implementation details
* Optional runtime blinding which attempts to frustrate differential power analysis.
* The precomputed tables add and eventually subtract points for which no known scalar (secret key) is known, preventing even an attacker with control over the secret key used to control the data internally.

Obtaining and verifying
-----------------------

The git tag for each release (e.g. `v0.6.0`) is GPG-signed by one of the maintainers.
For a fully verified build of this project, it is recommended to obtain this repository
via git, obtain the GPG keys of the signing maintainer(s), and then verify the release
tag's signature using git.

This can be done with the following steps:

1. Obtain the GPG keys listed in [SECURITY.md](./SECURITY.md).
2. If possible, cross-reference these key IDs with another source controlled by its owner (e.g.
social media, personal website). This is to mitigate the unlikely case that incorrect
content is being presented by this repository.
3. Clone the repository:
```
git clone https://github.com/bitcoin-core/secp256k1
```
4. Check out the latest release tag, e.g.
```
git checkout v0.6.0
```
5. Use git to verify the GPG signature:
```
% git tag -v v0.6.0 | grep -C 3 'Good signature'

gpg: Signature made Mon 04 Nov 2024 12:14:44 PM EST
gpg: using RSA key 4BBB845A6F5A65A69DFAEC234861DBF262123605
gpg: Good signature from "Jonas Nick <[email protected]>" [unknown]
gpg: aka "Jonas Nick <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366
Subkey fingerprint: 4BBB 845A 6F5A 65A6 9DFA EC23 4861 DBF2 6212 3605
```
Building with Autotools
-----------------------
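Review bot: Step 5 never says what the reader must compare the "Good signature" line against, and the pipeline `git tag -v v0.6.0 | grep -C 3 'Good signature'` hides the exit status: the shell reports grep's status rather than git's, and because git writes gpg's verification output to stderr (only the tag payload goes to stdout, which is why the sample output shows no tag object text), grep does not see those lines at all and will typically exit 1 even when the signature is good. Suggest running `git tag -v v0.6.0` on its own, checking that it exits 0, and adding a sentence that the `Primary key fingerprint: 36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366` line must match the fingerprint obtained in step 1 and cross-referenced in step 2; without that comparison a "Good signature" from any key in the reader's keyring would pass. It would also help to say that the `WARNING: This key is not certified with a trusted signature!` lines are expected unless the reader has locally certified the maintainer's key, so they are not mistaken for a verification failure.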
