24 sats \ 2 replies \ @Murch OP 22 Feb 2023 \ parent \ on: AMA: Ask Murch Anything bitcoin
A bunch of volunteers and Bitcoin Core contributors submit their own attestations to the Bitcoin Core repository. These attestations are tied to a specific commit and thus you can check that at least these attestations agree on the version they commit to. If you want to be thorough, you can set up your own Guix build and check that you arrive at the same binary yourself. This commit should correspond to the release tag signed by one of the maintainers. The PGP keys of the attesters are also held in the repository. You should import their keys and check that other keys you have encountered before certify the attester’s keys.
So, you can either trust the “social proof” of a ton of people staring at the Bitcoin Core repository, hoping that someone would raise alarm bells if attestations disagree or do not match the release commit, or you could use a web-of-trust per the PGP keys to assign a higher trust to some attestations.
Thanks for the link towards the PGP keys of the attesters. The link included in the Linux verification instructions on the Bitcoin Core website is erroneous.
reply
You may also find the Release Process documentation interesting: https://github.com/bitcoin/bitcoin/blob/master/doc/release-process.md#building
reply
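The agreement check described in this thread, as an added example that is not part of the original posts or of Bitcoin Core's own tooling. It assumes each attestation is a sha256sum-style list whose PGP signature has already been verified separately; the attester names, file name and file contents are constructed.

```python
import hashlib
from collections import defaultdict

HEX = set("0123456789abcdef")

def parse_sums(text):
    """Parse sha256sum-style lines ('<64 hex>  <name>') into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.lstrip(" *")  # sha256sum prefixes '*' in binary mode
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed line: {line!r}")
        sums[name] = digest
    return sums

def check_artifact(attestations, filename, data, trusted, min_trusted=2):
    """Compare sha256(data) with every attestation that lists `filename`.

    attestations: {attester: SHA256SUMS text}, signatures verified beforehand.
    ok is True only when no attester reports a different digest and at least
    `min_trusted` attesters from `trusted` match the local digest.
    """
    local = hashlib.sha256(data).hexdigest()
    by_digest = defaultdict(set)
    for attester, text in attestations.items():
        digest = parse_sums(text).get(filename)
        if digest is not None:
            by_digest[digest].add(attester)
    matching = by_digest.get(local, set())
    dissent = {d: sorted(a) for d, a in by_digest.items() if d != local}
    ok = not dissent and len(matching & set(trusted)) >= min_trusted
    return ok, {"local": local, "matching": sorted(matching), "dissent": dissent}

# Constructed sample data: a stand-in artifact and three hypothetical attesters.
ARTIFACT = b"constructed stand-in for a release binary"
NAME = "example-release-x86_64-linux-gnu.tar.gz"
GOOD = hashlib.sha256(ARTIFACT).hexdigest()
BAD = hashlib.sha256(b"constructed tampered binary").hexdigest()
ATTESTATIONS = {
    "alice": f"{GOOD}  {NAME}\n",
    "bob": f"{GOOD}  {NAME}\n",
    "carol": f"{GOOD} *{NAME}\n",
}

if __name__ == "__main__":
    print(check_artifact(ATTESTATIONS, NAME, ARTIFACT, trusted={"alice", "bob"}))
```

Here `trusted` stands for the attesters whose keys you have certified through your own web of trust; a single dissenting digest fails the check regardless of how many others agree.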