However, how do I actually check that the .dmg file that contains the installer is the right one?
If I run:
gpg --verify bitcoin-0.13.0-osx.dmg
I get:
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
That's because the files themselves are not PGP signed and do not have any signatures.
Greetings and thank you very much for this guide. I try to work best practices into as much of my computing as possible but using GPG has defeated my time/need/interest matrix for a while.
What files do contain the signatures that we are supposed to be verifying? The OP's guide says, "Bitcoin developers and other interested people sign every release of Bitcoin Core using gitian." I thought this meant if I download a .sig file from the gitian page on GitHub, I could run 'gpg --verify' on the new program I downloaded from bitcoin.org to verify its authenticity.
After I've imported the public PGP keys & downloaded the assert.sig file from GitHub, when I run gpg --verify I get the following:
ninjasmurf$ gpg --verify /Users/ninjasmurf/Desktop/bitcoin-dmg-signer-build.assert\(1\).sig /Users/ninjasmurf/Desktop/bitcoin-0.13.0-osx64.tar.gz
gpg: Signature made Wed Oct 14 11:04:19 2015 EDT using RSA key ID 2346C9A6
gpg: BAD signature from "Wladimir J. van der Laan <laanwj@gmail.com>" [unknown]
Why does this come back with a BAD signature?
Thanks in advance. Have a sweet day.