Bitcoin.org have issued a safety warning alongside the release of the 0.13.0 software update. They warn of ‘state sponsored attackers’ that may be looking to disrupt the upgrade process. The Chinese Bitcoin community in particular has been asked to be extra vigilant in making sure they obtain the correct binaries.
The warning post then goes on to explain how to verify that the binary you obtain has the right signature and matches the key belonging to Bitcoin Core developer Wladimir J. van der Laan. You can find Wladimir’s Bitcoin Core 0.13.0 release announced on the Bitcoin mailing list here.
A discussion ensued on Reddit following the warning, with over 200 comments ranging from conspiracy theory to the banal.
Verification and Key Signing
Verifying digital signatures is a must for all sensitive software and a task that many experienced developers are not well versed in. Qubes OS, an operating system developed to offer more control to the user, offers a detailed guide on Digital Signatures and Key Verification. The Tails project, a portable operating system for accessing and communicating through the Tor network, also offers guidance on Downloading and Verifying using OpenPGP.
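The check described above, as an added example rather than code from Bitcoin.org or the Bitcoin Core project: it accepts a download only when the checksum list was signed by a pinned key fingerprint and the file's SHA-256 matches the signed entry. It assumes a clear-signed, sha256sum-style checksum list; the fingerprint, file name and status lines are constructed placeholders.

```python
import hashlib
import re
import subprocess

# Placeholder fingerprint (constructed); pin the real one obtained out of band.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

def gpg_verified_body(signed_file):
    """Return (signed text, status lines) as emitted by gpg, so hashes are
    read only from the portion the signature actually covers."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--decrypt", signed_file],
        capture_output=True, text=True)
    return proc.stdout, proc.stderr

def valid_signers(status_text):
    """Fingerprints of primary keys named on GnuPG VALIDSIG status lines."""
    fprs = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # Last field is the primary key fingerprint when gpg reports it.
            last = parts[-1]
            fprs.add((last if re.fullmatch(r"[0-9A-Fa-f]{40,}", last) else parts[2]).upper())
    return fprs

def listed_hash(sums_text, filename):
    """SHA-256 listed for filename in sha256sum-style 'hash  name' lines."""
    for line in sums_text.splitlines():
        m = re.fullmatch(r"([0-9a-f]{64}) [ *](.+)", line.strip())
        if m and m.group(2) == filename:
            return m.group(1)
    return None

def check_release(sums_text, status_text, filename, data, pinned=PINNED_FPR):
    """True only if the pinned key signed the list and data matches its entry."""
    if pinned.upper() not in valid_signers(status_text):
        return False  # a "good signature" from any other key is not enough
    expected = listed_hash(sums_text, filename)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected

# Constructed sample inputs so the checks run without gpg or a download.
SAMPLE_DATA = b"constructed release bytes"
SAMPLE_SUMS = hashlib.sha256(SAMPLE_DATA).hexdigest() + "  release-example.tar.gz\n"
SAMPLE_STATUS = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer\n"
                 "[GNUPG:] VALIDSIG " + PINNED_FPR +
                 " 2016-08-23 1471910400 0 4 0 1 8 01 " + PINNED_FPR + "\n")

if __name__ == "__main__":
    print(check_release(SAMPLE_SUMS, SAMPLE_STATUS, "release-example.tar.gz", SAMPLE_DATA))
```

On a real download, pass the two values returned by gpg_verified_body() as sums_text and status_text, together with the bytes of the downloaded file.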
What’s New in 0.13.0?
Made it in:
- Segregated Witness testnet implementation (BIP 144)
- Compact Block support (BIP 152)
- Hierarchical Deterministic Key Generation (BIP 32)
- Child Pay For Parent
- Reindexing changes for optimised disk use
- Low level P2P, RPC and ZMQ changes
- Windows XP is no longer supported
- Internal Miner (CPU mining capabilities) has been removed
An increasing number of nodes have upgraded their software and are now running v0.13.0, as can be seen on Bitnodes.
To anyone running an implementation of the Bitcoin software, checking a GPG signature should be considered more than a best practice; it should be considered a requirement. We can only hope these warnings issued by the developers fall on well-seasoned deaf ears.