- Complete the Full Node tutorial
What you’ll learn
By the end of this tutorial you will have learned how to use digital signatures to verify the data you received came from the person who actually sent it. This is critical in Bitcoin where we need to know that the person spending bitcoins is actually authorized to spend them.
Using hashes and cryptographic signatures to verify data integrity
Bitcoin blocks are protected using proof of work powered by cryptographic hashes, but in order for someone to spend their bitcoins, they have to create a cryptographic signature that proves they own those bitcoins. The recipient and all Bitcoin full nodes verify that signature to make sure the transaction is valid.
Let’s look at verifying a cryptographic signature on a text file. This is the same principle Bitcoin uses, although the software is different. To verify anything, you first need the public key of the person who created the signature. So let’s download and import the public key of Bitcoin Core lead developer Wladimir van der Laan:
## Download Wladimir’s key wget https://bitcoin.org/laanwj-releases.asc ## Import that key in GNU Privacy Guard (GPG) gpg --import laanwj-releases.asc
Now that you have Wladimir’s key, let’s download a file that he signed—the Bitcoin Core releases file for version 0.11.0—and then verify that he actually signed it with the previously-imported key.
## Download the release file; the -O is a capital letter o wget https://bitcoin.org/bin/bitcoin-core-0.11.0/SHA256SUMS.asc -O shasums.asc ## Verify the file was signed by Wladimir gpg --verify shasums.asc
If verification worked, GPG should print text that says “Good signature from Wladimir van der Laan”. But it may also print a WARNING, as shown below:
gpg: Signature made Sun 12 Jul 2015 03:21:13 PM UTC using RSA key ID 36C2E964 gpg: Good signature from "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <firstname.lastname@example.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 01EA 5486 DE18 A882 D4C2 6845 90C8 019E 36C2 E964
Essentially this is because GPG is verifying two separate things:
Is the file signed by someone who has the private key for the entity "Wladimir J. van der Laan (Bitcoin Core binary release signing key)
Does that entity actually represent the person Wladimir J. van der Laan?
The standalone GPG by itself doesn’t have enough information to make the second assertion—it doesn’t have a data structure that represents Wladimir. If you’ve met Wladimir in person and verified that the key above actually belongs to him, GPG lets you set that key as trusted. This is not necessary for this introduction to digital signatures, but (if you’re interested) you can learn more at https://www.gnupg.org/gph/en/manual/x334.html
Now that you know the file is authentic, let’s look at it:
## Display the contents of the file cat shasums.asc
Wrapped inside the PGP header and footer should be several hashes followed by file names.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 747ad1a76ca21ef959cdf2591a7c1c987c1be97ddfc5eadc079a62a071298736 bitcoin-0.11.0-linux32.tar.gz f9d83c4de5157c4901866d9400532ac3589bf75123f952d73ce993287e38d419 bitcoin-0.11.0-linux64.tar.gz c7a5e496d7c31bdc10d2c0c79dfcf9aca69f9520579917c7d3e95868b2127707 bitcoin-0.11.0-osx64.tar.gz fa457e65662b73f3d33235c012d4bec181e2919dd2a400afaa0ff9ab4927fb89 bitcoin-0.11.0-osx.dmg 51ba1756addfa71567559e3f22331c1d908a63571891287689fff7113035d09f bitcoin-0.11.0.tar.gz 7bb285e0a3d4648f799d5daa157ee755a7418b3aa9262d0f33508d7793c13d14 bitcoin-0.11.0-win32-setup.exe 9ab9afb06e2a0d020ecb047aed10f67c4f5e4381670dfed2b9d036835772a957 bitcoin-0.11.0-win32.zip 026f5d18c505105f317db8f49f3127e449953c3c012db58ca87ea6004abbec58 bitcoin-0.11.0-win64-setup.exe f86a6d1ced0dda9cb767b6a5bad30b0c3387881003af9e2786b1c3df95135c01 bitcoin-0.11.0-win64.zip -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBCAAGBQJVooXpAAoJEJDIAZ42wulkdVUP/1X6X9C3yilZX2JagRMlR1Gj iMAo+GneFJkfwJGKpfeEQTe4ufcBUyHSoT5IUNwEkuOKTMEnufpvqEG/Z8iOy3tK N2/xWLBfRXhfF7h4zc8aA6FL6BroGUsU5M1I8QvaJec/TAaZHqRMFaTlsKScHuN9 cu2kPko+YVEiN4/zF5rc2SeyZPbj8OctSCVMgEuy/9BLNVhxMfRTJnRTrLfvTzi5 csUiLEaSRkfhmfXfD4teQqBf2mKB1AwLXGJCrJHFLUH9LwcCFATwkPtxMP8KAqO3 8bM9lHoHRmKb/YsblQZQeZ7+OMPGRC7yZhsvJ6dn26I0g6YH8c3CAH480zzns48U 0RGPRDpNQZIfyQTIm1Ap5aChUQELOoUFENOmCq9GOsRQ/UHFEeEZsL8U9P2n+njF +VxW0cTwU3w0i5oSqJ6bdovByNWdBir2NdIr4k9v5YtK37plaN8j9siO1kqG5aCW O6P16xuT4YAzh0Hmxq2D+oVH5olCZQxa4p4eNhpFUGLdtg/GHQ43YNzGwOXxt0b6 nduevPoIXJv3uSaANVHAr3y8ecO2w/tAsE6WlB/EQxm9c6NcL+XejV7u/klzlhQz Ogncmso6qNwNDbqqgcQUz0p73/5BSA5Q6vQsP6SQIrkdlwXphgs8hBEy9XX41Ozt SqjTg2uu6+Q86zJvx3uT =75mL -----END PGP SIGNATURE-----
Note, if you cannot see this full output, use
Shift + PgUp and
Shift + PgDown to scroll the terminal window up and down, respectively. These are the hashes of the Bitcoin Core packages used to install Bitcoin Core. Let’s see one of these packages, get its SHA256 hash, and check that against the list we previously displayed:
## Get the Bitcoin Core package wget https://bitcoin.org/bin/bitcoin-core-0.11.0/bitcoin-0.11.0.tar.gz ## Get its SHA256 hash, which should be: ## 51ba1756addfa71567559e3f22331c1d908a63571891287689fff7113035d09f bitcoin-0.11.0.tar.gz sha256sum bitcoin-0.11.0.tar.gz
Look at the bitcoin-0.11.0-linux.tar.gz entry in the shasums.asc file you recently printed and notice that the hash is identical to the one you just produced by running sha256sum on the file you downloaded.
## Display the matching hash from the shasums.asc file ## which should be identical to the hash you just obtained grep 51ba1756addfa71567559e3 shasums.asc
This proves that you downloaded an identical copy of the file that the Bitcoin Core Lead Developer had on his computer when he created that file and cryptographically signed it.
Bitcoin wallets contain public keys, which are usually shown as Bitcoin addresses. The public in "public key" means that it's safe to share that information with other people, so it's safe to share your Bitcoin addresses with other people.
Bitcoin wallets also contain private keys. The private means that it's not safe to share your private key.
That is the best way to think about whether you possess some bitcoins. Do you have the private key? Then you have the bitcoins. Otherwise someone else has custody of the bitcoins on your behalf.
Cryptographic hashes and cryptographic signatures are arguably the two most important technologies for making Bitcoin possible. With hashes, we can verify that data hasn’t changed—which is essential for creating a secure ledger like the blockchain. And with cryptographic signatures, we can verify that someone who attempts to spend some bitcoins actually has the private key needed to spend those bitcoins.
Of course, you already knew Bitcoin was possible. From here on, we'll explore the precise methods and data formats. Go back to the main page to learn more.