Gavin Andresen - 2012-03-06 16:02:40

@s{quotedtext} @s{quotedtext} That is always a risk, which is why next to the downloads there is a gpg-signed SHASUMS.asc file.

To check the integrity of the download you should:

+ Check the signature on the SHASUMS.asc file:
Code:
$ gpg --verify SHASUMS.asc
gpg: Signature made Wed Feb 29 20:51:40 2012 EST using RSA key ID 1FC730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>"
+ Make sure the checksum for the downloaded file matches the checksum in the SHASUMS.asc file:
Code:
$ shasum bitcoin-0.6.0rc2-macosx.dmg
7ab035250ad32a95adf12f2bf8751df9adae0ad4  bitcoin-0.6.0rc2-macosx.dmg
$ grep macosx SHASUMS.asc
7ab035250ad32a95adf12f2bf8751df9adae0ad4  bitcoin-0.6.0rc2-macosx.dmg