Raspibolt: replacing Bitcoin Core with Knots

If you have a DIY node built with instructions from RaspiBolt and wish to patch it with fixes that do not relay SPAM transactions, here's a quick guide to replace Bitcoin Core with Bitcoin Knots.

This guide is assuming you already built your node with Bitcoin Core. Using the Bitcoin client chapter in the original instructions, we're going to replicate analogous steps to download, verify and install Knots.

Preparations

• Login as “admin” and change to a temporary directory which is cleared on reboot.

$ cd /tmp

• Get the latest download links at bitcoinknots.org/#download (ARM Linux 64 bit), they change with each update.
• Note: If you have an x86_64 or another architecture, pick the right one. Notice aarch64 below

$ VERSION="25.1.knots20231115"

# download Bitcoin Knots binary
$ wget https://bitcoinknots.org/files/25.x/$VERSION/bitcoin-$VERSION-aarch64-linux-gnu.tar.gz

# download the list of cryptographic checksum
$ wget https://bitcoinknots.org/files/25.x/$VERSION/SHA256SUMS

# download the signatures attesting to validity of the checksums
$ wget https://bitcoinknots.org/files/25.x/$VERSION/SHA256SUMS.asc

Checksum check

• Check that the reference checksum in file SHA256SUMS matches the checksum calculated by you (ignore the “lines are improperly formatted” warning)

$ sha256sum --ignore-missing --check SHA256SUMS
> bitcoin-25.1.knots20231115-aarch64-linux-gnu.tar.gz: OK

Signature check

Bitcoin releases are signed by several individuals, each using their own key. To verify the validity of these signatures, you must first import the corresponding public keys into your GPG key database.

• The next command download and imports automatically all signatures from the Bitcoin Core release attestations (Guix) repository

$ curl -s "https://api.github.com/repositories/355107265/contents/builder-keys" | grep download_url | grep -oE "https://[a-zA-Z0-9./-]+" | while read url; do curl -s "$url" | gpg --import; done

Expected output:

  > gpg: key 17565732E08E5E41: 29 signatures not checked due to missing keys
  > gpg: /home/admin/.gnupg/trustdb.gpg: trustdb created
  > gpg: key 17565732E08E5E41: public key "Andrew Chow <andrew@achow101.com>" imported
  > gpg: Total number processed: 1
  > gpg:               imported: 1
  > gpg: no ultimately trusted keys found
  [...]

• Verify that the checksums file is cryptographically signed by the release signing keys. The following command prints signature checks for each of the public keys that signed the checksums.

$ gpg --verify SHA256SUMS.asc

• Check that at least a few signatures show the following text.

> gpg: Good signature from ...
> Primary key fingerprint: ...

Installation

• If you’re satisfied with the checksum, signature and timestamp checks, extract the Bitcoin Core binaries, install them and check the version.

$ tar -xvf bitcoin-$VERSION-aarch64-linux-gnu.tar.gz
$ sudo install -m 0755 -o root -g root -t /usr/local/bin bitcoin-$VERSION/bin/*
$ bitcoind --version
> Bitcoin Knots version v25.1.knots20231115
> [...]

Restart Bitcoin Knots

sudo systemctl restart bitcoind.service

NOTE: If you have any options in your bitcoin.conf or bitcoind.service that were added in v26 and do not exist in v25.1, like v2transport for BIP324, then Bitcoin Knots won't start. If that happens, investigate your logs, configuration and service file:

sudo systemctl daemon-reload
sudo systemctl restart bitcoind.service

Verification of bitcoind operations

After rebooting, “bitcoind” should start and begin to sync and validate the Bitcoin blockchain.

• Wait a bit, reconnect via SSH and login with the user “admin”.
• Check the status of the bitcoin daemon that was started by “systemd”. Exit with Ctrl-C

> * bitcoind.service - Bitcoin daemon
>      Loaded: loaded (/etc/systemd/system/bitcoind.service; enabled; vendor preset: enabled)
>      Active: active (running) since Thu 2021-11-25 22:50:59 GMT; 7s ago
>     Process: 2316 ExecStart=/usr/local/bin/bitcoind -daemon -pid=/run/bitcoind/bitcoind.pid -conf=/home/bitcoin/.bitcoin/bitcoin.> conf -datadir=/home/bitcoin/.bitcoin (code=exited, status=0/SUCCESS)
>    Main PID: 2317 (bitcoind)
>       Tasks: 12 (limit: 4164)
>         CPU: 7.613s
>      CGroup: /system.slice/bitcoind.service
>              `-2317 /usr/local/bin/bitcoind -daemon -pid=/run/bitcoind/bitcoind.pid -conf=/home/bitcoin/.bitcoin/bitcoin.conf > -datadir=/home/bitcoin/.bitcoin
>

Summary

As you can see it is easy to drop-in replace Bitcoin Knots in RaspiBolt to start using a version which has bugfixes related to SPAM vulnerability: CVE-2023-50428.