QUESTION
What is the correct procedure to download the official bitcoin client, and validate it was signed by the developers, and not infected with any malware by a man in the middle?
ANSWER
Jeff Garzik signs every release with his GPG key (also here). You can find release announcements (such as this one) on the SourceForge.net Bitcoin development list.
To verify the signature on a release, obtain the key from the link above. Obtain the release announcement from the link above. Obtain the download from any source. Then point GPG at the release announcement (or the signature block from it, including the BEGIN and END lines). GPG will ask what file you want to verify; pick any of the ones listed in the signature certificate. It will then tell you if the release is identical to the release Jeff Garzik signed.
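Scripted as an added example (not the answer's own commands), assuming the announcement is a GPG clearsigned text listing `<sha256>  <filename>` lines and that the signer's key fingerprint has been obtained from a trusted source; the fingerprint is a placeholder and the sample files are constructed:

```shell
#!/bin/sh
# Added example, not from the original answer. Assumptions:
#  - the announcement is clearsigned text with "<sha256 hex>  <filename>" lines
#  - EXPECTED_FPR is a placeholder to be replaced with the signer's fingerprint
#    obtained out of band (not from the same channel as the download)
set -u

EXPECTED_FPR="PLACEHOLDER_FINGERPRINT_FROM_TRUSTED_SOURCE"

# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 1: the signature must verify AND come from the expected key.
# A "Good signature" from an unknown key proves nothing against a MITM who
# also served a forged key, so the VALIDSIG fingerprint is compared explicitly.
verify_announcement_sig() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR "
}

# Step 2: the downloaded file's hash must equal the one the signed announcement
# lists for that exact filename. Returns 0 on match, 1 otherwise.
check_release_hash() {
    ann="$1"; file="$2"
    name=$(basename "$file")
    expected=$(grep -E "^[0-9a-f]{64}  $name\$" "$ann" | cut -d' ' -f1)
    [ -n "$expected" ] || return 1            # filename not in announcement
    actual=$(sha256_of "$file")
    [ "$expected" = "$actual" ]
}

# Constructed demo data: a fake release, a same-named tampered copy, and an
# announcement body listing only the genuine file's hash (signature lines omitted).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/tampered"
printf 'fake release payload\n' > "$demo_dir/bitcoin-0.0.0-linux.tar.gz"
printf 'modified payload\n' > "$demo_dir/tampered/bitcoin-0.0.0-linux.tar.gz"
printf 'unknown\n' > "$demo_dir/other.tar.gz"
printf 'Release announcement (constructed sample)\n%s  bitcoin-0.0.0-linux.tar.gz\n' \
    "$(sha256_of "$demo_dir/bitcoin-0.0.0-linux.tar.gz")" > "$demo_dir/announce.txt"
```

In real use run `verify_announcement_sig announce.txt` first and only then `check_release_hash announce.txt <download>`; a failure in either step means the download must not be trusted.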