Title: what should be md5sum of bitcoin-0.8.1-linux.tar.gz ?
Post by: cosurgi on May 10, 2013, 09:29:14 AM

Hi,

I just downloaded an update for the bitcoin-qt client from bitcoin.org. The download is redirected from bitcoin.org to http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.1/bitcoin-0.8.1-linux.tar.gz/download

I am worried that sourceforge.net might have been hacked, and nobody noticed yet. I did a search for the md5sum of bitcoin-0.8.1-linux.tar.gz, but couldn't find it anywhere on the official site. Therefore this binary is not to be trusted. I am afraid that if I launch it, it will steal all my coins.

On my side the md5sum is

Code:
$ md5sum bitcoin-0.8.1-linux.tar.gz

But I prefer that one of the developers confirm this (not by redownloading it from the aforementioned address, since it might have been compromised).

Bitcoin developers: could you implement some method of using digital signatures on your released binaries? Debian, for example, has PGP keys which authorize a package repository.

I could resort to recompiling myself, and first comparing the source code between my current version and the new one, to make sure that no malicious code got in. But we are talking about user-friendly bitcoin. So I am not going to do this, because bitcoin should not be only for people who can read and write code. We need some security on released binaries. Better safe than sorry.

This is why I posted this question. And I really do not intend to offend the developers. I am only asking because I want to be safe.

Title: Re: what should be md5sum of bitcoin-0.8.1-linux.tar.gz ?
Post by: wumpus on May 10, 2013, 09:53:36 AM

If you use sha1sum or sha256sum, you can verify those hashes by comparing them to the following:

http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.1/SHA256SUMS.asc/download
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.1/SHASUMS.asc/download

They are signed with Gavin's GPG key. For example, the following checks out here:

Quote
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

6d7f023a9df1a436c51de83f7cd751f162be9b4fb1c06da05545f9fba7cb2a98  bitcoin-0.8.1-linux.tar.gz
dddc563af906e766900868970fd2146a1cad792fd7089f034d46ad0e838ce99f  bitcoin-0.8.1-macosx.dmg
2d447daad6cba12a4dd29de4ffbbd00c5634f45818d39cc12ce27ad964c905a6  bitcoin-0.8.1-win32-setup.exe
08abe51623361df111bad5722f167503f01bb016d728bd1ebcf83069636c9fde  bitcoin-0.8.1-win32.zip
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iQIcBAEBCAAGBQJRRkNCAAoJECnZ7msfxzDBPC0P/A/vk81jj0SpWIwMQkO3+Agt
A/lNcBZeBZI3RxirBmbJU+8yUoMI4mlMqTMc0FdXoNFhkUjo5O/v3xZy/FjCYEu0
HgOO71KUc4txNkdP1HIkODnpqr2hoqKf1E8erZwXr7GyEGyBckQN0b8ewjAO9Mpg
1xL6izQceZGi32tQuMp+MY86l2eaDiT1CvvJnobJ/bEZgVEwwmOp8fFDCXi1aQ7Z
aYkv5XuKhNx5cHokva+WqoLbk5Z2QHg72IhBR1NkNXWEVz/RXfaf1i9Xmx3G/Use
VtifyXrGuzv784gohnfYaarPEbjByK2QW/chKif5G3N6ZdFgskl1Ov52ugcaKIAS
ad8QUJLVR3SSoQ1ohIcBLCtc7vTjOyBm+JW0hd7LH9tOucPY1awQ3RLlFbsMvxXS
ZBeCOV/JzcOZiAF2iYlzi/VL46c+kqhqd5N0QqJho3TSkiLd8zCv6CB/7ECNDJxF
XATgjfAfLuJmypq9QVpqbUW+Nlnt0sFRzo1YH6xgqRrptW3VcGn5gq3+Uda74i6W
+KZOZa45wlrEB31HrPz3Hssi3Mkr0BomsdoAuJu8iNmaCSjMYwxcdrXpMn0qabjU
ls+o16Jk3eg8Vsc2imzjFlI3W427tcY4yuF1W++NBbeLAvRHisIOgQkRmS37i2WZ
on9c/1GJ+slPJ4RCcCyu
=eLo8
-----END PGP SIGNATURE-----

Title: Re: what should be md5sum of bitcoin-0.8.1-linux.tar.gz ?
Post by: cosurgi on May 10, 2013, 10:11:01 AM

Great thanks! I will check this shortly.

Can you remind me how I can verify Gavin's signature, or do I need to find this myself? :)

Title: Re: what should be md5sum of bitcoin-0.8.1-linux.tar.gz ?
Post by: wumpus on May 10, 2013, 11:51:17 AM

Quote
Great thanks! I will check this shortly.

Can you remind me how I can verify Gavin's signature, or do I need to find this myself? :)

First, fetch and import Gavin's key.

Quote
$ gpg --search-keys 1FC730C1
gpg: searching for "1FC730C1" from hkp server keys.gnupg.net
(1)     Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>
          4096 bit RSA key 1FC730C1, created: 2011-12-15
Keys 1-1 of 1 for "1FC730C1".  Enter number(s), N)ext, or Q)uit > 1

Then verify the .asc:

Quote
$ gpg /tmp/SHA256SUMS.asc
gpg: Signature made Sun 17 Mar 2013 11:27:14 PM CET using RSA key ID 1FC730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>"

Title: Re: what should be md5sum of bitcoin-0.8.1-linux.tar.gz ?
Post by: cosurgi on May 11, 2013, 08:02:05 PM

I did this, and I get a warning :)

Code:
gpg: WARNING: This key is not certified with a trusted signature!

I'm not surprised, because I did not verify this key in any way. Do you have any hints on how to verify it? :)
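Added example, not code from the thread or from the Bitcoin project: a POSIX shell script that automates the procedure wumpus describes (verify the clearsigned SHA256SUMS.asc, then compare the tarball's sha256sum against the signed list) and addresses the warning in cosurgi's last post. The point cosurgi ran into is that `gpg --verify` exits 0 for a "Good signature" from any key in the keyring, trusted or not; the script therefore pins the signer by full fingerprint using gpg's machine-readable `VALIDSIG` status line instead of trusting the exit code. It assumes `gpg`, `sha256sum` and `awk` are installed; `EXPECTED_FPR` is a placeholder for the 40-hex-digit fingerprint, which must be obtained out of band (the short ID 1FC730C1 shown on the page is not enough to pin a key). The sample SHA256SUMS content and tarball used for checking are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the thread): verify a release file against a
# GPG-clearsigned SHA256SUMS.asc, pinning the signing key by fingerprint.
set -eu

# Placeholder (assumption): full fingerprint of the expected signing key,
# fetched out of band. Fill in before real use. Needed because
# "gpg --verify" reports "Good signature" (exit 0) for ANY key in the
# keyring; the trust WARNING seen in the thread does not change the exit code.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_FULL_40_HEX_FINGERPRINT}"

# Print the clear-text body of a PGP clearsigned file: the lines between the
# blank line that ends the "Hash:" header and the signature block. Lines that
# began with "-" are dash-escaped as "- -" in the armor; undo that.
clearsigned_body() { # $1 = SHA256SUMS.asc
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { inhdr = 1; next }
        inhdr && /^$/                         { inhdr = 0; inbody = 1; next }
        /^-----BEGIN PGP SIGNATURE-----$/     { inbody = 0 }
        inbody                                { sub(/^- /, ""); print }
    ' "$1"
}

# Print the digest listed for one file name in a sums body; empty if absent.
expected_sha256() { # $1 = sums body file, $2 = file name
    awk -v f="$2" '$2 == f { print $1; exit }' "$1"
}

# Return 0 iff the file $2 hashes to the digest listed for it in $1.
check_sha256() { # $1 = sums body file, $2 = path to downloaded file
    want=$(expected_sha256 "$1" "$(basename "$2")")
    [ -n "$want" ] || { echo "no entry for $(basename "$2") in sums" >&2; return 1; }
    got=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# Return 0 iff gpg reports a valid signature made by EXACTLY the pinned key.
# "[GNUPG:] VALIDSIG <fingerprint> <date> ..." is gpg's status output; it is
# stable across locales, unlike the human-readable "Good signature" text.
verify_signature() { # $1 = SHA256SUMS.asc
    gpg --status-fd 1 --verify "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR "
}

# Usage: ./verify.sh SHA256SUMS.asc bitcoin-0.8.1-linux.tar.gz
if [ $# -eq 2 ]; then
    verify_signature "$1" || { echo "FAIL: signature is not from the pinned key" >&2; exit 1; }
    body="${TMPDIR:-/tmp}/sums.$$"
    clearsigned_body "$1" > "$body"
    if check_sha256 "$body" "$2"; then echo "OK: $2 matches the signed SHA256SUMS"
    else echo "FAIL: $2 does not match the signed SHA256SUMS" >&2; rm -f "$body"; exit 1; fi
    rm -f "$body"
fi
```

Order matters: the signature check comes first, because a sums list that has not been verified says nothing about the file. Importing the key from a key server, as in the thread, only proves you have some key with that short ID; comparing the fingerprint you pin here against one obtained from a second, independent channel is what turns "Good signature" into a statement about who signed.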