Bitcoin Forum

Bitcoin => Bitcoin Technical Support => Topic started by: Amph on March 04, 2015, 08:29:08 AM



Title: Bitcoin core 0.1 not signed
Post by: Amph on March 04, 2015, 08:29:08 AM
this last version of bitcoin core is still not signed, under windows 7 it pops up the typical message of an untrustworthy signature (unknown publisher bla bla)

9.3 was good in that regard


Title: Re: Bitcoin core 0.1 not signed
Post by: Amph on March 05, 2015, 08:03:07 AM
so no one has the same problem? I ended up removing the check for the message

but the problem is still there


Title: Re: Bitcoin core 0.1 not signed
Post by: Blazr on March 05, 2015, 08:24:22 AM
They are signed with PGP. Were the other binaries signed by the built-in Windows checker?

Here is how you verify the PGP signatures, though admittedly this is harder to do on Windows than Linux:

- Download gnupg4win (or use the 'gpg' command if on Linux, it comes preinstalled on most distros).
- Get a copy of lead developer Wladimir van der Laan's public key: https://bitcoin.org/en/development
- Open a command line and import it with gpg --import <file>
- Get a copy of the PGP signed hashes here: https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc
- Open a command line and verify it using gpg --verify <file>
- If you get a good signature, open the file with notepad and look for the name of your binary, the bit to the left is the hash of the file.
- Calculate the hash of your binary, you can use fciv or openssl (openssl sha256 <file>) if you have it installed, and compare it against the hash in the signed message, if they match your copy is good.
- For extra safety, verify you have the right key for Wladimir by sourcing it from multiple locations.
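The steps above, scripted as an added example (this is not code from the thread or from the Bitcoin Core project). It assumes gpg is on PATH for the signature step and that either sha256sum or openssl is available for hashing; the file names, the "hello" stand-in binary and the SHA256SUMS entries in the demo are constructed placeholders, not real release data.

```sh
#!/bin/sh
# Added example, not code from the thread: automates the verification steps
# Blazr listed. Assumes gpg (gnupg) on PATH for the signature step and
# sha256sum or openssl for hashing. File names below are placeholders.

# Step 1 ("gpg --verify <file>"): check the clearsigned SHA256SUMS.asc against
# keys already imported with "gpg --import". A zero exit means gpg reported a
# good signature from a key in your keyring; it does NOT prove that key is
# really Wladimir's, which is why the key itself must be cross-checked.
verify_signature() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
  gpg --verify "$1"
}

# Hash a file with sha256sum, falling back to "openssl sha256" as in the thread.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    openssl sha256 "$1" | awk '{ print $NF }'
  fi
}

# Step 2 ("look for the name of your binary, the bit to the left is the hash"):
# print the hash recorded for FILENAME in SUMSFILE; fail if there is no entry.
# Lines look like "<hex>  <name>" (some tools write "<hex> *<name>"); the PGP
# armour lines of a clearsigned file never equal a real filename, so the
# signed .asc can be passed here directly.
expected_hash() {
  awk -v name="$2" '
    { n = $2; sub(/^\*/, "", n) }
    n == name { print $1; found = 1 }
    END { exit !found }' "$1"
}

# Step 3: compare the recorded hash with the one computed locally.
verify_download() {
  sums=$1; bin=$2; name=$(basename "$bin")
  want=$(expected_hash "$sums" "$name") || { echo "no entry for $name in $sums" >&2; return 1; }
  have=$(sha256_of "$bin")
  if [ "$want" = "$have" ]; then
    echo "OK: $name matches $want"
  else
    echo "MISMATCH: $name (expected $want, got $have)" >&2
    return 1
  fi
}

# Offline demonstration with constructed files: no real Bitcoin Core binary,
# and the gpg step is skipped because no genuine key can be embedded here.
# $1 is the text written into the stand-in "binary" (a newline is appended).
demo_with_content() {
  dir=$(mktemp -d)
  printf '%s\n' "$1" > "$dir/bitcoin-0.10.0-win64-setup.exe"
  # Constructed stand-in for the signed body of SHA256SUMS.asc: the first
  # entry is the SHA-256 of "hello\n", the second is a dummy for another file.
  cat > "$dir/SHA256SUMS" <<'EOF'
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  bitcoin-0.10.0-win64-setup.exe
0000000000000000000000000000000000000000000000000000000000000000  bitcoin-0.10.0-win32-setup.exe
EOF
  if verify_download "$dir/SHA256SUMS" "$dir/bitcoin-0.10.0-win64-setup.exe"; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}

demo_genuine()  { demo_with_content 'hello'; }           # hash matches -> 0
demo_tampered() { demo_with_content 'hello, patched'; }  # hash differs -> 1

demo_genuine
```

Against a real download you would run `verify_signature SHA256SUMS.asc && verify_download SHA256SUMS.asc bitcoin-0.10.0-win64-setup.exe`, stopping at the first failure; the hash comparison alone only tells you the file matches what the sums file says, so it is worthless unless the signature check passed and the signing key was obtained from more than one source.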


Title: Re: Bitcoin core 0.1 not signed
Post by: Amph on March 05, 2015, 02:23:34 PM
yeah the other binaries are signed with Windows, you can check yourself for 0.9.3

i'll try your suggestion, thank you


Title: Re: Bitcoin core 0.1 not signed
Post by: grue on March 05, 2015, 04:50:30 PM
but they are signed
https://i.imgur.com/7Bs1CTI.png

the actual executables are not signed, but that was always the case.


Title: Re: Bitcoin core 0.1 not signed
Post by: cakir on March 05, 2015, 05:12:01 PM
Bitcoin-qt.exe is not signed. But setup is signed, so I think that's not a big deal.
Ps: I've checked only x64 versions;
https://i.imgur.com/4ipi8Sq.png

I used this tool: https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx


Title: Re: Bitcoin core 0.1 not signed
Post by: BillyBobZorton on March 05, 2015, 05:15:34 PM
As long as the hash matches with the download from the official website you are good to go.


Title: Re: Bitcoin core 0.1 not signed
Post by: Blazr on March 05, 2015, 07:15:30 PM
As long as the hash matches with the download from the official website you are good to go.

What if the website has been hacked and the hacker has replaced the download with one that contains a backdoor and then changed the hash?

If you want to be sure your copy of a Bitcoin client hasn't been tampered with you really need to verify it is signed with a trusted key.


Title: Re: Bitcoin core 0.1 not signed
Post by: Newar on March 06, 2015, 01:57:02 PM

Hashes are also published at https://github.com/bitcoin/gitian.sigs  So the hacker would have to change those too.

The release hashes are GPG signed https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc   Another thing you can check.


Title: Re: Bitcoin core 0.1 not signed
Post by: btchris on March 06, 2015, 11:50:57 PM
This version of HashCheck (full disclosure: this is my repo[1]) supports SHA-256, and can be used to check hashes on Windows: https://github.com/gurnec/HashCheck/releases

Just download the .asc file from https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc and/or https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc into the same directory as the installer or archive, and double-click it.

https://i.imgur.com/npbk0il.png

Verifying the PGP signatures (as Blazr detailed) is more secure, though.

What if the website has been hacked and the hacker has replaced the download with one that contains a backdoor and then changed the hash?

If you want to be sure your copy of a Bitcoin client hasn't been tampered with you really need to verify it is signed with a trusted key.

Agreed.


[1] It's my repo, but all credits for HashCheck go to its original author, Kai Liu. I only added SHA-256 support.


Title: Re: Bitcoin core 0.1 not signed
Post by: Amph on March 08, 2015, 10:37:01 AM
but they are signed
https://i.imgur.com/7Bs1CTI.png

the actual executables are not signed, but that was always the case.

not with 0.9.3(or even older version), at least on windows 7

for everyone, i'm talking about the exe

As long as the hash matches with the download from the official website you are good to go.

yeah, but i don't like it when that windows msg pops up, just a personal thing


Title: Re: Bitcoin core 0.1 not signed
Post by: Kimochii on March 10, 2015, 07:24:32 AM
yeah, but i don't like it when that windows msg pops up, just a personal thing

It is indeed.


Title: Re: Bitcoin core 0.1 not signed
Post by: Cryptowatch.com on March 10, 2015, 10:06:00 AM
yeah, but i don't like it when that windows msg pops up, just a personal thing

Just as a side note, with no intention of derailing the thread completely. You might want to look into using a Linux distro as a desktop OS. In general security is better than on Windows, and you're supporting the same philosophy that underpins bitcoin, i.e. freedom and choice. For Linux you also have the possibility of looking at the source code and many do daily, whereas with Windows, you just have to trust a single company. Updates are more frequent for Linux distros. As for user friendliness, Linux has really come a long way these days. Malware and other nasties are mostly aimed at platforms where the most users are, so that would be Windows. In addition to the newest Linux distros being user-friendly, it's quite possible to look under the hood, and tinker with everything you want to adjust, *nix variants are highly customizable. So if you don't mind the learning experience and jumping into the unknown (assuming you're unfamiliar with Linux), I can greatly recommend trying it out. There are even installers meaning you can install Linux directly from Windows, without a problem, and even run the operating systems in parallel. If you don't want to get rid of Windows, but just want to try it out, you could as well install a virtual machine like VMware or similar, and try it out that way, or you could get a cheap VPS to learn to work on the command line.

/my 2 cents.