It works well for me  Actually, there's a shortcut to this! Just get your original message, Then remove the address from the message ( copy this): -----BEGIN BITCOIN SIGNED MESSAGE-----
I'm Lulucrypto on Bitcointalk. And normally, I'm Luluwebmaster. I sign this message at 9 Aug 2019.
-----BEGIN SIGNATURE-----
IAIAMSyjMV62EttLm3HltwmQK0HEchc80OfXKJGPEo1pIvq/st/kgWvLmREfByk3/TSbdrWLmfzoExivGSxzTOo=
-----END BITCOIN SIGNED MESSAGE----- And paste to https://brainwalletx.github.io/#verifyIt'll automatically recognize the legacy address used for that signed message. Because either way, the message was verified using the address: 1NtMnD5BQrRvVeHDk4HXaGvXiVkUuTjhXf, not bc1q7qgn8zw75n26hd60a8ay42482mukdjrdv3cyp7. But both can be derived from the same prv key, so there wont be a serious problem with future verification. The only difference is: those extra steps are some kind of proof that the result legacy address was based from your SegWit address. Indeed, thank you for sharing, I was not aware of this method. So I allowed myself to quote your message and more in my first post |
|
|
|
Hello please to verify, and to be able to secure my account. -----BEGIN BITCOIN SIGNED MESSAGE-----
I'm LUCKMCFLY, this is my account on bitcointalk.org and today is 04/11/2019.
My profile: https://bitcointalk.org/index.php?action=profile;u=1153977
-----BEGIN SIGNATURE-----
1GvzGav5t19x3ftEXsjyrSoiYAj9S3tng2
IB8vyj5K+tcU9pQZDCs03OdzJHlfjQnT062bmXPRRZg1qi5pVtd8ZeaabK8UgmyvsEXKoY7lic9ZpLxzf4A1s7s=
-----END BITCOIN SIGNED MESSAGE----- Thanks in advance. >-------------------------------------------------------- > Quoted and Verified ( Screenshot ) and Archived. >-------------------------------------------------------- > How to post a signed message ( Please respect format ). > If you don't want to be verified by me, please add "no-bot" in your message. > Addresses currently verified : Bitcoin ( P2PKH & Bech32 ). > Note for Modo and Admin : If you receive message from "bot_avsignatures" or "Lulucrypto" to edit or remove this post, it's not me. Please don't accept request. >-------------------------------------------------------- > This is a auto response send by the "Auto Verify Signature Bot". >-------------------------------------------------------- |
|
|
|
Hello à tous, Un petit point sur le bot s'impose ( Dans ce post, je vais faire référence à des points évoqués sur le sujet FR et EN ) ! J'ai donc eu l'occasion de discuter avec Theymos sur la sécurité du bot. Au final, il ne voit pas l’intérêt d’empêcher le bot de supprimer ses messages. Dans le sens, ou, il y a déjà des personnes qui s'occuper d'archiver les posts. En plus de ça, si besoin, il est capable de restaurer un message supprimé jusqu'à deux ans en arrière. Donc partant de la, il faut savoir que désormais, j'archives tous les messages du sujet en question. Cet archive est retrouvable facilement ici : https://signatures.bitcointalk.luc-mergault.fr/En plus de servir d'archive, ce site permet donc d’effectuer une recherche très basique parmi tous les messages enregistrés sur le sujet. Histoire d'assurer un peu plus la fiabilité du bot et plus globalement de tous les messages du sujet, je propose désormais un petit script très simple, qui permet à celui qui souhaite l'utiliser d'être alerté par mail en cas de supression / éditon du sujet ou sont postés les adresses. Ce script permet donc à n'importe qui d'aider à garantir la fiabilité des messages de ce sujet ( L'idée étant que si vous recevez une alerte, il est de bon sens d'en alerter le forum ). A noter que la détection des messages supprimé n'est pas encore en place sur le script.En plus de servir comme script d'alerte, il permet aussi d'archiver tout les messages, et si vous le souhaitez rendre cet archive public ! Pour ceux qui souhaitent l'installer ( Très simple ) : https://github.com/luluwebmaster/bitcointalk-auto-verify-signatures-archive-and-alertSi vous installez le script, n'hésitez pas à fournir le lien permettant de consulter les messages archivés, je me ferais un plaisir de le répertorier dans le premier post ! D'ailleurs j'en ai profité pour l'installer sur la machine de Cryptos-Currencies.Com : - https://signatures.bitcointalk.cryptos-currencies.com/A noter que ce script n'est pas figé, et des améliorations doivent encore êtres effectuées ( Notamment sur chargement des messages archivés ).Il est désormais possible de ne pas faire vérifier ses messages par le bot, simplement en ajoutant "no-bot" quelque par dans votre post. En plus de ça, le bot prend en charge les adresses Bech32 en utilisant cette méthode : - https://bitcointalk.org/index.php?topic=5198585.0Les adresses P2SH elles, ne le sont pas encore, mais le bot les détectes. Il s'occupe de citer et archiver les messages contenant des messages signé a partir de ce type d'adresse. Voilà pour ce "petit" point ! Si vous avez d'autres propositions, n'hésitez pas ! |
|
|
|
Gratz nice idea. It is a nice turn around until we have some standard for segwit addresses signatures Long ago I made a topic about this subject. The situation is still the same. Only Electrum made it own standard for segwit signed messaged, this is why you cannot verify those in any other wallet https://bitcointalk.org/index.php?topic=2885058.msg29647827#msg29647827Thank you for sharing, I was not aware of this topic
How to verify SegWit signature with Brainwallet ? And that's all for this little tutorial  Great guide/tutorial thanks I would add to that only one warning. Brainwallet is dangerous to use because human mind is not that complicated in terms of creating passwords (brainwallet). Because of that many many many brainwallets got hacked and will be hacked in future because people still using them. Um, I understand that Brainwallet is dangerous for the creation of address, but in terms of verification, there is no problem if I'm not mistaken ? |
|
|
|
Hello ! Having put this method on my bot to check the Bitcoin signatures, I thought it would be useful to take the opportunity to share this method to everyone ! The purpose of this method is to convert the Bech32 address to a Legacy address. For this example, I will use my signature.We agree that if I try to check my signature with the address Bech32, it does not work.  So to start, paste your Bech32 address here and decode it : -> https://slowli.github.io/bech32-buffer/With my example, the returned data is "f0113389dea4d5abb74fe9fa4aaaa756f966c86d". Now, go to this page, and paste the decoded data in the "Converts a BitCoin Hash160 (in Hex) to a valid BitCoin address." input and convert : -> https://bitcoinvalued.com/tools.phpAt this point, I copy the address "1NtMnD5BQrRvVeHDk4HXaGvXiVkUuTjhXf". And ... It's all, now, use the copied address in signed message like this : -----BEGIN BITCOIN SIGNED MESSAGE-----
I'm Lulucrypto on Bitcointalk. And normally, I'm Luluwebmaster. I sign this message at 9 Aug 2019.
-----BEGIN SIGNATURE-----
1NtMnD5BQrRvVeHDk4HXaGvXiVkUuTjhXf
IAIAMSyjMV62EttLm3HltwmQK0HEchc80OfXKJGPEo1pIvq/st/kgWvLmREfByk3/TSbdrWLmfzoExivGSxzTOo=
-----END BITCOIN SIGNED MESSAGE-----
You can now verify your signed message with Brainwallet :  Big thanks to @pooya87 and @hatshepsut93 who helped me understand how to set up this method :
-> https://bitcointalk.org/index.php?topic=5194216.msg52815008#msg52815008
-> https://bitcointalk.org/index.php?topic=5194216.msg52817898#msg52817898This post in other Language :And that's all for this little tutorial |
|
|
|
Just another note here, when the bot is quoting a message which could not be verified, you should post a warning like ( failed to verify), otherwise everyone can stake a fake addresses and possibly scam people.
I guess you're talking about this message. Currently, the addresses "bc1" are not checked by the bot, it deals only with quoting and archiving. Verification of these signatures is expected shortly.
Hello everyone, This post is a translation of my French post.A small point on the bot is needed ( In this post, I will refer to points raised on the subject FR and EN ) ! So I had the opportunity to chat with Theymos about bot security. In the end, he does not see the benefit of preventing the bot from deleting his messages. In the sense, or, there are already people who take care of archiving the posts. In addition to that, if needed, he is able to restore a deleted message up to two years back. So starting from there, you have to know that from now on, I archive all the messages of the subject in question. This archive can be found easily here : https://signatures.bitcointalk.luc-mergault.fr/In addition to serving as an archive, this site allows you to perform a very basic search among all messages recorded on the subject. History to ensure a little more the reliability of the bot and more globally of all the messages of the subject, I propose now a small very simple script, which allows whoever wishes to use it to be alerted by mail in case of suppression / edit the subject or are posted addresses. This script allows anyone to help ensure the reliability of the messages on this topic ( The idea is that if you receive an alert, it makes sense to alert the forum ). Note that deleted message detection is not yet in place on the script. In addition to serving as an alert script, it also allows you to archive all messages, and if you want to make this archive public ! For those who wish to install it ( Very simple ) : https://github.com/luluwebmaster/bitcointalk-auto-verify-signatures-archive-and-alertIf you install the script, do not hesitate to provide the link to consult the archived messages, I would be happy to list it in the first post ! By the way I took the opportunity to install it on the machine of Cryptos-Currencies.Com : - https://signatures.bitcointalk.cryptos-currencies.com/Note that this script is not fixed, and improvements must still be made ( Especially on loading archived messages ).It is now possible not to have his messages checked by the bot, simply by adding "no-bot" some by your post. In addition to that, the bot supports Bech32 addresses using this method: - https://bitcointalk.org/index.php?topic=5198585.0The P2SH addresses are not yet, but the bot detects them. It takes care of quoting and archiving messages containing messages signed from this type of address. So much for this "small" point ! If you have other proposals, do not hesitate !
Hello everyone! Little update of the project Today, I have more or less finished the public bot ( Available on Github ). If you have installed it, I invite you to update it ( Please note that the DB will be reset given the structural modification of it for messages ). I would like to recall an important point, if you have a VPS or a machine running H24, do not hesitate to install it, and share the link of archived messages, it would be a big plus for the security of the project ! And if you have installed the script, the same, do not hesitate to share the link, it would be great Now, the bot also detects deleted messages, and you alert if you want ! I took the opportunity to detail a little more the README Github, so that it is more understandable ( If you have a question, do not hesitate ). Also, tonight, I'll take care to update the first post of this topic to provide all the missing info since launching ^^ Edit : First post edited ! |
|
|
|
Is there any chance of you putting this bot on Github? It would be good to see other people being able to suggest modifications and even better if more than one instance of the bot could be archiving these entries. I think that something like this which is not-for-profit would benefit quite a lot from being made open source.
The bot in its current state will not be made public ( The code is too rough ). However, I am preparing a script ( Bot ) that everyone will install, and that will help with the security of the checks. |
|
|
|
Hello, Yes I saw that, thank you for the report. I'm still working on the project, new ones should come soon ... |
|
|
|
I read a while back about a scammer who years ago lost his edit-privileges on the forum, to stop him from removing evidence. If theymos can take away edit and delete power from your bot (and publicly confirms it), it can offer a very nice service.
Yes, I understand the problem, I work to propose a solution soon |
|
|
|
@lulucrypto
Comme déjà indiqué sur le thread de staking, le lien archive n'est pas fonctionnel.
Le message est complètement inutile, ainsi que le screen, en l'absence de ce lien.
Belle réalisation sinon.
Oui, merci pour la précision, je n'ai pas encore su la raison exact de pourquoi il n'y avait pas le lien, mais si ça vient à recommencer, je pourrais cette fois-ci la connaitre Je ne sais pas si c'est la raison du plantage de l'archive, mais pour archiver souvent https://archive.is/ ou https://archive.fo/ rame/plante quand même assez souvent, il faut parfois s'y reprendre plusieurs fois. Est-ce qu'il y a une autre alternative valable ? C'est une idée, il faudrait que l'erreur se reproduise afin que je puisse confirmer ça |
|
|
|
En tous cas t'as intérêt à faire gaffe à tous les mails et messages que tu reçois dorénavant car tu vas vite devenir une cible de choix lorsque ton bot aura archivé plusieurs dizaines d'adresses. Il suffira aux hackers de supprimer les messages de ton bot ou de les corrompre en les éditant pour que des dizaines de comptes se retrouvent sans preuve de possession d'adresse fiable.
Oui c'est pour ça que je suis entrain de voir avec Theymos s'il est possible de changer un peu les perm's du compte justement. A suivre |
|
|
|
Hum, disons au cas ou le site ne fonctionne plus quoi  Après oui c'est loin d'être d'une grande utilité ( Déjà le cas pour le post ) ^^ |
|
|
|
The links to archive.fo and imgur will be very hard to find back without the post. But indeed, I archive messages. See this link for the posts I have on that thread. It's not automatically updated yet, but it will be once I have the time to test it a bit more. I'm not sure how long I'll do this though, staking an address is meant to be used years later, and I will run out of space at some point. Yes it is a good thing that you archive the messages too. For my part, all messages posted on the topic dedicated to "Stake" are also saved, and will soon be publicly available on a dedicated page. An easy solution would be to move the entire "stake addy"-thread to Auctions, so that users can't edit or delete their posts anymore. Ideally, the bot account should not be able to delete its messages, and can only edit its messages once ( Or for a limited time, for example ). But already if it was possible to make sure that he can not delete his messages, it would be a very good point ! Thank you for that, I understand now ! I'll see what I can do with that |
|
|
|
Tu dis que tu as utilisé des API, tu as utilisé quoi comme API stp?
J'ai utilisé une API, celle de Imgur pour l'upload du screen sur leur serveur. Autrement, j'utilise le package request pour scrapper ( Rester à jour ) des derniers messages postés sur le sujet Par contre quel est l'intérêt de prendre un screen ?
Tu génères le lien du message vérifié avec Brainwallet. En plus un screen c'est falsifiable. Une archive a beaucoup plus de crédibilité qu'une image.
Le screen est une "preuve" en plus que la signature est correcte ( Quelque chose que j'ai déjà vu revenir dans certains posts ), après je suis d'accord que ce n'est pas forcement le plus utile, mais disons que je pouvais le faire D'ailleurs c'est vrais que je n'y avais pas pensé, je vais voir pour faire une archive du lien Brainwallet en plus de tout ça ^^
J'ajouterai que la vérification des messages signés est en fait totalement inutile.
Il suffit de la faire lorsque la personne veut prouver l'appartenance du compte. Donc le jour où le message enregistré devient utile.
Lors de l'enregistrement la valeur ajoutée de la vérification est nulle. Seul l'auteur devrait le faire pour s'assurer que la signature a "bien fonctionné".
C'est pas totalement faux, mais apparemment ça fait partit +/- du process de vérification, donc dans le doute j'ai préféré garder ça |
|
|
|
Brainwallet le fait il me semble.
Pas à ma connaissance non Sinon site web non, mais electrum le fait. Tu dois pouvoir interagir avec l'exe en CLI.
Ouais si vraiment je ne trouve pas d'autre solution, peut-être que je ferais ça, à voir ^^ |
|
|
|
By the way, I take this opportunity to ask you something, do you know a website to verify the signatures created by addresses other than addresses Legacy ( Segwit ? ) ?
i would drop using these silly online tools and use a decent library but here is a workaround in case you were interested: (first a simple explanation of what is "message signature verification") an ECDSA signature is two numbers known as r and s. the math behind it has some characteristics that allows you to recover possible public keys from signature by knowing the message that was signed. so the first step is to base64-decode the signature, take r and s out, hash the message and calculate public key(s). the second step is to convert that public key to an address and then check it with what user gave you. knowing that you can easily convert a bech32 address to a legacy address* to fool the "silly" tool to pass the second step. all you need is a bech32 decoder example https://bitcointalk.org/index.php?topic=996318.msg52763726#msg52763726bc1qarr0w42t3z7xtrcgwxh6kcckzq47tme5xfnj4n -> e8c6f7554b88bc658f0871afab6316102be5ef34 -> 1NDp7v4M1fueJDob7mrnJktn1SnT4yramy now the silly tool passes the verification! you can't use this for addresses starting with 3 (nested SegWit) because they are hash of a hash of public key (it is more complicated than that, just simplifying it) so you have to have the public key and can't use what i explained above. * node that this is a workaround and should not be done for anything else. the decoding is done by knowing bech32 encodes "OP_0 <hash160(pubkey)>" and base58 encodes "version <hash160(pubkey)> checksum"
how about an "opt-out" option so that user could post a string (eg. nobot) in first line and get the bot to ignore the message. Hello, Thank you for your very interesting message. To be honest, I did not necessarily understand what to do to perform the "conversion" address. Would you be able to give me an example of your idea in JavaScript ( Or other language ) for example ? And for your suggestion, I take note, it's a good idea for those who do not want the application to be processed by the bot. Thank you very much ! |
|
|
|
Hello, Thank you for your interest about the project To answer +/- in order: 1) I could have used a package to directly check the signatures, but it did not fit the idea I wanted. Namely, allow everyone to visually check (Screenshot), and provide the verification link. 2) The purpose of this bot is not necessarily to replace the users who help with the checks. But as you said, rather serve as a complement ( Everyone is free to continue to perform verification ). 3) Now, I understand the problem of hacking, and I will see to try to find a solution to this. 4) The idea of having multiple instances of the bot is interesting, but as it was said, it becomes complicated to manage double posts / who should post / etc ... Edit : For information, the archive contain the original post and the quotation ( Exemple : https://archive.fo/9DYWr ) The project is clearly not over, so expect changes to come |
|
|
|
|
Hello,
I am interested.
My telegram : @Luluwebmaster
|
|
|
|
Hello, I take advantage of the launch of the bot to confirm the fact that the account of the bot ( bot_avsignatures ) is my account. -----BEGIN BITCOIN SIGNED MESSAGE-----
I'm the owner of bot_avsignatures account. I sign this message at 19 October 2019.
-----BEGIN SIGNATURE-----
1EiK8BgSbMsSuBKafee8DwSQwshVhnBYgP
H7tBlOvIEGjR3Vibn3mR97xybnphtlQXfUM66W1E6I4aEDaLIj7PaK+4ZXyV9g8JSbGw5611+AfF134bQLnmyWY=
-----END BITCOIN SIGNED MESSAGE----- |
|
|
|
Hello, Thank you 1) Currently I use "-----BEGIN BITCOIN SIGNED MESSAGE-----", "-----BEGIN SIGNATURE-----" and "-----END BITCOIN SIGNED MESSAGE-----" to found user request. 2) It's pretty simple, any new address ( Not registered in the database, and detected as a signed message ) is saved as a request. From the moment when another user posts a message with this address ( Quote ), then the request is detected as treated ( I am sure that it is not necessarily the best way, it is possible that it changes thereafter ). 3) For the detection, it takes about 5 to 10 seconds, and for the verification process, it takes +/- 30 to 60 seconds ( It is very variable ). 4) Oh, ok thank you, and for "P2SH" addresses, is it possible ? Edit : And for information, currently the bot can't verify signatures, he is currently saving all the messages already sent on the subject ( +/- 10 000  ). Edit 2 : A screenshot of the console currently  |
|
|
|
|
Show Posts
