321  Bitcoin / Project Development / Re: PHP Bitcoin Development Kit | Interactive Examples | BitcoinDevKit.com on: January 08, 2013, 09:54:43 PM
A security issue in bdk_prove_coin_ownership() has been found.
It only recognizes when the bitcoin_validate_message() successfully runs but it didn't recognize whether the message is valid or not. In version 0.0.42 this is updated and published.
322  Bitcoin / Project Development / Re: PHP Bitcoin Development Kit | Interactive Examples | BitcoinDevKit.com on: January 08, 2013, 09:37:35 PM
I've uploaded example #3; it demonstrates the bdk_prove_coin_ownership() function (previously known as the bdk_login_with_coin_address() function).

Try it out and let me know what you think.
http://www.bitcoindevkit.com/examples/example3.php
323  Bitcoin / Project Development / Re: PHP Bitcoin Development Kit | Interactive Examples | BitcoinDevKit.com on: January 07, 2013, 10:24:18 AM
I uploaded v0.0.40 (comes with the shopping cart functions).

Still working on the "remove product id from cart" function; it will come in the future.
324  Bitcoin / Project Development / Re: PHP Bitcoin Development Kit | Interactive Examples | BitcoinDevKit.com on: January 07, 2013, 01:27:12 AM
What is the best way for you to keep in contact Zenland?

Basically, while trying to open a test connection using the bitcoin_open_connection() function, the array that gets returned is -1 and Null.

While I am able to retrieve the full getinfo using the jsonRPCClient.php file that was included in your package.

In both cases, I was connecting through the public domain name and not 127.0.0.1.

Edit: I just uploaded the new library file and changed nothing else at all, I have a successful connection now through your file.

You can always contact me by Skype or email.

Glad to hear it is working now, Cheers mate!
325  Bitcoin / Project Development / Re: PHP Bitcoin Development Kit | Interactive Examples | BitcoinDevKit.com on: January 06, 2013, 10:52:51 PM
I was getting ready to build my own function set because yours wasn't connecting to bitcoind for some odd reason while my personal test connection was having no problem, but I'm gonna try your updated script first

I was having a problem with my public VPS on my script and the issue seemed to be in jsonRPCClient.php as something was going wrong with credentials (the solution in my case was to have the BDK connect through the public IP address). Was this a similar issue to yours? I'd be happy to see your successful code and merge it into the scripts if you don't mind.
326  Bitcoin / Project Development / Re: PHP Bitcoin Development Kit | Documentation, Wiki | BitcoinDevKit.com on: January 06, 2013, 06:17:48 AM
Note: I've included the time it took me to make the entire page for that particular example (from start to finish, including testing and light pen-testing).

Entire Examples List: http://www.bitcoindevkit.com/examples.php

EXAMPLES LIST DESCRIPTIONS (More to come as I make more examples)
I tested the script without the 5 second sleep on it and it almost instantly pops up the address.
(Total Hours Accumulated: 1) Example1: Generate a new address: http://www.bitcoindevkit.com/examples/example1.php

(Total Hours Accumulated: 2.5) Example2: validate an address: http://www.bitcoindevkit.com/examples/example2.php


Coming Soon
* Shopping Cart Example (Total Hours Accumulated: 3)
* Login With Bitcoin Address/Verify Address/Edit account with address verification/etc
327  Bitcoin / Project Development / Re: PHP Bitcoin Development Kit | Documentation, Wiki | BitcoinDevKit.com on: January 06, 2013, 05:49:15 AM
NOTE TO SELF AND OTHERS: it seems that Bitcoin wasn't accepting credentials from 127.0.0.1 from Xenland's VPS and the solution was to set the IP address to the external address, but also to configure Bitcoin to ONLY allow from that external address.... Odd.
328  Bitcoin / Project Development / Re: PHP Bitcoin Development Kit | Documentation, Wiki | BitcoinDevKit.com on: January 05, 2013, 07:13:16 PM

Actually I think I found a VPS I could use to feature this library (and get it off the ground). Sit tight everyone examples on the wayyyyy!!

UPDATES
While setting up my VPS for the BDK library I noticed that the includes don't work so smoothly (compared to my local dev computer). I changed it, thinking others might have had the same issues.
Changes have been updated to version 0.0.39 and are already published.



UPDATES:
* (Soon to be added in 0.0.40) Added function bdk_start_session_receipt() (to help assist users with a consistent, proven stateful method for storing product ids without a database)
* (Soon to be added in 0.0.40) bdk_get_session_receipt_information() (retrieve information based on the given information -- mostly used for displaying items in the shopping cart)
* (Soon to be added in 0.0.40) bdk_add_to_session_receipt() (to add product ids to the stateful function)
* (Soon to be added in 0.0.40) bdk_remove_from_session_receipt() (to remove product ids from the stateful function)
* (Soon to be added in 0.0.40) bdk_checkout_session_receipt() (to convert the session receipt information to be processed into the bdk_generate_receipt() function)
329  Bitcoin / Development & Technical Discussion / Re: Bitcoin client "Sign Message" box issue on: January 04, 2013, 10:12:46 PM
Gmaxwell is advising users to sign digests (referring to the GitHub issues page suggestion), while the Bitcoin client advises NOT to sign anything vague.
I believe the not vague thing was at my insistence too. These are not contradictory recommendations and I'm at a loss as to why we can't seem to communicate on that point.

The issue was definitely mine due to me thinking I set my encoding correctly (referring to UTF8). This is what I thought was happening on my site:
Quote
* User proposes contract text to other user by submitting contract to website
This process looks like this....

Textbox -> website PHP processing -> MySQL database
I found out my database and the website were mismatching encodings: one was UTF8 and the database was accidentally set to something other than UTF8 (I think it was some other Unicode).

So when the other person agrees and wants to sign the contract they are presented with a textbox in UTF8 encoding but supplied from non-UTF8 encoding from the MySQL database, and I believe essentially that when the clipboard copies the text to the Bitcoin client it isn't UTF8 as expected, and thus the Bitcoin client signs a valid message and when the website goes to check the validity it isn't valid because of the encoding mismatches.

I think my end seems to be working now that I have consistent encoding, I hope (or it's just a fluke).
330  Bitcoin / Project Development / Re: Interest for Bitcoin penny auction site on: January 04, 2013, 10:00:42 PM
Sounds like you need a way to prove that the penny bids are legit which requires a Web of trust but the whole integration of everything would have to be done correctly for people to take the validity seriously.
331  Bitcoin / Project Development / Re: PHP Bitcoin Development Kit | Documentation, Wiki | BitcoinDevKit.com on: January 04, 2013, 02:30:19 AM
BDK login with coin address will not only display an encoded string it will look like the following...
Quote
The following is to verify proof of coin address ownership and in no way is a legally binding contract. |1357265407|b3b25bb40f27aa744c57f6d9ff1927f96217e42eb5ae40433cc011bc2c62ea59|455a2776a68285f1c5d48eed957a8b772cf060df914ac049335afd97a352cec135b2dcf73f8ef6b4cddbe4abf6a542c13c3d96035185d608de16b83465f518652eb63bb45a57d5a375394e1e1d789556586ab481d307722d226a1fd71fbb177d6608984e94eb0b0d972b337e176d45a22b77f094314290430a7169329c2e14be|15TraoPG7GFq6omJ7THJ3Zfyxz56uzzD2D
This is to prevent any ambiguities and to promote users to sign only Clear and concise messages.

This update will be included in version number 0.0.40
332  Bitcoin / Development & Technical Discussion / Re: Bitcoin client "Sign Message" box issue on: January 03, 2013, 07:51:39 PM
Which hash do you think a Non-technical user will pick?
http://www.youtube.com/watch?v=TOP6gXidRLU&feature=youtu.be

If you think the formatted one -- it's impossible for that to match as the formatting characters won't work.
If you think the non-formatted one, then yes, because it's the path of least resistance, the only one that the website would "accept" as valid. In my opinion you are correct.

I'll drop it after this if this video doesn't explain it, but if you want a real-world example for you to play with, check out my WOTCoin project that will show you that there is a problem with multi-lines and formatted texts: https://github.com/Xenland/WOTCoin

All I know is that if someone explains this differently in about a year or so when people start to heavily use the "sign message" box and someone else gets the credit I'll be very upset, but w/e -- as long as Bitcoin improves, whatever it takes for however long it takes to bash the issue, it will succeed. I just hope non-techies aren't hashing evil contracts and signing their lives away before it is realised. Just remember that "theory" ISN'T "Practicality". Good day mates
333  Bitcoin / Development & Technical Discussion / Re: Bitcoin client "Sign Message" box issue on: January 03, 2013, 07:47:40 PM
Is there a reason why signed messages can't contain newlines?

I believe it can, just ONLY through the command line, but the issue is non-techie users, so it's presumed they will use the GUI interface, which doesn't recognize new lines and formatting correctly.

So essentially a website will check the signature as the message with newlines and formatting while the GUI on the client side signs differently and will not validate on the website end.
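Why byte-level differences break verification, as an added example (not code from these posts or from the BDK): the Bitcoin client signs a double SHA-256 over the magic-prefixed message bytes, so the newline and database-encoding mismatches described in the posts above each yield a different digest. The sample contract text and the `canonicalize` rules are constructed assumptions.

```python
import hashlib
import unicodedata

MAGIC = b"Bitcoin Signed Message:\n"

def varint(n: int) -> bytes:
    """Bitcoin compact-size length prefix."""
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xffffffff:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")

def signed_message_digest(message: bytes) -> str:
    """Double SHA-256 over magic + message, each length-prefixed: the value that gets signed."""
    payload = varint(len(MAGIC)) + MAGIC + varint(len(message)) + message
    return hashlib.sha256(hashlib.sha256(payload).digest()).hexdigest()

def canonicalize(text: str) -> bytes:
    """Assumed site policy: NFC, LF newlines, no trailing whitespace, UTF-8 bytes."""
    text = unicodedata.normalize("NFC", text)
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    lines = [line.rstrip() for line in text.split("\n")]
    return "\n".join(lines).strip("\n").encode("utf-8")

# Constructed sample: the same contract as three layers might hold it.
WEBSITE = "Seller: Zo\u00eb\nPrice: 5 BTC\n"        # text the site verifies against
TEXTAREA = "Seller: Zo\u00eb\r\nPrice: 5 BTC\r\n"   # form submission with CRLF newlines
DECOMPOSED = "Seller: Zoe\u0308\nPrice: 5 BTC\n"    # same glyphs, different code points

def digests_raw() -> dict:
    """Digest of each variant as-is; every one differs, so a signature over one fails for the others."""
    return {
        "utf8": signed_message_digest(WEBSITE.encode("utf-8")),
        "crlf": signed_message_digest(TEXTAREA.encode("utf-8")),
        "latin1": signed_message_digest(WEBSITE.encode("latin-1")),
        "nfd": signed_message_digest(DECOMPOSED.encode("utf-8")),
    }

def digests_canonical() -> set:
    """Digest of each variant after canonicalization; they collapse to a single value."""
    return {signed_message_digest(canonicalize(t)) for t in (WEBSITE, TEXTAREA, DECOMPOSED)}

if __name__ == "__main__":
    for name, digest in digests_raw().items():
        print(f"{name:7s} {digest}")
    print("canonical:", digests_canonical())
```

Canonicalization only helps if the same rule runs before the text is shown for signing and again before verification; the stored bytes in the database must also round-trip as UTF-8.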
334  Bitcoin / Development & Technical Discussion / Re: Bitcoin client "Sign Message" box issue on: January 03, 2013, 06:33:35 PM
I'm strictly talking about non-technical users. Of course a technical user can know how to make his own digest and of course this is not an issue; there is a reason why I've OVER emphasised using the word non-technical users in all my posts. I choose my words carefully, BUT this new information may not change a thing, so please respond to let me know that I should reread your posts further and I'll try to stay as open-minded as possible.
Yes, I've read your many messages.  Making the signing process more opaque and risky does not help non-technical users or technical ones. What exactly do you want to accomplish?

Gmaxwell is advising users to sign digests (referring to the GitHub issues page suggestion), while the Bitcoin client advises NOT to sign anything vague.

So the solution is for users to copy and paste the contract and create the required digest (let's just say sha256 to keep the example simple).
So the non-technical user is following a "how to sign messages" guide and is advised to copy and paste the contract into a sha256 digest. So the user copies the sha256 digest and pastes it into the website.

The website attempts to verify the signature with the contract and it doesn’t work? OH why not? it doesn’t work because the contract contained formatting, this formatting isn't non ascii

The Current solution?
* We provide a download link of the contract so the non-technical user can sha256 correctly that way (non-technical and technical users don't like downloading stuff from websites as it could contain viruses, but this isn't a huge problem for technical users)

* OR we provide a one-line input box (the issue with this is that a one-liner contract that is 5000 characters long isn't easy on the eyes)

The current Problem?
The download link solution aside, I will discuss the one-line input box dilemma. In order for anyone to read a 5000 character contract they will not scroll the one box line as they need to read, NOR will they copy the one line box and format it themselves in notepad just to make it easy on the eyes. So the website as a convenience provides an easy to read format and a one box line, but the issue with this is that the website could provide the easy to read format a "good looking on the eyes and the wallet contract" but the one liner could provide a "bad looking contract"; the user is forced to sign the one liner because we can't sign the formatted nice looking contract. So the non-technical user reads the how-to guide and is instructed to copy the "bad contract" one liner and sha256 digest it and then sign the digest and then copy the digest and paste it into the website.

We need a way to encode the messages within Bitcoin. If the great gmaxwell still doesn't understand I will have to make a demonstration video, because I know this is an issue as I'm dealing with right now as a social engineering flaw and I had to cancel a project (not blaming anyone as fault, but this IS an issue if Bitcoin wants to use contract signing as a "feature").
Or perhaps my solution isn't a great solution but there IS a problem.....

335  Bitcoin / Development & Technical Discussion / Re: Bitcoin client "Sign Message" box issue on: January 03, 2013, 06:08:03 PM
He does, but for some reason I think you do not. What I was saying is entirely compatible with what deathandtaxes is saying and I don't know how I'm failing to express it in order to make it clear to you. Perhaps someone else can help?

"Sign a digest that you created" is not the same as "sign an opaque string that you have no comprehension of".

I'm strictly talking about non-technical users. Of course a technical user can know how to make his own digest and of course this is not an issue; there is a reason why I've OVER emphasised using the word non-technical users in all my posts. I choose my words carefully, BUT this new information may not change a thing, so please respond to let me know that I should reread your posts further and I'll try to stay as open-minded as possible.
336  Bitcoin / Development & Technical Discussion / Re: Bitcoin client "Sign Message" box issue on: January 03, 2013, 05:51:10 PM
So my proposal would have to be included into the "Sign Message" dialogue, as users will be required to copy the message into the Bitcoin client and select the appropriate encoding (or hash digest) and then sign that encoding/hash, and then the user can copy the output as they can trust their Bitcoin client.

BUT the problem remains with the copy and pasting of non-ascii characters like newlines and returnlines and other formatting characters that are not ascii.
337  Bitcoin / Development & Technical Discussion / Re: Bitcoin client "Sign Message" box issue on: January 03, 2013, 05:46:38 PM
DeathAndTaxes gets it: https://bitcointalk.org/index.php?topic=134360.msg1431089#msg1431089
338  Bitcoin / Development & Technical Discussion / Re: Best way to make user proof that he owns address? on: January 03, 2013, 05:28:29 PM
Oh yeah, almost forgot, here is the wiki link for how to use the BDK_login_with_coin_address function: https://github.com/Xenland/Bitcoin-Development-Kit/wiki/BDK-Login-With-Coin-Address

I must note that even though it's called Login with coin address it is actually an "Address ownership verifying" function.
339  Bitcoin / Development & Technical Discussion / Re: Best way to make user proof that he owns address? on: January 03, 2013, 05:27:00 PM
I have made a PHP library just for that. It uses server-side checksums that can expire after a set amount of time (prevents eavesdroppers from replaying the message); it also encodes the message in such a way that will prevent any binary conversions during networking transport (basically just base64 encodes the random string, time stamp and the address).

Did I mention it doesn't need a database? (In the future it will support databases but I need to build it securely without the database then later integrate DB support)

It's called the Bitcoin Development Kit and is Open Source under the AGPL. Let me know if you want to make money off of it and we can work out a commercial license; otherwise if it's non-profit and open source then by all means use the AGPL. As a side-note, after I have made a return on investment I will release it into the public domain, but for now I need to justify why I spent all this time and research into a helpful library.

http://bitcoindevkit.com

It's only in Alpha stage but it is very stable and I'm using it for three websites already ( http://p2pcrypt.com and the other two I'm not allowed to disclose due to NDA, but p2pcrypt.com is under construction so you won't be able to see it till the completed site is pushed online tomorrow).
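A sketch of the stateless, expiring challenge described in this post, together with the fail-closed result check that the 0.0.42 fix noted in the January 08 post above is about; this is an added Python example, not BDK code. The HMAC construction, key, TTL, function names and the injected `verify_message` callable are all assumptions.

```python
import base64, hashlib, hmac, os, time

SERVER_KEY = b"constructed-demo-key"   # assumption: secret kept only on the server
TTL = 300                              # assumption: challenge lifetime in seconds

def _mac(body: str) -> bytes:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest().encode()

def issue_challenge(address: str, now=None) -> str:
    """Stateless challenge: timestamp|nonce|address|MAC, base64-encoded for transport."""
    ts = int(time.time() if now is None else now)
    body = f"{ts}|{os.urandom(16).hex()}|{address}"
    return base64.b64encode(body.encode() + b"|" + _mac(body)).decode()

def check_challenge(token: str, address: str, now=None) -> bool:
    """True only if the MAC is ours, the address matches and the TTL has not passed."""
    now = int(time.time() if now is None else now)
    try:
        ts, nonce, addr, mac = base64.b64decode(token, validate=True).decode().split("|")
        age = now - int(ts)
    except ValueError:                 # bad base64, bad UTF-8, wrong field count, bad int
        return False
    genuine = hmac.compare_digest(mac.encode(), _mac(f"{ts}|{nonce}|{addr}"))
    return genuine and addr == address and 0 <= age <= TTL

def prove_ownership_buggy(token, address, signature, verify_message) -> bool:
    """Hypothetical shape of the bug class: 'the call completed' is taken as 'valid'."""
    try:
        verify_message(address, signature, token)   # return value ignored
    except Exception:
        return False
    return True

def prove_ownership(token, address, signature, verify_message, now=None) -> bool:
    """Fail closed: fresh, untampered challenge AND the verifier returned exactly True."""
    if not check_challenge(token, address, now):
        return False
    try:
        return verify_message(address, signature, token) is True
    except Exception:
        return False

if __name__ == "__main__":
    addr = "1ConstructedExampleAddr"    # constructed placeholder, not a real address
    tok = issue_challenge(addr)
    reject = lambda a, s, m: False      # stand-in verifier that reports an invalid signature
    print("buggy:", prove_ownership_buggy(tok, addr, "sig", reject))
    print("fixed:", prove_ownership(tok, addr, "sig", reject))
```

Because no state is stored, a token can still be replayed inside its TTL; single-use enforcement needs a server-side record of spent nonces.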
340  Bitcoin / Development & Technical Discussion / Re: Bitcoin client "Sign Message" box issue on: January 03, 2013, 04:58:30 PM
So to recap I see that there are a few problems with signing messages with the current advisory instructions for non-technical users.
(please remember I'm strictly speaking from my experiences when I attempted to make a contracting website a few months ago)

* (Social Engineering) Possibly signing of contract that isn't the actual contract
Non-technical users WILL NOT make their own digests themselves, nor will they know why they have to make their own or care to; they will ALWAYS make the company, website, etc. provide the digest as they don't know the problems it could make for them and they don't have the time to care and find out.

* It's difficult to sign a contract with new lines without displaying the whole contract on a one line input box through a website
Providing a user with a contract to sign is difficult through any interface as the problem of non-ascii characters such as \n or \r (newlines) or other formatting characters can NOT be copied and pasted they must be copied into the clipboard leading to vulnerabilities "injection" issues.

* Small issue: The sign message digest output isn't labelled. I can't instruct my users to "Copy that one box at the bottom in the sign message dialogue"; instead there should be a label saying "Digest" so I can instruct my users on my website to "Copy the box that is labelled digest and paste it into the website here". Link for this small issue: https://github.com/bitcoin/bitcoin/issues/2144