you've probably put it all into BTC by now. if you haven't, put it all into BTC.  |
|
|
|
If the Chinese really wanted to scare us and milk as many coins as possible then why is it that they never went to the point of saying that exchanges would actually be shut down?
All Specialists/Market makers/Whales dont wont to KILL the market just scare it many many times but not to teh point of killing it  wouldnt kill the market. just some cheap coins. gimme gimme, i'm buying.  |
|
|
|
awesome, exactly what i needed, thank you! |
|
|
|
- Open it in a text editor (like Notepad)
- Select all of the text. Right click it. Copy.
- Right click the Kleopatra icon in your system tray (lower right).
- Choose Clipboard -> Decrypt/verify.
- It will probably tell you that it's not valid because it doesn't know the public key. That's a different issue...
haha doh, i forgot that's why i posted in the first place. i need the public key to verify the signature against. so yeah, "The signature is invalid. No public certificate to verify the signature." so presumably this would have been released/signed by bitcoin dev team. does anyone know where i can find their public keys? |
|
|
|
SHA256SUMS.asc isn't a normal file signature. Open it in a text editor, copy the contents, and tell Kleopatra to verify it.
how do i tell Kleopatra to verify it? it will only accept .asc, .cer, .cert, .gpg etc. how do i format it so it will be imported? i hate being such a noob |
|
|
|
does anyone know where i might find the proper release signatures for Bitcoin QT? when i go to http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.5/ to download the latest QT update and verify signature against http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.5/SHA256SUMS.asc/view, the .asc file listed will not import into gpg4win/Kleopatra. does anyone know why? does the file need to be altered in some way? am i looking at the wrong thing entirely -- i just saw .asc and assumed this would be the signature to check against. it doesn't list a fingerprint and user id, so i thought maybe i am looking at the wrong file..... if not, there is no fingerprint to verify against?  i had just figured out how to verify signatures and thought this would be straight forward. this stuff is way over my head....  thanks in advance for any help!!!  |
|
|
|
i got it to confirm validity, but it seems very trivial, since it was only based on my own certification.
i just created a new certificate/keypair, set the intevation.de certificate to full trust,
I recommend to remove the full trust from intevation certificate. This trust is related to how you trust them to validate/confirm other keys. It has no meaning for this signature validation. i understand. thanks! then certified it with my own key. now when i go to decrypt/verify, it says "All operations completed. gpg4win signed by distribution-key@intevation.de (KEY ID: 0xEC70B1B8). The signature is valid and the certificate's validity is full trusted." regardless, this is about the extent of due diligence that i can do, right? Well yes, probably. If you trust this forum and me you may believe that the fingerprint of the intevation key is "61AC3F5EE4BE593C13D68B1E7CBD620BEC70B1B8" (I also found and imported that key. This fingerprint does my software show). Then you can validate this using "Certificate Details" from context menu (right click) of this key. There you should find the same fingerprint. that is what i find. thank you! |
|
|
|
You missed Step 3. You have to confirm the key. This means you have to ensure the key is trusted. This may be the case if others signed the key and you trusted them. But this is very probable not the case. So you need to sign/confirm the key yourself.
- Open Kleopatra
- Find the key in tab "Other Certificates"
- Right click the key to open the context menu
- Here select "Confirm Certificate"
- Now follow procedure indicated by the program.
Note: That my kleopatra installation does not use English language, so menu entries I specify may have slightly different names. Note also that by confirming the key you say "I know this key is the key from Intevation". Thats a bit of a lie. But at least you can restrict the lie to yourself during confirmation of the key.
thanks so much! this is what i have done. so now i can confirm that the binary was signed by the party the publisher said it should be signed by. |
|
|
|
i got it to confirm validity, but it seems very trivial, since it was only based on my own certification. i just created a new certificate/keypair, set the intevation.de certificate to full trust, then certified it with my own key. now when i go to decrypt/verify, it says "All operations completed. gpg4win signed by distribution-key@intevation.de (KEY ID: 0xEC70B1B8). The signature is valid and the certificate's validity is full trusted." regardless, this is about the extent of due diligence that i can do, right? |
|
|
|
thank you for your replies re ubuntu, my online machine is windows, i planned to verify signatures on my online machine before transferring to offline machine so gpg4win.org, i found, says the signatures have been created with the following OpenPGP certificate: Intevation File Distribution Key (Key ID: EC70B1B8) [https://ssl.intevation.de/] so i go to import the public OpenPGP key for signing files provided there. it appears to have imported correctly (imported: 1, shows up under "other certificates as openPGP). now, when i go to decrypt/verify, i get a new message. still "Not enough information to check signature validity." in details, it says "signed on ..... by distribution-key@intevation.de (KEY ID: 0xEC70B1B8). The validity of the signature cannot be verified." ok. so what does this tell me? gpg4win says it should be signed by intevation.de -- Kleopatra says it is, right? gpg4win says it should be signed by EC70B1B8 -- it is, right? (i think i recall reading that 0x is just a prefix -- so it is the same key ID, right?) still it says the validity of the signature cannot be verified. but by all appearances, the file is signed by the party that it was supposed to have been signed by. ......right? i'm thinking this is as good as it gets? sorry to be such a noob!! i'm learning a lot though!! |
|
|
|
i wanted to get serious about securing my bitcoins. so i bought an ubuntu notebook with the intention of keeping it offline to store my coins, keeping all wallet/backups all offline. in the interest of preventing malware from ever entering my machine, i wanted to download whatever i needed onto a flash drive and put it on the offline machine. so i wanted to authenticate the download of bitcoin QT... that further required download of GPG4WIN (openPGP) to verify the signature when downloaded. so i downloaded GPG4WIN and used sha1 checksum to verify its integrity. i installed it and ran kleopatra. so i figured since GPG4WIN provides an OpenPGP signature for its downloads, that i would start with that. here's the problem -- when i go to import the .sig file, i can't. .sig is supposed to be openPGP, but kleopatra only seems to allow importation of .asc, .cer, .cert, .crt, .der, .pem, .gpg. is that right? am i missing something? so i figured, maybe i am going about this wrong? i go to decrypt/verify files. the binary and signature file are in the same folder. when i go to decrypt/verify, i get the message "Not enough information to check signature validity." when i click to show details, it says "Signed on ... with unknown certicate ... The signature is invalid: No public certificate to verify the signature." can someone explain what i am missing? i feel like i am supposed to get GPG4WIN's public certificate and import it, after which it will be able to verify correctly. but what do i do with this .sig file?!?! i can't seem to find any public certificates posted at gpg4win.org. this is going to be the end of me. bitcoin and associated technology is so frustrating in how difficult to use it is for the average user. |
|
|
|
Hi. I just wanted you to know that BTC-E is not secure and you shouldn't use it. I did some exchanges with it and it worked but more recently my account got totally hacked into. I didn't loose any coins but it's just not worth using. My username and password are not easily guessable, my password is around 25 random chars. All the time I get emails from BTCE telling me I successfully logged into my account, like this: Successful authorization.
Login: <username>
IP: <myip>
Date and time: 03.12.13 02:17 I've changed my password but it just happens again. I also tried to email them about the security issues but I got the response "what is the response you would like" ?? Very helpful. I also asked them to delete the account but received nothing. was your account actually compromised? where was the IP situated? you realize they send you those emails every time YOU log in, right? |
|
|
|
hello, wondering if someone could explain how to go about verifying authenticity of downloads. i see that i have to download the qt wallet from mirror sites, and then to verify signature of that download, i have to download gnupg/pgp from mirror sites. when i go to download from gnupg.org mirror site, there is like a hundred files. which one do i want? i need a win32 binary, there seems to be many of them.... the thing is, how do i verify sha1 check sum when there is so many files.... i have no idea what to compare to, to verify integrity. i dont trust these sites..... too much money on the table. and everywhere i look that explains PGP seems to assume you are a programmer. i'm not!  |
|
|
|
|
Show Posts
