Bitcoin Signed Binaries

[ChloeST]

I have to ask why there are no signed binaries of the Bitcoin Clients? The bitcoin client is the center of what should be a very secure system for an individual. (Unless their primary accounts are on MtGox or a similar site, in which case they have to trust ssl and MtGox.)

On Windows the binary has no digital signature on the executable. Other less important software has digital signatures (media players, games, even poker clients are signed (PartyPoker is signed with a Thawte verified certificate).

On linux, there are no hashes available of the current distribution .tar.gz. Ubuntu offers hashes of their product through a ssl encrypted page: https://help.ubuntu.com/community/UbuntuHashes

PGP signatures for communication with bitcoin developers are readily available on the bitcoin.org front page next to their email addresses. Why aren't there verifiable gpg signatures for the binary downloads also available?

[LMGTFY]

I have to ask why there are no signed binaries of the Bitcoin Clients? The bitcoin client is the center of what should be a very secure system for an individual. (Unless their primary accounts are on MtGox or a similar site, in which case they have to trust ssl and MtGox.)

On Windows the binary has no digital signature on the executable. Other less important software has digital signatures (media players, games, even poker clients are signed (PartyPoker is signed with a Thawte verified certificate).

On linux, there are no hashes available of the current distribution .tar.gz. Ubuntu offers hashes of their product through a ssl encrypted page: https://help.ubuntu.com/community/UbuntuHashes

PGP signatures for communication with bitcoin developers are readily available on the bitcoin.org front page next to their email addresses. Why aren't there verifiable gpg signatures for the binary downloads also available?

Good question! I'd imagine it's because the developers are overworked and underpaid!

I'm not sure how practical digital signatures would be in the short term, as Thawte etc will charge for them - but hopefully someone nearer the issue than me can comment.

Regarding hashes, that should be pretty easy to implement - but I'd imagine it's time that's the problem. I don't suppose you'd be able to volunteer to help out the devs with this?

[grue]

there's no need for signing the binaries. the release announcements are pgp signed, with a hash of the binaries.

[Mike Hearn]

No, the binaries should be signed for the AV reasons discussed previously. It doesn't happen, basically because "nobody got around to it yet". There's work in progress to move to reproducible builds in which multiple trusted developers check that the source code compiles to the binary being released, and then all sign that. Certainly a regular Win32 signature should be included as part of that process and I'm sure soon it will be.

[BombaUcigasa]

Ontopic, I downloaded a RC bitcoin client from sourceforge, and NOD32 stopped the download because it got a PE/NewHeur trojan warning. None of the other releases give this warning. How can we be sure the binaries published on the official source control hubs are free of malware?

[matt.collier]

I am a GlobalSign reseller and I will sell a Microsoft Authenticode Code Signing Certificate for the BTC equivalent of $180 USD.  The retail price for this certificate is $229.

[matt.collier]

There's also the Certificate for Individuals which retails at $99, but I'm not sure if that's appropriate for this purpose.

[edit]

I will sell this one for $50, but it will have the name of an individual on the certificate, not an organization.

http://www.globalsign.com/code-signing/buy-code-signing-for-individual-developers.html

[ene]

there's no need for signing the binaries. the release announcements are pgp signed, with a hash of the binaries.

Not everybody has PGP installed.

[grue]

I am a GlobalSign reseller and I will sell a Microsoft Authenticode Code Signing Certificate for the BTC equivalent of $180 USD.  The retail price for this certificate is $229.

any chance you can donate this certificate to the bitcoin community?

[matt.collier]

The $180 price includes my reseller discount and $25 of my own money.  I feel comfortable with that level of assistance.

[Matt Corallo]

On 0.4.0 PGP signing:
Starting with 0.4.0, the bitcoin releases on Win32 will be generated deterministically (assuming me/devrandom have enough time to code the specifics) and signed by all the Bitcoin developers who have the ability to do so.  The "installer" will then install a minimal script and the relevant dependencies to the Bitcoin folder and then run that script.  That script then downloads the latest version of Bitcoin and checks that enough signatures are on it for it to be considered trusted and install that version.  The script will (hopefully) also be used to update bitcoin when new versions come out.

On code signing:
This one is a bit more difficult.  Because Bitcoin will be built deterministically, we have two options.  A. send the code signing private key around to all the devs for that to be a part of the building process (this is even harder as the building happens on Linux via the MinGW cross compiler) or B. find a way to strip out the code signing certificate in the download script and then check the stripped version instead of the signed version.  I googled this pretty quick and saw no simple CLI program which will do this, but I might have missed something as I didnt spend too much time on it.  If anyone finds something, please tell me. 

[grue]

On 0.4.0 PGP signing:
Starting with 0.4.0, the bitcoin releases on Win32 will be generated deterministically (assuming me/devrandom have enough time to code the specifics) and signed by all the Bitcoin developers who have the ability to do so.  The "installer" will then install a minimal script and the relevant dependencies to the Bitcoin folder and then run that script.  That script then downloads the latest version of Bitcoin and checks that enough signatures are on it for it to be considered trusted and install that version.  The script will (hopefully) also be used to update bitcoin when new versions come out.

On code signing:
This one is a bit more difficult.  Because Bitcoin will be built deterministically, we have two options.  A. send the code signing private key around to all the devs for that to be a part of the building process (this is even harder as the building happens on Linux via the MinGW cross compiler) or B. find a way to strip out the code signing certificate in the download script and then check the stripped version instead of the signed version.  I googled this pretty quick and saw no simple CLI program which will do this, but I might have missed something as I didnt spend too much time on it.  If anyone finds something, please tell me. 

auto-update = super bad idea. if a attacker can compromise the script, he can make tons of rouge clients.

[Matt Corallo]

auto-update = super bad idea. if a attacker can compromise the script, he can make tons of rouge clients.

Obviously we aren't going to blindly auto-update, there will be a user-prompt.  Also, the binaries are signed by multiple developers meaning you would have to compromise the pgp private keys of several developers.  If you think an attacker will try to compromise the download script, well how is that any different from compromising the current downloads?  You would have to compromise sourceforge, so it wouldn't make a difference.  If you think the script itself might be trickable into downloading without having enough signatures, then I ask you to look it over yourself https://github.com/devrandom/gitian-builder/blob/updater/share/gitian-updater

[jimbo77]

auto-update = super bad idea. if a attacker can compromise the script, he can make tons of rouge clients.

Wouldn't it be more risky NOT having an auto-update? As long as the process of getting the binaries is secure. I'm thinking from the point of view that there could be exploits in the network or old versions where you want people to update to protect themselves. People are notorious for not upgrading and what if we need them too to prevent an attack on the network? Newer web browsers seem to do it to enhance security so why wouldn't that be the case for bitcoin?

[ene]

As long as the process of getting the binaries is secure.

You missed the point. 

[jimbo77]

As long as the process of getting the binaries is secure.

You missed the point. 

I did? You can make updating secure such that other risks are higher than the update risk.

[matt.collier]

May I suggest another thread for the auto-update debate?

[publickeyhash]

The compiler should use ProPolice or /GS in case of M$

[ene]

As long as the process of getting the binaries is secure.

You missed the point. 

I did? You can make updating secure such that other risks are higher than the update risk.

They're different kinds of risk. If the auto-update has a vulnerability, somebody could steal the private keys of tens of thousands of users in a matter of minutes. If the client software has some other vulnerability, then depending on the nature of it, it will be more or less dangerous than what I just mentioned. Probably less.

[keystroke]

It's been over a year since this thread was touched. I was just looking at my system with Process Explorer and out of the 62 processes, only 3 are not signed. One of them is Bitcoin-qt. Is there any downside to signing? I always verify with Gavin's signature and I trust that keychain more than I would one issued by a centralized authority... We all know what has happened to SSL CAs. Is this the argument?