Bitcoin Forum
November 09, 2024, 02:01:40 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2] 3 »  All
  Print  
Author Topic: Bitcoin Signed Binaries  (Read 5411 times)
Maged
Legendary
*
Offline Offline

Activity: 1204
Merit: 1015


View Profile
September 26, 2012, 04:31:00 AM
 #21

Is there any downside to signing?
As Matt said...
On code signing:
This one is a bit more difficult.  Because Bitcoin will be built deterministically, we have two options.  A. send the code signing private key around to all the devs for that to be a part of the building process (this is even harder as the building happens on Linux via the MinGW cross compiler) or B. find a way to strip out the code signing certificate in the download script and then check the stripped version instead of the signed version.  I googled this pretty quick and saw no simple CLI program which will do this, but I might have missed something as I didnt spend too much time on it.  If anyone finds something, please tell me. 
As you can see, that's a pretty big downside.

kjj
Legendary
*
Offline Offline

Activity: 1302
Merit: 1026



View Profile
September 26, 2012, 04:37:37 AM
 #22

It's been over a year since this thread was touched. I was just looking at my system with Process Explorer and out of the 62 processes, only 3 are not signed. One of them is Bitcoin-qt. Is there any downside to signing? I always verify with Gavin's signature and I trust that keychain more than I would one issued by a centralized authority... We all know what has happened to SSL CAs. Is this the argument?

Matt hit it.  (And Maged beat me to it, but I think I explain more.)

On code signing:
This one is a bit more difficult.  Because Bitcoin will be built deterministically, we have two options.  A. send the code signing private key around to all the devs for that to be a part of the building process (this is even harder as the building happens on Linux via the MinGW cross compiler) or B. find a way to strip out the code signing certificate in the download script and then check the stripped version instead of the signed version.  I googled this pretty quick and saw no simple CLI program which will do this, but I might have missed something as I didnt spend too much time on it.  If anyone finds something, please tell me. 

Bitcoin-qt isn't built in Windows, it is cross-compiled from a Linux.  Even worse, the build process is totally scripted inside a Linux virtual machine.  There are several people that build the binaries in this way, and then they compute hashes on the outputs.  The official releases only get posted after a bunch of people have all built exactly the same files, as verified by the hashes.

To get signed Windows binaries, we would need to distribute the signing key to everyone that builds the releases, which would be bad.  Also, I'm guessing here, but I bet that Microsoft's policies for accepting CA certs for code signing require that the CA have policies that prevent distribution of the keys they hand out.

Phew, I managed to get all of the way through a PKI post without going off onto a tangent about how the current CA scheme used by SSL and everything else is absolutely and totally fucked and broken.  Er, almost.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
September 26, 2012, 05:04:04 AM
 #23

If the objective is to sign the binaries in a Windows-favored style just so that it's signed for the sake of shutting up the OS about untrusted software, just one person doing the signature will accomplish the objective.  That person can just as well sign with a personal (rather than organizational) signature.  Until Windows makes any distinction between once-signed and multiply-signed binaries, the practical difference is moot.  Mac OS X likely falls under the same umbrella.  Multiple PGP signatures can and ought to be checked by those able to do so.

I might point out that someone downloading an update is far more in a position to be scammed than someone downloading the client for the first time, since the updater is far more likely to own coins.  Therefore, I would submit including an automated update mechanism in the client with authentication built in would be the most effective mechanism to bring secure client downloads to bitcoin users.

I believe that Windows binary signing is meant to make sure that code can be connected with a real person or organization.  It wasn't designed to be a technical based control against all rogue code, it's meant to be a legal/social one (where someone who signs something harmful can be identified and held accountable - as well as the certificate revoked - and therefore has an incentive not to abuse it).

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
kjj
Legendary
*
Offline Offline

Activity: 1302
Merit: 1026



View Profile
September 26, 2012, 05:12:12 AM
 #24

If the objective is to sign the binaries in a Windows-favored style just so that it's signed for the sake of shutting up the OS about untrusted software, just one person doing the signature will accomplish the objective.  That person can just as well sign with a personal (rather than organizational) signature.  Until Windows makes any distinction between once-signed and multiply-signed binaries, the practical difference is moot.  Mac OS X likely falls under the same umbrella.  Multiple PGP signatures can and ought to be checked by those able to do so.

I might point out that someone downloading an update is far more in a position to be scammed than someone downloading the client for the first time, since the updater is far more likely to own coins.  Therefore, I would submit including an automated update mechanism in the client with authentication built in would be the most effective mechanism to bring secure client downloads to bitcoin users.

I believe that Windows binary signing is meant to make sure that code can be connected with a real person or organization.  It wasn't designed to be a technical based control against all rogue code, it's meant to be a legal/social one (where someone who signs something harmful can be identified and held accountable - as well as the certificate revoked - and therefore has an incentive not to abuse it).

I think you missed a key point, pun intended.  The build process demands that multiple people all produce exactly the same binary file, bit for bit.  The only way to do this is to have multiple people with the same private signing key, which is bad security, and had certainly better be grounds for revocation of the signing certificate.

You are somewhat right about the technical control / legal control aspect, but it turns out that whatever the intention was, lots of things treat binaries differently based on the validity of the signature.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
September 26, 2012, 06:22:50 AM
 #25

I think you missed a key point, pun intended.  The build process demands that multiple people all produce exactly the same binary file, bit for bit.  The only way to do this is to have multiple people with the same private signing key, which is bad security, and had certainly better be grounds for revocation of the signing certificate.

This is a build process that can be changed as needs arise, right?

Simply eliminate the bytes belonging to the signature field from comparison.  Adding a signature, according to a cursory Google search, simply fills in a pre-allocated signature field inside the executable in a location that can be found deterministically from the executable file headers.  When Microsoft hashes the file for the purpose of signature validation, this field is located and excluded from the hash calculation by design, so a signed binary will hash the same as an unsigned one for their signing purposes.  The build process could do the same.  Then it could automatically confirm that the same binary (minus the signature) was signed by everyone, and then you'd have great security.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Pieter Wuille
Legendary
*
qt
Offline Offline

Activity: 1072
Merit: 1181


View Profile WWW
September 26, 2012, 11:12:16 AM
 #26

Simply eliminate the bytes belonging to the signature field from comparison.  Adding a signature, according to a cursory Google search, simply fills in a pre-allocated signature field inside the executable in a location that can be found deterministically from the executable file headers.  When Microsoft hashes the file for the purpose of signature validation, this field is located and excluded from the hash calculation by design, so a signed binary will hash the same as an unsigned one for their signing purposes.  The build process could do the same.  Then it could automatically confirm that the same binary (minus the signature) was signed by everyone, and then you'd have great security.

Sounds like it's relatively easy to add/remove such a signature from a binary, so it could be done after the gitian building step, and still be verifiable. I'm all in favor of signing released binaries if it helps making Bitcoin trustworthy. I'm totally oblivious about the process to achieve that for Windows binaries, though.

I do Bitcoin stuff.
Diapolo
Hero Member
*****
Offline Offline

Activity: 772
Merit: 500



View Profile WWW
September 26, 2012, 02:25:36 PM
 #27

One additional idea for thrustworthyness, could we compute the hash in the binary (a hash of itself during startup) and compare that agains the reference-hash, which resides on the download server or is stored where it can't be manipulated (no master plan for this though) and warn the user or block program usage, when the hashes don't match? I have to admit I never checked the hash of bitcoin-qt.exe btw. ^^ and I would love if I could easily ensure I have a valid and official binary.

Dia

Liked my former work for Bitcoin Core? Drop me a donation via:
1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x
bitcoin:1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x?label=Diapolo
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
September 26, 2012, 05:06:07 PM
 #28

One additional idea for thrustworthyness, could we compute the hash in the binary (a hash of itself during startup) and compare that agains the reference-hash, which resides on the download server or is stored where it can't be manipulated (no master plan for this though) and warn the user or block program usage, when the hashes don't match? I have to admit I never checked the hash of bitcoin-qt.exe btw. ^^ and I would love if I could easily ensure I have a valid and official binary.

Dia

Problem is that someone who modifies a binary to be malicious will just as easily modify the self-test to falsely report success.

The only self-testing that's really sensible is for the currently installed version to acquire and verify the next version you're about to install to replace it.  The way I see it, this would actually be a strong defense against a whole lot of potential fake-client attack avenues.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Mike Hearn
Legendary
*
expert
Offline Offline

Activity: 1526
Merit: 1134


View Profile
September 26, 2012, 06:06:44 PM
 #29

Agree with Mike, just one quibble - the main usage of PE signatures today is so anti-virus systems can automatically learn reputation. Having a binary signed by a "good" organization that has lots of installs and few/no reports of being a virus means even if the executable/DLL is brand new, it'll be left alone. It also helps AV engines detect modified system libraries. For this reason it's really helpful to let Bitcoin develop a good reputation - it'll reduce AV FPs.

A tool to strip the signatures from EXEs is probably already in existence, if not it'd be easy to write (for either windows or linux, though don't we already depend on Wine?).
stevegee58
Legendary
*
Offline Offline

Activity: 916
Merit: 1003



View Profile
September 26, 2012, 06:11:41 PM
 #30

Bitcoin is an open-source project.  Build the client yourself from source to guarantee you don't run a compromised executable.

That's the whole point of open source.

You are in a maze of twisty little passages, all alike.
kjj
Legendary
*
Offline Offline

Activity: 1302
Merit: 1026



View Profile
September 26, 2012, 06:51:40 PM
 #31

Bitcoin is an open-source project.  Build the client yourself from source to guarantee you don't run a compromised executable.

That's the whole point of open source.

Not a guarantee

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
stevegee58
Legendary
*
Offline Offline

Activity: 916
Merit: 1003



View Profile
September 26, 2012, 07:05:59 PM
 #32

Bitcoin is an open-source project.  Build the client yourself from source to guarantee you don't run a compromised executable.

That's the whole point of open source.

Not a guarantee

Well OK.  I meant you actually *read* the code before building it.

You are in a maze of twisty little passages, all alike.
stevegee58
Legendary
*
Offline Offline

Activity: 916
Merit: 1003



View Profile
September 26, 2012, 07:25:32 PM
 #33

The point is that you have to *trust* the person who signed it.  What if s/he is hacked and a malicious exe is signed and uploaded?

The act of signing doesn't make it trustworthy.

You are in a maze of twisty little passages, all alike.
kjj
Legendary
*
Offline Offline

Activity: 1302
Merit: 1026



View Profile
September 26, 2012, 07:36:21 PM
 #34

Bitcoin is an open-source project.  Build the client yourself from source to guarantee you don't run a compromised executable.

That's the whole point of open source.

Not a guarantee

Well OK.  I meant you actually *read* the code before building it.

Heh.  You didn't read the whole thing.

(He put a backdoor-generator into a C compiler.)

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
September 26, 2012, 07:42:44 PM
 #35

The point is that you have to *trust* the person who signed it.  What if s/he is hacked and a malicious exe is signed and uploaded?

The act of signing doesn't make it trustworthy.

The act of signing makes it independently provable that they signed it, so they can be held accountable for doing so.  Most people will behave better when they know they are accountable for their actions.

The process of requiring multiple people to compile identical binaries before releasing anything mitigates the risk of a person getting hacked.  Having everyone hacked simultaneously when they live far apart is pretty unlikely, and certificate revocation always remains possible if it somehow did happen.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
kuzetsa
Sr. Member
****
Offline Offline

Activity: 369
Merit: 250


View Profile
September 26, 2012, 08:19:09 PM
 #36

((...snip...)) main usage of PE signatures today is so anti-virus systems can automatically learn reputation. Having a binary signed by a "good" organization that has lots of installs and few/no reports of being a virus means even if the executable/DLL is brand new, it'll be left alone. It also helps AV engines detect modified system libraries. For this reason it's really helpful to let Bitcoin develop a good reputation - it'll reduce AV FPs.
((...snip...))

Indeed. Thanks Mike.

Regardless of how open source platform(s) normally do things, over the next release or two, there will likely still be significant market share for microsoft OSes and the respective antivirus and security tech in use.

((...snip...)) I was just looking at my system with Process Explorer and out of the 62 processes, only 3 are not signed. One of them is Bitcoin-qt. Is there any downside to signing?
((...snip...))

I can think of at least two and a half reasons not to sign:

  • Difficulties settling on a method (consensus) for implementing a signature recognized by microsoft OS platforms
  • Assorted reservations, resentment, or paranoia regarding changes to the toolchain and/or methods to produce the signed version. (possibly using a non-free tool, or even a different compiler)
  • If nobody else is willing, I might have to get off my lazy butt and do it myself. NO WANT MY THE EFFORTS!!! (partly joking, but I really could do this myself)



...Edited to add:

Oh, and as for the "unsigned processes" I have a similarly low number of unsigned ones. More than one of my signed processes is even open source.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
September 26, 2012, 08:35:06 PM
 #37

I can think of at least two and a half reasons not to sign:

  • Difficulties settling on a method (consensus) for implementing a signature recognized by microsoft OS platforms
  • Assorted reservations, resentment, or paranoia regarding changes to the toolchain and/or methods to produce the signed version. (possibly using a non-free tool, or even a different compiler)
  • If nobody else is willing, I might have to get off my lazy butt and do it myself. NO WANT MY THE EFFORTS!!! (partly joking, but I really could do this myself)

It sounds to me like the way Microsoft hashes and signs its binaries are based on industry standards and not proprietary toolchains. Search Google for windows portable authenticode executable signature format... it should be possible to validate the signature without a need for Microsoft's OS, possibly with a simple home-made tool.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
kuzetsa
Sr. Member
****
Offline Offline

Activity: 369
Merit: 250


View Profile
September 26, 2012, 09:05:23 PM
 #38

Yep. Google is nice Wink

http://sourceforge.net/projects/libwdi/files/utilities/

Quote
cathash:
multiplatform MS CAT/Authenticode SHA-1 generation. Inspired by the tool of the same name by Michel I. Gallant.

Can be used to compute the custom SHA-1 used by Microsoft and others for Authenticode and CAT file validation.

Unlike its counterpart, this program will compile and run on any platform, including big endian UNIX.
Matt Corallo
Hero Member
*****
expert
Offline Offline

Activity: 755
Merit: 515


View Profile
September 27, 2012, 12:31:51 AM
 #39

Awesome! If anyone has the time to do this, it would need to be applied in gitian updater at:
https://github.com/devrandom/gitian-builder/blob/master/share/gitian_updater.py
(We will (hopefully) eventually use gitian-updater to do automatic updates with signature checking (before anyone starts complaining, yes, with user permission)).

Bitcoin Core, rust-lightning, http://bitcoinfibre.org etc.
PGP ID: 07DF 3E57 A548 CCFB 7530  7091 89BB B866 3E2E65CE
kuzetsa
Sr. Member
****
Offline Offline

Activity: 369
Merit: 250


View Profile
September 27, 2012, 03:18:43 AM
 #40

Quote from: gitian_updater.py date=2012-08-08
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE

...

@Matt Corallo

 Huh Uh... what?

That's not what a signed binary means. This is GPG, not "authenticode" (so it's not the type used on the microsoft OS platforms)

The original post wasn't requesting "auto update" either.  Roll Eyes
Pages: « 1 [2] 3 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!