Bitcoin Forum
October 04, 2024, 02:34:23 PM *
News: Latest Bitcoin Core release: 27.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 4 5 6 7 8 »  All
  Print  
Author Topic: Verifying Bitcoin Core  (Read 199850 times)
theymos (OP)
Administrator
Legendary
*
Offline Offline

Activity: 5334
Merit: 13309


View Profile
August 18, 2016, 12:34:48 AM
Last edit: September 18, 2018, 09:38:48 PM by theymos
Merited by EFS (20), franckuestein (5), ABCbits (4), fruit (2), kotajikikox (1), DireWolfM14 (1), BTCGalaxyA12 (1)
 #1

It is important to verify the integrity of Bitcoin Core before running it. Depending on how you downloaded it, it may have been modified in transit to do something evil when run. The server hosting the download may also have been compromised.

Even if all of your favorite Bitcoin websites are yelling at you to immediately download something lest you lose all of your coins, you should NEVER run Bitcoin Core software without verifying it first.

Easy way 1

Final Windows and Mac installers are digitally signed by The Bitcoin Foundation. (Note that The Bitcoin Foundation is not actually strongly associated with Bitcoin development -- it is just convenient for them to sign the releases.) On Windows, you can check this by right clicking the installer, choosing properties, and then going to the Digital Signatures tab. Check that it is signed by The Bitcoin Foundation, Inc..

Prerelease versions are generally not signed.

Easy way 2

Get the sha256 hash of the Bitcoin Core release you downloaded. On Linux, you can run, for example, sha256sum bitcoin-0.16.3-x86_64-linux-gnu.tar.gz. On Windows you can run (at a command prompt) certUtil -hashfile bitcoin-0.16.3-win32.zip SHA256. On Mac OS X, you can run shasum -a 256 bitcoin-0.16.3-osx.dmg.

The hashes of the most recent release and prerelease versions are below. Hashes for older versions are available here (SHA256SUMS.asc under each version is a text file that can be opened with any text editor). Simply verifying the hashes of the Bitcoin Core release you downloaded against the appropriate hash in the list here will provide some extra security, but ideally you should also use OpenPGP software such as gpg to verify that the hashes were signed by someone you trust.

0.16.3

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

0768c6c15caffbaca6524824c9563b42c24f70633c681c2744649158aa3fd484  bitcoin-0.16.3-aarch64-linux-gnu.tar.gz
fb2818069854a6ad20ea03b28b55dbd35d8b1f7d453e90b83eace5d0098a2a87  bitcoin-0.16.3-arm-linux-gnueabihf.tar.gz
75a537844313b0a84bdb61ffcdc5c4ce19a738f7ddf71007cd2edf664efd7c37  bitcoin-0.16.3-i686-pc-linux-gnu.tar.gz
78c3bff3b619a19aed575961ea43cc9e142959218835cf51aede7f0b764fc25d  bitcoin-0.16.3-osx64.tar.gz
c67e382b05c26640d95d8dddd9f5203f7c5344f1e1bb1b0ce629e93882dbb416  bitcoin-0.16.3-osx.dmg
836eed97dfc79cff09f356e8fbd6a6ef2de840fb9ff20ebffb51ccffdb100218  bitcoin-0.16.3.tar.gz
1fe280a78b8796ca02824c6e49d7873ec71886722021871bdd489cbddc37b1f3  bitcoin-0.16.3-win32-setup.exe
e3d6a962a4c2cbbd4798f7257a0f85d54cec095e80d9b0f543f4c707b06c8839  bitcoin-0.16.3-win32.zip
bd48ec4b7e701b19f993098db70d69f2bdc03473d403db2438aca5e67a86e446  bitcoin-0.16.3-win64-setup.exe
52469c56222c1b5344065ef2d3ce6fc58ae42939a7b80643a7e3ee75ec237da9  bitcoin-0.16.3-win64.zip
5d422a9d544742bc0df12427383f9c2517433ce7b58cf672b9a9b17c2ef51e4f  bitcoin-0.16.3-x86_64-linux-gnu.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJboV68AAoJEJDIAZ42wulkrD0P/iULbLc7SRAXPPaQDxRV+nXO
bTOF3Ueti1hOY9/02drnfd5z2HNYuZGJvL4t5UuVrSM/KGPbwMNPq0MLoVqp0z91
yWCPTUdbjnvstJ5maFSZ3EHHrmKKR/8Ue6VVT1rDwZHTjKSUMli05QhRWsQsGgdp
gVrCId/572xJw9R7QGtcatoP1Y+LpDf3PGsfSn7YLzezvXMDjrgYAXaW/QYPbl5I
+vGSmNPhjnQpatVgg7OnLgyCAul7Rqq898MURpAboMC7qgbsINZ4UVha0IqFPWt9
HS9z84wtOsV69gDro5BpgtMSXjvjdTAOs9wq+VGgxfZf1K3kFZ6zVmrP/Ea/HJKV
WbIYNyvW/bnK/GA2gfciqmjAL0xjhWnCzBdrFSbIAHbfoHIOeSw2TSJ90Oiqb1ch
cgIWZpEzoteVtMEoSOhCiPFHEAYOO8DiBkqLUgc0CkkcXfffeQEO/OvqGOJe1zAo
O1sWR/na0d9qv4qVK/jNCKIHjtF24npdqgdDjyKdMOGBkS1pgSGwkH8Hd7cffJJm
LZswdRm2rEmchmqhVXwvYRlmU5nhAyb2GrW5g78DyTPbKCO+z7ejYfM7h6YQQHS3
Y1x/vMdf092djWF0jvr52WtbPfcYL9OCWgTB6LLlXhfPhqPUoiYzcFIO2obRwXR1
FZnWhOUcfsVHgmbN1g6b
=/Gqy
-----END PGP SIGNATURE-----

To verify the signatures, first install GPG. Then import the necessary PGP public keys (see below). Then get to a command prompt and do this:

Code:
gpg --verify
# Paste the signature here, like:
-----BEGIN PGP SIGNED MESSAGE-----
...
-----END PGP SIGNATURE-----
# Enter Ctrl-D (Linux) or Ctrl-Z (Windows) to signal the end
# You'll get something like this if the signature is OK:
gpg: Signature made 09/29/14 09:44:14 Central Daylight Time
using RSA key ID 2346C9A6
gpg: Good signature from "Wladimir J. van der Laan <...>"

Gitian signature verification

Bitcoin developers and other interested people sign every release of Bitcoin Core using gitian. To verify a downloaded version:

  • Go to the gitian sigs page and choose the correct version. Versions that end in "rc1" are older prerelease versions of versions without any rc suffix. Choose the link that ends with "-win" for Windows, "-osx" for Mac OS X, or "-linux" for Linux.
  • Once you're at the correct version, there are links for all of the different people who signed that release. Choose a few people who you trust. You will need their PGP public keys (see below).
  • For each person, download the raw version of both files. With both files in the same directory, run gpg --verify *.assert.sig. Verify that the signature is OK.
  • Open the .assert file in a text editor. This is a list of SHA-256 hashes for a bunch of files. You should verify that the Bitcoin Core download you're going to use exists in the "out_manifest" section and has a matching hash. In some cases, you may need to check several files if the out_manifest contains the contents of an archive that you downloaded. Note that Windows and OS X installers generally will not have matching hashes due to issues with embedded signatures in the installers -- use the zip/tar.gz releases instead.

Building gitian releases

You can personally build Bitcoin Core and check that it matches the official release. See here.

Note that the digitally signed installers cannot be verified in this way because you would need to know the private key of the digital signature signing key in order to reproduce the installer.

Common PGP keys

Here are a few PGP public keys that you might need. You can usually just paste the whole thing into a command prompt:
https://bitcointalk.org/verify_pubkeys.txt

If you're using the default trust model, and you've already created a key for yourself with gpg --gen-key, then you'll also want to locally sign these keys. Do that like this for each key-id, saying yes if it asks whether you want to sign all user IDs:

Code:
gpg --lsign 0x71A3B16735405025D447E8F274810B012346C9A6

With bash on Linux, this will lsign all of the public keys in that file:

Code:
for k in \
0x71A3B16735405025D447E8F274810B012346C9A6 \
0x01EA5486DE18A882D4C2684590C8019E36C2E964 \
0xDE47BC9E6D2DA6B02DC610B1AC859362B0413BFA \
0x5E6B3F3BA961193C5C9B4435C6555693DAB591E7 \
0xE463A93F5F3117EEDE6C7316BD02942421F4889F \
0x152812300785C96444D3334D17565732E08E5E41
do gpg --lsign $k
done

Note that it isn't the greatest to trust random pages on the Internet when importing keys. For example, a bitcointalk.org moderator could replace the above keys with different keys that are all under his control and then post an emergency "urgent upgrade required!" link somewhere pointing to wallet-stealing malware signed by the keys that he placed here. PGP has the concept of a "PGP Web of Trust" that people are theoretically supposed to use to prevent this sort of thing, but it's complicated and doesn't work very well, so pretty much no one actually uses it. If you're not already familiar with PGP, then it's best to just import and use these keys, which will at least protect you from attacks carried out in the future. But if you're serious about security, you should probably read a few guides on PGP and at least try to get verification from several different sites/people about a key's authenticity in the future. For example, many of these keys are also available on bitcoin.org. (All of the Bitcoin Core download/verification info has been republished on bitcointalk.org partly to provide some protection/redundancy in the case of bitcoin.org being compromised.)

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
achow101
Staff
Legendary
*
Offline Offline

Activity: 3514
Merit: 6842


Just writing some code


View Profile WWW
August 18, 2016, 01:06:28 AM
 #2

Final Windows and Mac installers are digitally signed by The Bitcoin Foundation. (Note that The Bitcoin Foundation is not actually strongly associated with Bitcoin development -- it is just convenient for them to sign the releases.) On Windows, you can check this by right clicking the installer, choosing properties, and then going to the Digital Signatures tab. Check that it is signed by The Bitcoin Foundation, Inc..

Prerelease versions are generally not signed.
Actually they are. The signatures are included in detached form at https://github.com/bitcoin-core/bitcoin-detached-sigs. These are combined with the unsigned versions to create signed versions. This is done for every single version, including prereleases.

Note that the digitally signed installers cannot be verified in this way because you would need to know the private key of the digital signature signing key in order to reproduce the installer.
Same thing as above.

Also, for verifying gitian signatures, all of the keys used by everyone who has built gitian binaries is located at https://github.com/bitcoin/bitcoin/tree/master/contrib/gitian-keys

Gumballinabattleaxeninja
Full Member
***
Offline Offline

Activity: 182
Merit: 100


View Profile
August 18, 2016, 03:26:34 AM
 #3

What I want to know is, what "State" is sponsoring this malicious attack? Is it China? The USA? I would imagine a collective of countries conversing on this and funding the attackers with Bitcoin, since fiat is so traceable nowadays.
OmegaStarScream
Staff
Legendary
*
Offline Offline

Activity: 3626
Merit: 6353



View Profile
August 18, 2016, 07:57:57 AM
 #4

I was always wondering how people could sign those downloads ,thanks for the tutorial theymos  Shocked

Quote
The server hosting the download may also have been compromised

Are you speaking about scenarios that could happen ? or there is an actual threat going on, because I don't understand why It became suddenly important to verify signature while we didn't see such a thread in the past.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
bet4btc
Newbie
*
Offline Offline

Activity: 17
Merit: 0


View Profile WWW
August 18, 2016, 08:48:55 AM
 #5

What about if i have Ubuntu with Bitcoin core in the PPA?  its auto updating it, i dont do anything manually beside clicking on Update  Huh
johnsmithx
Hero Member
*****
Offline Offline

Activity: 589
Merit: 507

I don't buy nor sell anything here and never will.


View Profile
August 18, 2016, 09:26:55 AM
 #6

Even if all of your favorite Bitcoin websites are yelling at you to immediately download something lest you lose all of your coins,

That's an absolutely impossible assumption. I understand the OP was just trying to make a point but he chose a wrong example, or at the very least a very nonsensical wording. If any website or person ever claims that you have to download anything (or do anything in general) otherwise you lose your coins then they are either lying or retarded. Your coins are your coins and to keep them you don't have to do absolutely anything.

Now if any reader is that stupid that they would actually believe such a nonsense then they shall lose all their coins, they don't deserve to even use their computer. Stupid people are the worst danger to society, vast majority of all the suffering throughout the human history was caused by the human stupidity.

My list of 43(+3) reviewed Bitcoin forks | You don't have to download the pre-fork blockchain again for each fork! | Beware of fraudulent AWS accounts sellers and dangerous edu AWS codes! + My personal list of legit sellers and scammers | Never publicly reveal your btc addresses, ownership or any other details and stay very far away from anybody who asks you to! | The general rule of safe buying is: if the seller is a newbie, with no reputation, with no topic nor trust feedback, offering no vouches and/or selling from a locked or self-moderated topic and unwilling to go first or use escrow => AVOID. Always check the trust feedback first and make sure that you have enabled "Show untrusted feedback by default" in "Profile / Forum Profile Information".
Steampunk
Newbie
*
Offline Offline

Activity: 25
Merit: 0


View Profile
August 18, 2016, 10:15:24 AM
 #7



Are you speaking about scenarios that could happen ? or there is an actual threat going on, because I don't understand why It became suddenly important to verify signature while we didn't see such a thread in the past.

Wondering too.
achow101
Staff
Legendary
*
Offline Offline

Activity: 3514
Merit: 6842


Just writing some code


View Profile WWW
August 18, 2016, 10:24:41 AM
 #8



Are you speaking about scenarios that could happen ? or there is an actual threat going on, because I don't understand why It became suddenly important to verify signature while we didn't see such a thread in the past.

Wondering too.
Cobra made an alert on bitcoin.org: https://bitcoin.org/en/alert/2016-08-17-binary-safety but no one knows why he did it and what he means by it. So right now now the assumption is that something nasty have been compromised, but there is no proof of any such compromise yet.

TheKB
Sr. Member
****
Offline Offline

Activity: 315
Merit: 250


View Profile
August 18, 2016, 10:38:15 AM
 #9

Even if all of your favorite Bitcoin websites are yelling at you to immediately download something lest you lose all of your coins,

That's an absolutely impossible assumption. I understand the OP was just trying to make a point but he chose a wrong example, or at the very least a very nonsensical wording. If any website or person ever claims that you have to download anything (or do anything in general) otherwise you lose your coins then they are either lying or retarded. Your coins are your coins and to keep them you don't have to do absolutely anything.

Now if any reader is that stupid that they would actually believe such a nonsense then they shall lose all their coins, they don't deserve to even use their computer. Stupid people are the worst danger to society, vast majority of all the suffering throughout the human history was caused by the human stupidity.

you just referenced half a sentence and started bashing the OP with what you think. the point was to emphasize "you should NEVER run Bitcoin Core software without verifying it first" which you conveniently omitted altogether.
LoyceV
Legendary
*
Offline Offline

Activity: 3458
Merit: 17482


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
August 18, 2016, 10:48:13 AM
 #10

What about if i have Ubuntu with Bitcoin core in the PPA?  its auto updating it, i dont do anything manually beside clicking on Update  Huh
You do the same for your core system: just click to update. It could even be set to auto-update.
If you can't trust the Bitcoin core in there, you can't trust the rest of your system. And if you can't trust the rest of your system, not only Bitcoin but also your online banking could be compromised.

So far I trust my operating system, and it's almost impossible for me to check if it's compromised anyway.

alani123
Legendary
*
Offline Offline

Activity: 2548
Merit: 1498



View Profile
August 18, 2016, 10:54:25 AM
 #11

Thanks theymos. Verifying the integrity of software to run on people's machines should be a standard for everyone and I'm glad that it's being taken care so thoroughly by people associated with bitcoin development. Excellent security practices are always welcome, especially given that bitcoin's transactions were designed to be trustless.

███████████████████████████
███████▄████████████▄██████
████████▄████████▄████████
███▀█████▀▄███▄▀█████▀███
█████▀█▀▄██▀▀▀██▄▀█▀█████
███████▄███████████▄███████
███████████████████████████
███████▀███████████▀███████
████▄██▄▀██▄▄▄██▀▄██▄████
████▄████▄▀███▀▄████▄████
██▄███▀▀█▀██████▀█▀███▄███
██▀█▀████████████████▀█▀███
███████████████████████████
 
 Duelbits 
██
██
██
██
██
██
██
██

██

██

██

██

██
TRY OUR UNIQUE GAMES!
    ◥ DICE  ◥ MINES  ◥ PLINKO  ◥ DUEL POKER  ◥ DICE DUELS   
█▀▀











█▄▄
 
███
▀▀▀
███
▀▀▀
███
▀▀▀
███
▀▀▀

███
▀▀▀
███
▀▀▀
 
███
▀▀▀

███
▀▀▀
███
▀▀▀
███
▀▀▀
███
▀▀▀
███
▀▀▀
 
███
▀▀▀
███
▀▀▀
███
▀▀▀
███
▀▀▀

███
▀▀▀
███
▀▀▀
 
███
▀▀▀
███
▀▀▀
███
▀▀▀

███
▀▀▀
███
▀▀▀
███
▀▀▀
 
███
▀▀▀
███
▀▀▀

███
▀▀▀
███
▀▀▀
███
▀▀▀

███
▀▀▀
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
 KENONEW 
 
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀█











▄▄█
10,000x
 
MULTIPLIER
██
██
██
██
██
██
██
██

██

██

██

██

██
 
NEARLY
UP TO
50%
REWARDS
██
██
██
██
██
██
██
██

██

██

██

██

██
[/tabl
yayayo
Legendary
*
Offline Offline

Activity: 1806
Merit: 1024



View Profile
August 18, 2016, 12:01:49 PM
 #12

Thanks theymos. Verifying the integrity of software to run on people's machines should be a standard for everyone and I'm glad that it's being taken care so thoroughly by people associated with bitcoin development. Excellent security practices are always welcome, especially given that bitcoin's transactions were designed to be trustless.

Agreed. It's good to have a competent individual hosting the forum that cares about security. I think the importance of signature verification will increase as Bitcoin becomes more widely used. Because it is financial software that enables direct access to real value Bitcoin Core is a very attractive target for all kinds of hacking / fraudulent activity - with faked downloads being on the low end of the complexity range.

In addition to the activities of ordinary criminals, we should also be aware that government agencies are highly interested in tracking payments...

ya.ya.yo!


.
..1xBit.com   Super Six..
▄█████████████▄
████████████▀▀▀
█████████████▄
█████████▌▀████
██████████  ▀██
██████████▌   ▀
████████████▄▄
███████████████
███████████████
███████████████
███████████████
███████████████
▀██████████████
███████████████
█████████████▀
█████▀▀       
███▀ ▄███     ▄
██▄▄████▌    ▄█
████████       
████████▌     
█████████    ▐█
██████████   ▐█
███████▀▀   ▄██
███▀   ▄▄▄█████
███ ▄██████████
███████████████
███████████████
███████████████
███████████████
███████████████
███████████████
███████████▀▀▀█
██████████     
███████████▄▄▄█
███████████████
███████████████
███████████████
███████████████
███████████████
         ▄█████
        ▄██████
       ▄███████
      ▄████████
     ▄█████████
    ▄███████
   ▄███████████
  ▄████████████
 ▄█████████████
▄██████████████
  ▀▀███████████
      ▀▀███
████
          ▀▀
          ▄▄██▌
      ▄▄███████
     █████████▀

 ▄██▄▄▀▀██▀▀
▄██████     ▄▄▄
███████   ▄█▄ ▄
▀██████   █  ▀█
 ▀▀▀
    ▀▄▄█▀
▄▄█████▄    ▀▀▀
 ▀████████
   ▀█████▀ ████
      ▀▀▀ █████
          █████
       ▄  █▄▄ █ ▄
     ▀▄██▀▀▀▀▀▀▀▀
      ▀ ▄▄█████▄█▄▄
    ▄ ▄███▀    ▀▀ ▀▀▄
  ▄██▄███▄ ▀▀▀▀▄  ▄▄
  ▄████████▄▄▄▄▄█▄▄▄██
 ████████████▀▀    █ ▐█
██████████████▄ ▄▄▀██▄██
 ▐██████████████    ▄███
  ████▀████████████▄███▀
  ▀█▀  ▐█████████████▀
       ▐████████████▀
       ▀█████▀▀▀ █▀
.
Premier League
LaLiga
Serie A
.
Bundesliga
Ligue 1
Primeira Liga
.
..TAKE PART..
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2982
Merit: 2371


View Profile
August 18, 2016, 02:17:18 PM
 #13



Are you speaking about scenarios that could happen ? or there is an actual threat going on, because I don't understand why It became suddenly important to verify signature while we didn't see such a thread in the past.

Wondering too.
Cobra made an alert on bitcoin.org: https://bitcoin.org/en/alert/2016-08-17-binary-safety but no one knows why he did it and what he means by it. So right now now the assumption is that something nasty have been compromised, but there is no proof of any such compromise yet.
Nothing has been compromised, at least the post does not indicate that anything has been compromised. The post seems to imply that something might get compromised in the near future, possibly by a state sponsored actor.

Someone suggested in the self-moderated thread that this was something to potentially discredit the Chinese miners in the future if they were to start to support a HF for a larger block size. I have no reason to trust cobra, and several reasons to distrust him, and cannot rule the above out.
 

★ ★ ██████████████████████████████[█████████████████████
██████████████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████████
███████████████████████████████████████████████████████████████████
████████████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████████
███████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████
████████████████████████████████████████████████████████████
███████████████████████████████████████████████████████████████████
★ ★ 
spazzdla
Legendary
*
Offline Offline

Activity: 1722
Merit: 1000


View Profile
August 18, 2016, 02:42:10 PM
 #14

Sweet!! Thanks this will be very useful.
Timelord2067
Legendary
*
Offline Offline

Activity: 3808
Merit: 2235


💲🏎️💨🚓


View Profile
August 18, 2016, 03:31:26 PM
 #15

I've been revisiting PGP in recent times and was thinking the other day that I should import a few of the need to know PGP keys, so thanks for the heads up about the next update and the precautions a person should take.

Safety first.

BTW, I have discovered a glitch in KeyBase.Io public keys being incompatible with PGP and Kleopatra.

SpiryGolden
Hero Member
*****
Offline Offline

Activity: 812
Merit: 500



View Profile
August 18, 2016, 05:01:54 PM
 #16

I am having a hard time to understand why 0.13.0 ? When next to release is 0.12.2 with Segwit Code. My guess is that 0.13.0 doesn't have public binaries and no yet compiled. How can a binary can be compromised in a way like that? I mean seriously they put a warning on a far in future code to be public that is under their control isn't it? This means the whole code can be compromised?

theymos (OP)
Administrator
Legendary
*
Offline Offline

Activity: 5334
Merit: 13309


View Profile
August 18, 2016, 05:06:57 PM
 #17

I am having a hard time to understand why 0.13.0 ? When next to release is 0.12.2 with Segwit Code. My guess is that 0.13.0 doesn't have public binaries and no yet compiled. How can a binary can be compromised in a way like that? I mean seriously they put a warning on a far in future code to be public that is under their control isn't it? This means the whole code can be compromised?

There's no flaw in 0.13.0 itself. The concern is that for the next major release, an attack might be attempted as everyone rushes to upgrade. If the Core devs had to do a non-SegWit 0.12.2 bugfix release, then the warning would apply equally to that.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
SpiryGolden
Hero Member
*****
Offline Offline

Activity: 812
Merit: 500



View Profile
August 18, 2016, 05:23:34 PM
 #18

I am having a hard time to understand why 0.13.0 ? When next to release is 0.12.2 with Segwit Code. My guess is that 0.13.0 doesn't have public binaries and no yet compiled. How can a binary can be compromised in a way like that? I mean seriously they put a warning on a far in future code to be public that is under their control isn't it? This means the whole code can be compromised?

There's no flaw in 0.13.0 itself. The concern is that for the next major release, an attack might be attempted as everyone rushes to upgrade. If the Core devs had to do a non-SegWit 0.12.2 bugfix release, then the warning would apply equally to that.

I understand, thanks for explanation. So that means between the dev and hosting server a MITM might happen? And that is the warning for, in order to learn people to be more vigilant. I am correct?
CanaryInTheMine
Donator
Legendary
*
Offline Offline

Activity: 2352
Merit: 1060


between a rock and a block!


View Profile
August 18, 2016, 06:09:10 PM
 #19

Get the sha256 hash of the Bitcoin Core release you downloaded. On Windows, this requires an extra tool such as HashTab.

The suggested HashTab tool is not useful on Windows.  If you get it and check the properties tab, the sha256 sum is not there.  Either additional instructions to enable it are required or a different tool should be suggested: (such as http://www.labtestproject.com/using_windows/step_by_step_using_sha256sum_on_windows_xp.html)

Otherwise, reddit and/or forum could get inundated with posts from windows users who will report that their windows system got a compromised 13th version when they download it.
OmegaStarScream
Staff
Legendary
*
Offline Offline

Activity: 3626
Merit: 6353



View Profile
August 18, 2016, 06:34:21 PM
 #20


Note that it isn't the greatest to trust random pages on the Internet when importing keys. For example, a bitcointalk.org moderator could replace the above keys with different keys that are all under his control and then post an emergency "urgent upgrade required!" link somewhere pointing to wallet-stealing malware signed by the keys that he placed here.

You could simply sign a message with one of your known public addresses, if you are concerned that a forum moderater could change your post. Sign the whole post (if a signed message that long is possible) or else only sign a message with the PGP keys.

What would that change ? even If we quote him , moderators have the ability to delete our posts. (If not edit them as well - depends on the privileges theymos gave them)

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Pages: [1] 2 3 4 5 6 7 8 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!