SebastianJu (OP)
Legendary
 Offline
Activity: 2674
Merit: 1082
Legendary Escrow Service - Tip Jar in Profile
|
 |
April 30, 2013, 05:28:37 PM |
|
Hello,
is there a way to check out a signed message on a website?
Thanks!
|
Please ALWAYS contact me through bitcointalk pm before sending someone coins.
|
|
|
|
|
|
|
|
|
|
|
|
In order to achieve higher forum ranks, you need both activity points and merit points.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
mobile4ever
|
 |
April 30, 2013, 05:39:49 PM |
|
Hello,
is there a way to check out a signed message on a website?
Thanks!
Usually the whole server is verified when you see the yellow lock in your browser. The page you are looking at would then be verified as well. You just want to verify a "signed message"? |
|
|
|
|
kjj
Legendary
Offline
Activity: 1302
Merit: 1024
|
|
April 30, 2013, 06:06:13 PM |
|
I think he is asking if anyone is running a web service that can accept a hex (or whatever) bitcoin transaction string and indicate if the signature is valid or not.
I'm not aware of any sites that do that. That doesn't mean there aren't any.
I just had to check, and it appears that the decoderawtransaction RPC command does not validate the signatures, so making such a thing isn't as simple as just slapping up a bitcoind and a couple lines of PHP.
|
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs. You should too.
|
|
|
dserrano5
Legendary
Offline
Activity: 1974
Merit: 1029
|
|
April 30, 2013, 07:29:20 PM |
|
I just had to check, and it appears that the decoderawtransaction RPC command does not validate the signatures, so making such a thing isn't as simple as just slapping up a bitcoind and a couple lines of PHP.
I think he wants to verify a signed message, ie what bitcoin does with verifymessage. That can be easily put behind a quick script |
|
|
|
|
SebastianJu (OP)
Legendary
Offline
Activity: 2674
Merit: 1082
Legendary Escrow Service - Tip Jar in Profile
|
|
April 30, 2013, 07:33:48 PM |
|
I just had to check, and it appears that the decoderawtransaction RPC command does not validate the signatures, so making such a thing isn't as simple as just slapping up a bitcoind and a couple lines of PHP.
I think he wants to verify a signed message, ie what bitcoin does with verifymessage. That can be easily put behind a quick script I didnt think that there are so many interpretations but i meant the functionality where one can sign a message with an address one owns. This way another person can verify that the other person owns that address. For example verifying that an address is bound to a username here in the forum. |
Please ALWAYS contact me through bitcointalk pm before sending someone coins.
|
|
|
franky1
Legendary
Offline
Activity: 4200
Merit: 4442
|
|
April 30, 2013, 07:55:29 PM |
|
I just had to check, and it appears that the decoderawtransaction RPC command does not validate the signatures, so making such a thing isn't as simple as just slapping up a bitcoind and a couple lines of PHP.
I think he wants to verify a signed message, ie what bitcoin does with verifymessage. That can be easily put behind a quick script yep. bitcoin qt /bitcoind has RPC api calls commands. the command verifymessage <bitcoinaddress> <signature> <message> will verify the message came from that bitcoin address https://en.bitcoin.it/wiki/API_reference_(JSON-RPC)that link should help you get started |
I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
|
|
|
BurtW
Legendary
Offline
Activity: 2646
Merit: 1130
All paid signature campaigns should be banned.
|
|
April 30, 2013, 07:58:18 PM |
|
You can sign messages with your private keys and check signed messages from your blockchain.info wallet, which is a web site. Does that work for you?
|
Our family was terrorized by Homeland Security. Read all about it here: http://www.jmwagner.com/ and http://www.burtw.com/ Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated! |
|
|
kjj
Legendary
Offline
Activity: 1302
Merit: 1024
|
|
April 30, 2013, 07:59:45 PM |
|
I just had to check, and it appears that the decoderawtransaction RPC command does not validate the signatures, so making such a thing isn't as simple as just slapping up a bitcoind and a couple lines of PHP.
I think he wants to verify a signed message, ie what bitcoin does with verifymessage. That can be easily put behind a quick script I didnt think that there are so many interpretations but i meant the functionality where one can sign a message with an address one owns. This way another person can verify that the other person owns that address. For example verifying that an address is bound to a username here in the forum. Oh, that? Well, that is certainly easy enough. <?php
$rpc_user="";
$rpc_pass="";
$rpc_port=8332;
require_once("jsonRPCClient.php");
$rpc=new jsonRPCClient('http://'.$rpc_user.':'.$rpc_pass.'@localhost:'.$rpc_port.'/');
if(isset($_POST['submit'])){
try{
echo "Address: ".$_POST['address']."<BR>\n";
echo "Signature: ".$_POST['signature']."<BR>\n";
echo "Message: ".$_POST['message']."<BR>\n";
if($rpc->verifymessage($_POST['address'],$_POST['signature'],$_POST['message'])){
echo "Valid.<BR>";
}else{
echo "Invalid.<BR>";
}
}catch(Exception $e){
echo "Error.\n";
}
echo "<HR>";
}
echo "<HTML><BODY>\n";
echo "<FORM method=POST>\n";
echo "Address: <INPUT type=text size=40 name=address";
if(isset($_POST['address']))echo " value=\"".$_POST['address']."\"";
echo "><BR>\n";
echo "Signature: <INPUT type=text size=40 name=signature";
if(isset($_POST['signature']))echo " value=\"".$_POST['signature']."\"";
echo "><BR>\n";
echo "Message: <TEXTAREA name=message>";
if(isset($_POST['signature']))echo $_POST['message'];
echo "</TEXTAREA><BR>\n";
echo "<INPUT type=submit name=submit value=\"Verify\">\n";
echo "</FORM>\n";
echo "</BODY></HTML>\n";
?>
|
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs. You should too.
|
|
|
|
|
SebastianJu (OP)
Legendary
Offline
Activity: 2674
Merit: 1082
Legendary Escrow Service - Tip Jar in Profile
|
|
April 30, 2013, 08:27:45 PM |
|
Am i right or does this all need the bitcoin-qt wallet running on the pc you want to test it with or in case of blockchain.info having a wallet there? I thought more of a link that can provide the info if a signed message is valid. Then one could, for example post a link into a thread, clicking it and the info is checked. Maybe the info has to be stored on the target website because the verificationstring contains special signs. A shortcutlink like the url shorteners use maybe. On the other hand, maybe urls can handle it good enough so that the url can contain everything as parameters. I now linked to How to sign/verify messages? to show how it can be done with the original client. But it involves some work to check it out. A faster way would be interesting. Clicking a link and done. Only having to check if the input-data is correct at the target website. |
Please ALWAYS contact me through bitcointalk pm before sending someone coins.
|
|
|
|
|
kjj
Legendary
Offline
Activity: 1302
Merit: 1024
|
|
April 30, 2013, 08:43:17 PM |
|
Am i right or does this all need the bitcoin-qt wallet running on the pc you want to test it with or in case of blockchain.info having a wallet there?
The code I posted needs a connection to a bitcoind node, yes. But anyone that wants to is free to toss it on a webserver and provide the service. I'd recommend doing it on a box that isn't also hosting a wallet. I'm not aware of any vulnerabilities involved in passing user-provided data to the RPC interface in that context, but it may be a good idea to sanitize the inputs first. That's kinda why I'd rather not host it on any of my servers. |
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs. You should too.
|
|
|
flatfly
Legendary
Offline
Activity: 1078
Merit: 1011
760930
|
|
April 30, 2013, 10:51:42 PM |
|
|
|
|
|
|
BurtW
Legendary
Offline
Activity: 2646
Merit: 1130
All paid signature campaigns should be banned.
|
|
April 30, 2013, 11:28:35 PM |
|
Now that is cool and I think we have the answer he was actually looking for. |
Our family was terrorized by Homeland Security. Read all about it here: http://www.jmwagner.com/ and http://www.burtw.com/ Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated! |
|
|
SebastianJu (OP)
Legendary
Offline
Activity: 2674
Merit: 1082
Legendary Escrow Service - Tip Jar in Profile
|
|
April 30, 2013, 11:42:19 PM |
|
Very nice.  Nearly exactly what i was looking for. Not fully automatic but when i see the sourcecode then the form uses get. Maybe its possible to implement the message and signature into the url. Anyway, i think its helpful to have such tool without having to use a wallet for verifications. But im wondering... the sign-function... is it really a good idea to send out the private key to a website? |
Please ALWAYS contact me through bitcointalk pm before sending someone coins.
|
|
|
|
mobile4ever
|
|
May 01, 2013, 12:27:34 AM |
|
But im wondering... the sign-function... is it really a good idea to send out the private key to a website?
If you can have an https connection it shoud not be a problem, if you trust the site. |
|
|
|
|
SebastianJu (OP)
Legendary
Offline
Activity: 2674
Merit: 1082
Legendary Escrow Service - Tip Jar in Profile
|
|
May 01, 2013, 12:33:01 AM |
|
But im wondering... the sign-function... is it really a good idea to send out the private key to a website?
If you can have an https connection it shoud not be a problem, if you trust the site. The site is the risk i believe. I think i wont recommend the sign-function to someone. Even when the websiteowner is legit websites can be hacked. I dont want to hear that someone is losing money because i sent him there. But i think the fewest people will know this key. But the verification is nice... |
Please ALWAYS contact me through bitcointalk pm before sending someone coins.
|
|
|
dashingriddler
Legendary
Offline
Activity: 1258
Merit: 1001
|
|
June 11, 2013, 02:36:05 PM |
|
Based on the source code on github, the private key is not going to their server at all. It is javascript calculation and implementation - so it is just client side.
|
|
|
|
|
