Bitcoin Forum
April 23, 2014, 02:22:50 PM *
Author Topic: req: howto verify bitcoin archive authenticity  (Read 1494 times)
osmosis
Sr. Member
October 26, 2011, 05:33:44 AM
 #1

If someone would like to link to or share a howto for verifying the authenticity of the bitcoin tar.gz file after download, that would be helpful. Replacing the binaries that get downloaded seems like an obvious attack vector, and I don't know anything about sourceforge's security.
ovidiusoft
Sr. Member
October 26, 2011, 07:25:31 AM
 #2

Download them from GitHub[1], there's a SHA1 sum file there you can check against. But if you want security, you should really download the source code from GitHub, audit and compile it yourself.

[1] https://github.com/bitcoin/bitcoin/downloads
osmosis
Sr. Member
October 26, 2011, 08:24:04 PM
 #3

Quote
Download them from GitHub[1], there's a SHA1 sum file there you can check against. But if you want security, you should really download the source code from GitHub, audit and compile it yourself.

[1] https://github.com/bitcoin/bitcoin/downloads


As an expanding community we should not be suggesting to everyone to read the source code themselves. Having the open source code available to be viewed is a core aspect of the bitcoin model, but only a niche group is up to this task. Checking a signed signature of the bitcoin download file is something that a lot more people can do, and I am not aware of any community docs produced yet to support this. I may be building one, and I invite others to contribute in this thread.
luv2drnkbr
Hero Member
October 26, 2011, 11:07:37 PM
 #4

The sha1 checksum file is a SIGNED message from Gavin's PGP key, which lists the hashes of the files.  Assuming you know how to get the hash of a file, that's just as good as a sig file in terms of ensuring the integrity of the package.  (Although I keep getting a "signature NOT valid" error when I verify the pgp message that is the checksum file, which is a bit disconcerting.)

DeathAndTaxes
Donator
Hero Member
October 27, 2011, 12:00:18 AM
 #5

To verify authenticity you must do two things:
1) compare the SHA-1 hash of the file you have downloaded to the hash in the SHA1SUMS.asc text file.
2) verify that the signature on the document validates against Gavin's public key.

If you only do #1 it does you no good.  An attacker could put a bad file up there and change the SHA1SUMS file.

Validating the signature of the SHA1SUMS message ensures that the file was written by Gavin and thus you can trust the hashes in the file.

Gerald Davis  CEO, Tangible Cryptography Inc.
BitSimple. A simpler way to buy and sell bitcoins
Gavin Andresen
Hero Member
October 27, 2011, 03:21:16 AM
 #6

Here's my public key, or you can fetch it from the MIT pgp keyserver.  Or it is linked on the bitcoin.org homepage.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (Darwin)
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=oDeQ
-----END PGP PUBLIC KEY BLOCK-----

Will I see you in Amsterdam?
  http://bitcoin2014.com/
ripper234
Hero Member
October 27, 2011, 12:45:32 PM
 #7

Here is an answer David posted to Stack Exchange about this exact topic.

Please do not pm me, use ron@mastercoin.org instead
Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association
ovidiusoft
Sr. Member
October 27, 2011, 12:55:13 PM
 #8

Quote
As an expanding community we should not be suggesting to everyone to read the source code themselves. Having the open source code available to be viewed is a core aspect of the bitcoin model, but only a niche group is up to this task.

I believe we really should. Auditing all the code used is an important step for any serious business. Sure, maybe the investor doesn't have the technical knowledge to do it himself, but I would expect that someone who wants to push 1mil $ in a Bitcoin business will spend a few k to have someone audit the code (note: maybe not this week, but having this kind of investment will happen).

And I'm saying this because I believe it's important to expect audits and I think code should be written and documented with that in mind.
luv2drnkbr
Hero Member
October 28, 2011, 01:16:31 PM
 #9

Can somebody else tell me if they're getting a "key not valid" error?  I have Gavin's key and GPG is telling me the following message sig is bad:

Quote
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

25c3ec9683d62235afea24d4a147d4616d8a884f  bitcoin-0.4.0-linux.tar.gz
a800d9fa4aa61527e598708f4ace7f855c22a46b  bitcoin-0.4.0-macosx.dmg
1d2c8d82ede5e8aa9f83b59da07e443de89c5c8f  bitcoin-0.4.0-src.tar.gz
ecf1304ff467bd30dc668b3dadff3044c3c86df1  bitcoin-0.4.0-win32-setup.exe
6034efe23e4bd76b0860f633e81710cd66d499db  bitcoin-0.4.0-win32.zip
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAk58n20ACgkQdYgkL74406ibEACgzyZj86lsQORi5HTs/N3ABCes
Pg8AoKFXU1vxiZI9qZOQ5ZET60ewcynW
=sY+Q
-----END PGP SIGNATURE-----


Steve
Hero Member
October 28, 2011, 02:03:35 PM
 #10

It's good:

Quote
$ gpg --verify -a
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

25c3ec9683d62235afea24d4a147d4616d8a884f  bitcoin-0.4.0-linux.tar.gz
a800d9fa4aa61527e598708f4ace7f855c22a46b  bitcoin-0.4.0-macosx.dmg
1d2c8d82ede5e8aa9f83b59da07e443de89c5c8f  bitcoin-0.4.0-src.tar.gz
ecf1304ff467bd30dc668b3dadff3044c3c86df1  bitcoin-0.4.0-win32-setup.exe
6034efe23e4bd76b0860f633e81710cd66d499db  bitcoin-0.4.0-win32.zip
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAk58n20ACgkQdYgkL74406ibEACgzyZj86lsQORi5HTs/N3ABCes
Pg8AoKFXU1vxiZI9qZOQ5ZET60ewcynW
=sY+Q
-----END PGP SIGNATURE-----
gpg: Signature made Fri Sep 23 11:02:05 2011 EDT using DSA key ID BE38D3A8
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   3  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2013-03-23
gpg: Good signature from "Gavin Andresen <gavinandresen@gmail.com>"

(gasteve on IRC) Does your website accept cash? https://bitpay.com
theymos
Administrator
Hero Member
October 28, 2011, 05:55:43 PM
 #11

Quote
Can somebody else tell me if they're getting a "key not valid" error?  I have Gavin's key and GPG is telling me the following message sig is bad:

Did you lsign his key first?

luv2drnkbr
Hero Member
October 29, 2011, 06:18:38 AM
 #12

Quote
Can somebody else tell me if they're getting a "key not valid" error?  I have Gavin's key and GPG is telling me the following message sig is bad:

Quote
Did you lsign his key first?

Ah, right, I'm an idiot.
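The two-step check from post #5 (compare the file hash against the signed SHA1SUMS.asc, and verify that file's signature) together with the trust question from posts #11 and #12 (a good signature still reports the key as not valid until it is lsign'ed), as an added Python example that is not code from the thread or from the Bitcoin project. It assumes a `gpg` binary on PATH and a release-signing key fingerprint you have pinned out of band; the fingerprint, status lines, file names and archive contents in the block are constructed placeholders. It also goes a little beyond the thread by accepting SHA-256 lists, which post #13 asks for, alongside the SHA-1 lists of 2011.

```python
"""Two-step release verification as described in this thread (added example,
not code from the thread or the Bitcoin project). Drives the real gpg binary
via subprocess; sample status lines, file names and fingerprint are constructed."""
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Hex-digest length -> hash constructor, so the same code handles the
# SHA1SUMS.asc of 2011 and the SHA256SUMS.asc asked for later in the thread.
DIGESTS = {40: hashlib.sha1, 64: hashlib.sha256}
SUM_LINE = re.compile(r"^([0-9a-fA-F]{40}|[0-9a-fA-F]{64})\s+\*?(\S.*)$")

# Constructed gpg --status-fd output: good signature, key validity unknown
# (the "key not valid" situation in the thread before the key is lsign'ed).
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2011-09-23 1316790125 0 4 0 17 2 01 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

def parse_status(status_text, expected_fingerprint):
    """Pass only on GOODSIG with a VALIDSIG fingerprint equal to the pinned one.

    VALIDSIG alone is not enough (gpg also emits it for EXPKEYSIG/REVKEYSIG);
    TRUST_* merely reports web-of-trust validity, so pinning the fingerprint
    makes the decision independent of whether the key was lsign'ed."""
    result = {"good": False, "fingerprint": None, "trust": "TRUST_UNDEFINED"}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "GOODSIG":
            result["good"] = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            result["fingerprint"] = fields[2].upper()
        elif keyword.startswith("TRUST_"):
            result["trust"] = keyword
    wanted = expected_fingerprint.replace(" ", "").upper()
    result["pinned"] = result["good"] and result["fingerprint"] == wanted
    return result

def parse_sums(signed_body):
    """Map file name -> hex digest from 'digest  name' lines of the signed body."""
    sums = {}
    for line in signed_body.splitlines():
        m = SUM_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def check_files(sums, directory):
    """Step 1 of the thread: hash each listed file and compare with the list."""
    report = {}
    for name, expected in sums.items():
        path = Path(directory) / name
        if not path.is_file():
            report[name] = "MISSING"
            continue
        digest = DIGESTS[len(expected)]()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        report[name] = "OK" if digest.hexdigest() == expected else "MISMATCH"
    return report

def verify_release(asc_path, directory, expected_fingerprint, gpg="gpg"):
    """Step 2 before step 1: hashes are read only from the body gpg verified."""
    # --decrypt on a clearsigned file writes the signed text to stdout and the
    # machine-readable status lines to the fd given by --status-fd (stderr here).
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "2", "--decrypt", str(asc_path)],
        capture_output=True, text=True,
    )
    status = parse_status(proc.stderr, expected_fingerprint)
    if not status["pinned"]:
        raise RuntimeError(f"signature check failed: {status}")
    sums = parse_sums(proc.stdout)
    if not sums:
        raise RuntimeError("verified body contains no checksum lines")
    return check_files(sums, directory)

def demo():
    """Offline run of the hashing step against constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "example-0.1.0-linux.tar.gz"
        good.write_bytes(b"constructed archive contents\n")
        bad = Path(tmp) / "example-0.1.0-win32.zip"
        bad.write_bytes(b"tampered archive contents\n")
        body = "\n".join([
            f"{hashlib.sha256(good.read_bytes()).hexdigest()}  {good.name}",
            f"{'0' * 64}  {bad.name}",
            f"{'f' * 40}  example-0.1.0-src.tar.gz",
        ])
        return check_files(parse_sums(body), tmp)
```

Against a real download you would call `verify_release(Path("SHA1SUMS.asc"), ".", "<pinned fingerprint>")`; it refuses to look at any hash line unless gpg reported GOODSIG for the pinned key, which is the ordering post #5 insists on. The `trust` field is only reported, never used for the decision: that is what turns the "key not valid" warning from the thread into a non-issue, since the fingerprint you pinned out of band already says which key you accept.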

scrubadub
Jr. Member
September 12, 2013, 06:55:44 PM
 #13

Bumping this because I still don't see a good way to verify Windows binaries after a brief search on the latest client.

The release announcement for the latest 0.8.4 does not include any signatures like some old ones did.

What is much worse is SourceForge seems to only allow http downloads. Manually changing it to https seems to redirect me to http on the mirror and SourceForge webpages I tried.

So I guess my ask is to include signed sha256 sums in all release announcements and on the bitcoin.org website's download page since many people won't go and find the announcements.

And a tutorial link similar to what these guys have put together would also be helpful I think for newbies.