walletgenerator.net, I find no way to verify the download with PGP

[PaperWallet]

The page takes us to the GitHub repository where we can download the zip file. Don't we need to verify signature with PGP? For bitaddress.org we have the signature, but for wallet generator.net we don't, neither did I find that for plenty of other websites, that I find trustworthy by the way since they were mentioned in popular places. But no signatures to verify their downloads.

Any idea?

[jackg]

Are you downloading the source code or the application? Some developers assume if it's the source code that people should be able to read and vaguely understand the code before rubbing it. This assumption might just be that they assume one person who accesses the repo will notice if something changes and be able to report it.

[TryNinja]

Don't use them!

They had a vulnerability that made people generate previously generated and not-so-random private-keys. And even though the github code *as far as we know* does not contain those vulnerabilities, I wouldn't risk it.

Take a look:

https://www.coindesk.com/researcher-discovers-serious-vulnerability-in-paper-crypto-wallet-website
https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961

[HCP]

Walletgenerator.net... hmmm is that the one where the website was "sold" and then after it was sold there were numerous claims of scams and "already used" keys being created? Or was it another one?

[pooya87]

Walletgenerator.net... hmmm is that the one where the website was "sold" and then after it was sold there were numerous claims of scams and "already used" keys being created? Or was it another one?

that's the one.
it was always a little shady to begin with and ever since the ownership changed (or maybe it was all fake and they are trying to hide their identity while scamming) things became a lot shadier and we started seeing scam accusations pop up.

[PaperWallet]

Seriously.... Oh gosh I love you guys. Thanks for warning me. I was about to create my wallets today.

The only one then is bitadress.org?
And there is another one for dash, but this website is on the official dash website: paper.dash.org.
But I don't have any signature on website or a SHA256 to verify. If I go to the GitHub, there's an option to download the zip file. Does that mean that from GitHub we don't have to verify signatures?

[nc50lc]

-snip- Does that mean that from GitHub we don't have to verify signatures?

One of the reason to verify signatures is to confirm that the compiled /downloaded file was really built from source by the author(s)/contributor(s).
If you've downloaded from source which you should've audited since it's "open-source", then there's no point in verifying.

[bob123]

Seriously.... Oh gosh I love you guys. Thanks for warning me. I was about to create my wallets today.

The only one then is bitadress.org?
And there is another one for dash, but this website is on the official dash website: paper.dash.org.
But I don't have any signature on website or a SHA256 to verify. If I go to the GitHub, there's an option to download the zip file. Does that mean that from GitHub we don't have to verify signatures?

No.
Don't use any website to generate your paper wallet.

Your only "advantage" literally is that it looks pretty when printed.
Security-wise it is horrible because you 1) need to verify the source code and because 2) you are using javascript.
Javascript shouldn't be used to create cryptographic keys wherever possible.

If you want to properly generate a paper wallet, use a reputable wallet.
Just open your wallet on an offline device, write down the mnemonic and as much addresses / private keys as you want.
Way more secure than using those websites (regardless of online or offline).

[PaperWallet]

Seriously.... Oh gosh I love you guys. Thanks for warning me. I was about to create my wallets today.

The only one then is bitadress.org?
And there is another one for dash, but this website is on the official dash website: paper.dash.org.
But I don't have any signature on website or a SHA256 to verify. If I go to the GitHub, there's an option to download the zip file. Does that mean that from GitHub we don't have to verify signatures?

No.
Don't use any website to generate your paper wallet.

Your only "advantage" literally is that it looks pretty when printed.
Security-wise it is horrible because you 1) need to verify the source code and because 2) you are using javascript.
Javascript shouldn't be used to create cryptographic keys wherever possible.

If you want to properly generate a paper wallet, use a reputable wallet.
Just open your wallet on an offline device, write down the mnemonic and as much addresses / private keys as you want.
Way more secure than using those websites (regardless of online or offline).

Ok I’ll go check official websites and what wallets they offer that generate paper wallets. Thank you I did not know wallets could give you keys offline (I’m used to Cardano.... they are really not nice in REQUIRING internet on their Daedalus wallet to generate the keys!). I’ll check bitcoin and litecoin.  Do you know of any that generate paper wallets? (Or generate keys, same thing)

[PaperWallet]

But honestly how then would dash give instructions for paper wallet on their official website? They support a website to create paper wallets and not some other type of software wallet.

[HCP]

But honestly how then would dash give instructions for paper wallet on their official website? They support a website to create paper wallets and not some other type of software wallet.

I'm not sure what you mean exactly... they have links to a vast variety of wallets on their website: https://www.dash.org/downloads/

Desktop wallets, mobile wallets, hardware wallets, web wallets.... and paper wallets.

For the record, their paper.dash.org paperwallet generator is forked from bitaddress.org... it's functionally almost identical as far as I can tell, it's just been modified to have Dash "branding" and output Dash addresses instead of Bitcoin addresses

[bob123]

Ok I’ll go check official websites and what wallets they offer that generate paper wallets. Thank you I did not know wallets could give you keys offline (I’m used to Cardano.... they are really not nice in REQUIRING internet on their Daedalus wallet to generate the keys!). I’ll check bitcoin and litecoin.  Do you know of any that generate paper wallets? (Or generate keys, same thing)

If you are looking to generate BTC and LTC paper wallets, why not simply use electrum and electrum-ltc ?

You can download and verify the files, then move them onto an offline PC (or boot a linux distro without any network connection) and create a wallet using electrum / electrum-ltc there.
Then write down or print (make sure the printer is not network connected) the mnemonic code and as much addresses as you want/need and (if needed) the private keys.

Additionally if you want some QR codes, there is open source software for linux available to create QR codes out of any data. So you can also easily print the QR of your address/private key.

[LoyceV]

Walletgenerator.net... hmmm is that the one where the website was "sold" and then after it was sold there were numerous claims of scams and "already used" keys being created? Or was it another one?

No, Bitcoin Paper Wallet.com was sold and turned into a scam. Wallet Generator.net shouldn't be trusted either, for reasons mentioned by TryNinja.

The only one then is bitadress.org?

That's the only site I trust, but even then, I only use a version I've downloaded years ago. This way I don't have to trust they don't change something.
Still a warning though: check the URL! A typo could lead you to a phishing site.

Don't use any website to generate your paper wallet.

That works too

Your only "advantage" literally is that it looks pretty when printed.

I still have an old copy of Bitcoin Paper Wallet (currently a scam site!), and it allows to import a private key. You can even combine a split key vanity address to use 2 different random generators so you don't have to rely on just one of them being honest, then import it, and print it. It creates the same pretty print, without having to trust them. Of course, all this should happen off-line (and it was a big hassle getting my new printer to work without connecting to the internet).