Bitcoin Forum
December 04, 2016, 06:19:28 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Having problems verifying bitcoin download with GPG4Win  (Read 4183 times)
jimbobway
Legendary
*
Offline Offline

Activity: 1380



View Profile
March 18, 2012, 11:40:37 PM
 #1

I read this here to get started:  http://bitcoin.stackexchange.com/questions/565/how-can-one-download-the-bitcoin-client-securely

Quote
Jeff Garzik signs every release with his GPG key (also here). You can find release announcements (such as this one) on the SourceForge.net Bitcoin development list.

To verify the signature on a release, obtain the key from the link above. Obtain the release announcement from the link above. Obtain the download from any source. Then point GPG at the release annoucement (or the signature block from it, including the BEGIN and END lines). GPG will ask what file you want to verify, pick any of the ones listed in the signature certificate. It will then tell you if the release is identical to the release Jeff Garzik signed.

I downloaded GPG4Win and Kleopatra.  I install Jeff Garzik GPG key into Kleopatra. (Finger print looks ok '60B0 0235 B335 5D84 BF2A 4E35 DA1D C20F 2DBF 0CA8')

I download this file "SHA256SUMS.asc" located here: http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.5.3/

I right click "SHA256SUMS.asc", then select "Decrypt and Verify".  I select the bitcoin file "bitcoin-0.5.3.1-win32-setup.exe".

I get this message: "No signatures found."

What am I doing wrong?

░░░░░░░░░██████░░░░░░░░░░░░▄▄▄
░░███░░██████░░░░░▄▄▄▄▄░░██
░░███░░█████████████
░░░░░░░░██████▀▀██████████
░░░░░░░░██████░░░░░██████████
░░░░░░▄▄▄▄▄▄░░░▄▄▄░░░░███████
░░░░░██████░░░███░░░░███████
░░░░░██████░░░███
░░░░░███████▄▄▄▄▄████████
░░░░░████████████████████
░░▄▄▄▄▄░░█████░░░░█████████
█████░░█████░░░░█████████
█████░░░░░░░░░░░░█████████
█████░░░░░░░░░░░░░█████████

START GETTING PAID FOR YOUR ATTENTION!
███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
JUSTICE IN THE WORLD OF ONLINE ADVERTISING!

BUY MASS COIN 】【 ICO PROSPECTUS
VISIT OUR WEBSITE
TWITTER 】【 FACEBOOK 】【 TELEGRAM

1480832368
Hero Member
*
Offline Offline

Posts: 1480832368

View Profile Personal Message (Offline)

Ignore
1480832368
Reply with quote  #2

1480832368
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
pc
Sr. Member
****
Offline Offline

Activity: 253


View Profile
March 21, 2012, 07:46:43 PM
 #2

This whole thing is definitely unintuitive. I'm not familiar with those GPG clients, but I may be able to help point you in the right direction. The SHA256SUMS.asc file isn't a detached signature, it's a plaintext file with a signature included, much like might be on an email. Does your software offer a plain "verify" feature?

Once you've verified that SHA256SUMS.asc is genuinely signed, then you can look in it to see that bitcoin-0.5.3.1-win32-setup.exe has a SHA-256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32. So now, you just need to make sure that your file in fact has that checksum.

I'm on a Mac, and the command I'd use for it here is "openssl dgst -sha256 bitcoin-0.5.3.1-win32-setup.exe". Openssl is cross-platform, but probably isn't installed on Windows by default. I don't know if there's something else likely already installed, or if your GPG software also has a way to find the SHA-256 of a file somewhere in there.

Hope this helps.
jake262144
Full Member
***
Offline Offline

Activity: 210


View Profile
March 22, 2012, 07:31:08 AM
 #3

I install Jeff Garzik GPG key into Kleopatra. (Finger print looks ok '60B0 0235 B335 5D84 BF2A 4E35 DA1D C20F 2DBF 0CA8')...
What am I doing wrong?
At the very least you need to import gavin's public key as well - the keys you might be interested in are neatly listed on bitcoin.org
jimbobway
Legendary
*
Offline Offline

Activity: 1380



View Profile
March 28, 2012, 11:00:02 PM
 #4

I install Jeff Garzik GPG key into Kleopatra. (Finger print looks ok '60B0 0235 B335 5D84 BF2A 4E35 DA1D C20F 2DBF 0CA8')...
What am I doing wrong?
At the very least you need to import gavin's public key as well - the keys you might be interested in are neatly listed on bitcoin.org

So I installed all of the GPG .asc certificates on the bitcoin.org homepage (Gavin's and others) into Kleopatra.  I repeated the steps:

Select "Decrypt and Verify".
Select the bitcoin file "bitcoin-0.5.3.1-win32-setup.exe".

I get the same  message: "No signatures found."

I will try downloading and installing OpenSSL and see where it gets me.  Thanks for the advice so far.

░░░░░░░░░██████░░░░░░░░░░░░▄▄▄
░░███░░██████░░░░░▄▄▄▄▄░░██
░░███░░█████████████
░░░░░░░░██████▀▀██████████
░░░░░░░░██████░░░░░██████████
░░░░░░▄▄▄▄▄▄░░░▄▄▄░░░░███████
░░░░░██████░░░███░░░░███████
░░░░░██████░░░███
░░░░░███████▄▄▄▄▄████████
░░░░░████████████████████
░░▄▄▄▄▄░░█████░░░░█████████
█████░░█████░░░░█████████
█████░░░░░░░░░░░░█████████
█████░░░░░░░░░░░░░█████████

START GETTING PAID FOR YOUR ATTENTION!
███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
JUSTICE IN THE WORLD OF ONLINE ADVERTISING!

BUY MASS COIN 】【 ICO PROSPECTUS
VISIT OUR WEBSITE
TWITTER 】【 FACEBOOK 】【 TELEGRAM

jake262144
Full Member
***
Offline Offline

Activity: 210


View Profile
March 28, 2012, 11:40:52 PM
 #5

Umm... that's how I do it, only with command line programs:

First of all, it's the SHA256SUMS.asc file that needs to be verified, not the executable itself:
Code:
gpg --import c:\wherever\gavinandresen.asc
gpg --verify c:\wherever\sha256sums.asc

When gpg is happy (gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>") you can take a peek inside the SHA256SUMS.asc file.
You will find, amongst other things, this line:
Code:
6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32  bitcoin-0.5.3.1-win32-setup.exe
What it tells you, is that the current Bitcoin installer package for Windows has a SHA256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32.
The digital signature guarantees this information is correct and has not been tampered with.

Now let's calculate the checksum of the actual installer:
Code:
sha256sum c:\wherever\bitcoin-0.5.3.1-win32-setup.exe
6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32

Done.

HashCalc is a great and free GUI tool you can use to calculate pretty much any checksum you need.
jimbobway
Legendary
*
Offline Offline

Activity: 1380



View Profile
March 29, 2012, 08:42:36 PM
 #6

Where do you get these command line programs for windows?

Umm... that's how I do it, only with command line programs:

First of all, it's the SHA256SUMS.asc file that needs to be verified, not the executable itself:
Code:
gpg --import c:\wherever\gavinandresen.asc
gpg --verify c:\wherever\sha256sums.asc

When gpg is happy (gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>") you can take a peek inside the SHA256SUMS.asc file.
You will find, amongst other things, this line:
Code:
6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32  bitcoin-0.5.3.1-win32-setup.exe
What it tells you, is that the current Bitcoin installer package for Windows has a SHA256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32.
The digital signature guarantees this information is correct and has not been tampered with.

Now let's calculate the checksum of the actual installer:
Code:
sha256sum c:\wherever\bitcoin-0.5.3.1-win32-setup.exe
6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32

Done.

HashCalc is a great and free GUI tool you can use to calculate pretty much any checksum you need.


░░░░░░░░░██████░░░░░░░░░░░░▄▄▄
░░███░░██████░░░░░▄▄▄▄▄░░██
░░███░░█████████████
░░░░░░░░██████▀▀██████████
░░░░░░░░██████░░░░░██████████
░░░░░░▄▄▄▄▄▄░░░▄▄▄░░░░███████
░░░░░██████░░░███░░░░███████
░░░░░██████░░░███
░░░░░███████▄▄▄▄▄████████
░░░░░████████████████████
░░▄▄▄▄▄░░█████░░░░█████████
█████░░█████░░░░█████████
█████░░░░░░░░░░░░█████████
█████░░░░░░░░░░░░░█████████

START GETTING PAID FOR YOUR ATTENTION!
███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
JUSTICE IN THE WORLD OF ONLINE ADVERTISING!

BUY MASS COIN 】【 ICO PROSPECTUS
VISIT OUR WEBSITE
TWITTER 】【 FACEBOOK 】【 TELEGRAM

jake262144
Full Member
***
Offline Offline

Activity: 210


View Profile
March 29, 2012, 10:32:18 PM
 #7

You already installed both of them by installing GPG4Win.
The default installation directory for Gpg4Win is C:\Program Files (x86)\GNU\GnuPG  (on 64-bit systems) or C:\Program Files\GNU\GnuPG  (32-bit systems)

If you cd to the installation directory both gpg.exe and sha25sum.exe will be in scope:
Code:
cd \Program Files (x86)\GNU\GnuPG
The last line is no mistake, you can use the backslash to denote the root directory of the currently chosen partition making the obnoxious c: drive letter redundant.

I recommend that you add c:\Program Files (x86)\GNU\GnuPG to your path so that sha256sum is always in scope.
jimbobway
Legendary
*
Offline Offline

Activity: 1380



View Profile
April 06, 2012, 06:06:37 AM
 #8

Here's what I did:

C:\>gpg --verify SHA256SUMS.asc
gpg: Signature made 03/16/12 13:01:01 Pacific Daylight Time using RSA key ID 1FC
730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail
.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1



Should I be worried about the warnings?  BTW, I did a sha256sum and it matches the one in the SHA256SUMS.asc file.  It is just the warning above that bugs me.  I also imported gavin's PGP and it imported ok.

I did some googling and found this: http://lists.gnupg.org/pipermail/gnupg-users/2009-March/035981.html

Says I need to do a "web-of-trust by doing some keysigning" of some sort.

Edit: Did some more googling.  Says, "The best method is to meet the developer in person and exchange key fingerprints."  Gavin, you want to meet up?  Ideas anybody?

░░░░░░░░░██████░░░░░░░░░░░░▄▄▄
░░███░░██████░░░░░▄▄▄▄▄░░██
░░███░░█████████████
░░░░░░░░██████▀▀██████████
░░░░░░░░██████░░░░░██████████
░░░░░░▄▄▄▄▄▄░░░▄▄▄░░░░███████
░░░░░██████░░░███░░░░███████
░░░░░██████░░░███
░░░░░███████▄▄▄▄▄████████
░░░░░████████████████████
░░▄▄▄▄▄░░█████░░░░█████████
█████░░█████░░░░█████████
█████░░░░░░░░░░░░█████████
█████░░░░░░░░░░░░░█████████

START GETTING PAID FOR YOUR ATTENTION!
███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
JUSTICE IN THE WORLD OF ONLINE ADVERTISING!

BUY MASS COIN 】【 ICO PROSPECTUS
VISIT OUR WEBSITE
TWITTER 】【 FACEBOOK 】【 TELEGRAM

jake262144
Full Member
***
Offline Offline

Activity: 210


View Profile
April 06, 2012, 08:13:06 AM
 #9

Those warnings basically say
"Hey dude, Gavin says this file here is his public key but no trusted Certificate Authority is backing up the validity of this claim.
Tell Gavin to pony up some big bucks and make Verisign, Thawte, Comodo, Equifax, Hongkong Post, TurkTrust
(1), or DigiNotar(2) happy."


If a hacker were able to breach bitcoin.org's server and replace Gavin's public key and they were then able to breach the SourceForge repositories and replace the files with malicious ones, anyone validating the bad executables with the bad public key could be cheated into thinking that everything is fine.
In short, if a hacker gets full control over everything, we're screwed - film at 11.

For the record, the fingerprint of Gavin's public key is indeed 2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1



Notes
(1) You may not have known but your system trusts hundreds of entities. From its POV Hongkong Post is just as trustworthy as Verisign. Better believe someone in Hongkong did their due dilligence when signing those SSL certificates.
(2) I put DigiNotar in as a joke; this CA fell victim to a hacker attack last year. As a result, they went keel up and sank.
     The SSL certificates the hackers were able to generate were inherently trusted by any machine in the world. So much for trusted CAs.
     You better believe TurkTrust and Hongkong Post really know what they are doing Grin
     There have been several initiatives to mitigate the flaws in the current trusted CA model.
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
September 27, 2012, 04:28:28 PM
 #10

Umm... that's how I do it, only with command line programs:

First of all, it's the SHA256SUMS.asc file that needs to be verified, not the executable itself:
Code:
gpg --import c:\wherever\gavinandresen.asc
gpg --verify c:\wherever\sha256sums.asc

When gpg is happy (gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>") you can take a peek inside the SHA256SUMS.asc file.
You will find, amongst other things, this line:
Code:
6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32  bitcoin-0.5.3.1-win32-setup.exe
What it tells you, is that the current Bitcoin installer package for Windows has a SHA256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32.
The digital signature guarantees this information is correct and has not been tampered with.

Now let's calculate the checksum of the actual installer:
Code:
sha256sum c:\wherever\bitcoin-0.5.3.1-win32-setup.exe
6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32

Done.

HashCalc is a great and free GUI tool you can use to calculate pretty much any checksum you need.


jake, do i need to install HashCalc to check the hash of the bitcoin-0.7.0-win32-setup.exe installer on my Win 7 machine?  i noticed that the link only says its good up to Win XP? 
flatfly
Hero Member
*****
Offline Offline

Activity: 938


View Profile
September 27, 2012, 06:53:33 PM
 #11

There are many other tools available, one example is SFVNinja

1111127SpvabYpoeDoiz5L7QPkfiSh2Q. Only donate if you have a reason to.
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
September 27, 2012, 07:17:55 PM
 #12

There are many other tools available, one example is SFVNinja

thanks.  actually HashCalc worked just fine.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!