jimbobway (OP)
March 18, 2012, 11:40:37 PM
I read this here to get started: http://bitcoin.stackexchange.com/questions/565/how-can-one-download-the-bitcoin-client-securely

> Jeff Garzik signs every release with his GPG key (also here). You can find release announcements (such as this one) on the SourceForge.net Bitcoin development list.
> To verify the signature on a release, obtain the key from the link above. Obtain the release announcement from the link above. Obtain the download from any source. Then point GPG at the release announcement (or the signature block from it, including the BEGIN and END lines). GPG will ask what file you want to verify; pick any of the ones listed in the signature certificate. It will then tell you if the release is identical to the release Jeff Garzik signed.

I downloaded GPG4Win and Kleopatra. I installed Jeff Garzik's GPG key into Kleopatra. (Fingerprint looks ok: '60B0 0235 B335 5D84 BF2A 4E35 DA1D C20F 2DBF 0CA8')
I downloaded this file "SHA256SUMS.asc" located here: http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.5.3/
I right click "SHA256SUMS.asc", then select "Decrypt and Verify". I select the bitcoin file "bitcoin-0.5.3.1-win32-setup.exe". I get this message: "No signatures found."
What am I doing wrong?
pc
March 21, 2012, 07:46:43 PM
This whole thing is definitely unintuitive. I'm not familiar with those GPG clients, but I may be able to help point you in the right direction. The SHA256SUMS.asc file isn't a detached signature, it's a plaintext file with a signature included, much like might be on an email. Does your software offer a plain "verify" feature?
Once you've verified that SHA256SUMS.asc is genuinely signed, then you can look in it to see that bitcoin-0.5.3.1-win32-setup.exe has a SHA-256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32. So now, you just need to make sure that your file in fact has that checksum.
I'm on a Mac, and the command I'd use for it here is "openssl dgst -sha256 bitcoin-0.5.3.1-win32-setup.exe". Openssl is cross-platform, but probably isn't installed on Windows by default. I don't know if there's something else likely already installed, or if your GPG software also has a way to find the SHA-256 of a file somewhere in there.
Hope this helps.
jake262144
March 22, 2012, 07:31:08 AM
> I install Jeff Garzik GPG key into Kleopatra. (Finger print looks ok '60B0 0235 B335 5D84 BF2A 4E35 DA1D C20F 2DBF 0CA8')... What am I doing wrong?

At the very least you need to import Gavin's public key as well - the keys you might be interested in are neatly listed on bitcoin.org.
jimbobway (OP)
March 28, 2012, 11:00:02 PM
> > I install Jeff Garzik GPG key into Kleopatra. (Finger print looks ok '60B0 0235 B335 5D84 BF2A 4E35 DA1D C20F 2DBF 0CA8')... What am I doing wrong?
>
> At the very least you need to import Gavin's public key as well - the keys you might be interested in are neatly listed on bitcoin.org.

So I installed all of the GPG .asc certificates on the bitcoin.org homepage (Gavin's and others) into Kleopatra. I repeated the steps: select "Decrypt and Verify", select the bitcoin file "bitcoin-0.5.3.1-win32-setup.exe". I get the same message: "No signatures found." I will try downloading and installing OpenSSL and see where it gets me. Thanks for the advice so far.
jake262144
March 28, 2012, 11:40:52 PM
Umm... that's how I do it, only with command line programs. First of all, it's the SHA256SUMS.asc file that needs to be verified, not the executable itself:

gpg --import c:\wherever\gavinandresen.asc
gpg --verify c:\wherever\sha256sums.asc

When gpg is happy (gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>") you can take a peek inside the SHA256SUMS.asc file. You will find, amongst other things, this line:

6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32 bitcoin-0.5.3.1-win32-setup.exe

What it tells you is that the current Bitcoin installer package for Windows has a SHA256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32. The digital signature guarantees this information is correct and has not been tampered with. Now let's calculate the checksum of the actual installer:

sha256sum c:\wherever\bitcoin-0.5.3.1-win32-setup.exe
6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32

Done. HashCalc is a great and free GUI tool you can use to calculate pretty much any checksum you need.
jimbobway (OP)
March 29, 2012, 08:42:36 PM
Where do you get these command line programs for Windows?

> Umm... that's how I do it, only with command line programs. First of all, it's the SHA256SUMS.asc file that needs to be verified, not the executable itself:
>
> gpg --import c:\wherever\gavinandresen.asc
> gpg --verify c:\wherever\sha256sums.asc
>
> When gpg is happy (gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>") you can take a peek inside the SHA256SUMS.asc file. You will find, amongst other things, this line:
>
> 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32 bitcoin-0.5.3.1-win32-setup.exe
>
> What it tells you is that the current Bitcoin installer package for Windows has a SHA256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32. The digital signature guarantees this information is correct and has not been tampered with. Now let's calculate the checksum of the actual installer:
>
> sha256sum c:\wherever\bitcoin-0.5.3.1-win32-setup.exe
> 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32
>
> Done. HashCalc is a great and free GUI tool you can use to calculate pretty much any checksum you need.
jake262144
March 29, 2012, 10:32:18 PM (Last edit: March 29, 2012, 10:50:29 PM by jake262144)
You already installed both of them by installing GPG4Win. The default installation directory for Gpg4Win is C:\Program Files (x86)\GNU\GnuPG (on 64-bit systems) or C:\Program Files\GNU\GnuPG (32-bit systems). If you cd to the installation directory, both gpg.exe and sha256sum.exe will be in scope:

cd \Program Files (x86)\GNU\GnuPG

The last line is no mistake: you can use the backslash to denote the root directory of the currently chosen partition, making the obnoxious c: drive letter redundant. I recommend that you add c:\Program Files (x86)\GNU\GnuPG to your path so that sha256sum is always in scope.
jimbobway (OP)
April 06, 2012, 06:06:37 AM
Here's what I did:

C:\>gpg --verify SHA256SUMS.asc
gpg: Signature made 03/16/12 13:01:01 Pacific Daylight Time using RSA key ID 1FC730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2664 6D99 CBAE C9B8 1982 EF60 29D9 EE6B 1FC7 30C1

Should I be worried about the warnings? BTW, I did a sha256sum and it matches the one in the SHA256SUMS.asc file. It is just the warning above that bugs me. I also imported Gavin's PGP key and it imported ok. I did some googling and found this: http://lists.gnupg.org/pipermail/gnupg-users/2009-March/035981.html
Says I need to do a "web-of-trust by doing some keysigning" of some sort.

Edit: Did some more googling. Says, "The best method is to meet the developer in person and exchange key fingerprints." Gavin, you want to meet up? Ideas anybody?
jake262144
April 06, 2012, 08:13:06 AM
Those warnings basically say "Hey dude, Gavin says this file here is his public key but no trusted Certificate Authority is backing up the validity of this claim. Tell Gavin to pony up some big bucks and make Verisign, Thawte, Comodo, Equifax, Hongkong Post, TurkTrust(1), or DigiNotar(2) happy."

If a hacker were able to breach bitcoin.org's server and replace Gavin's public key, and they were then able to breach the SourceForge repositories and replace the files with malicious ones, anyone validating the bad executables with the bad public key could be cheated into thinking that everything is fine. In short, if a hacker gets full control over everything, we're screwed - film at 11.

For the record, the fingerprint of Gavin's public key is indeed 2664 6D99 CBAE C9B8 1982 EF60 29D9 EE6B 1FC7 30C1.

Notes
(1) You may not have known, but your system trusts hundreds of entities. From its POV Hongkong Post is just as trustworthy as Verisign. Better believe someone in Hongkong did their due diligence when signing those SSL certificates.
(2) I put DigiNotar in as a joke; this CA fell victim to a hacker attack last year. As a result, they went keel up and sank. The SSL certificates the hackers were able to generate were inherently trusted by any machine in the world. So much for trusted CAs. You better believe TurkTrust and Hongkong Post really know what they are doing. There have been several initiatives to mitigate the flaws in the current trusted CA model.
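The two checks this thread walks through (jake262144's `gpg --verify` plus `sha256sum` procedure, and the "key is not certified with a trusted signature" warning discussed in the last two posts) can be scripted so that the fingerprint comparison is done by the machine rather than by eye. The following is an added example written for this page; it is not Bitcoin's, Gpg4win's or any poster's own code. It assumes `gpg` is on the PATH and that `gpg --status-fd 1 --verify` emits the standard `[GNUPG:] VALIDSIG` status line; the sums file and the gpg status text embedded below are constructed stand-ins (the first checksum line is the one quoted in the thread, the signature block is a placeholder), and the pinned fingerprint is the one the thread quotes for Gavin Andresen's code-signing key.

```python
"""Scripted form of 'gpg --verify SHA256SUMS.asc' followed by a sha256sum comparison.
Added example for this thread, not the project's own tooling. The key is pinned by
fingerprint, which is what replaces the missing web-of-trust certification."""
import hashlib
import hmac
import os
import re
import subprocess

# Fingerprint quoted in the thread for Gavin Andresen's code-signing key (assumed to be
# the key you have decided to trust after checking it out of band).
EXPECTED_FPR = "2664 6D99 CBAE C9B8 1982 EF60 29D9 EE6B 1FC7 30C1"

# Constructed stand-in for SHA256SUMS.asc: first entry is the line quoted in the thread,
# second is a constructed entry for an empty file; the signature block is a placeholder.
SAMPLE_SUMS_ASC = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32  bitcoin-0.5.3.1-win32-setup.exe
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  empty-example.txt
-----BEGIN PGP SIGNATURE-----
(placeholder: not a real signature)
-----END PGP SIGNATURE-----
"""

# Constructed 'gpg --status-fd 1' output, shaped like gpg's report of a good signature
# from a key that is not certified in the local web of trust (TRUST_UNDEFINED).
SAMPLE_GPG_STATUS = """\
[GNUPG:] GOODSIG 29D9EE6B1FC730C1 Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>
[GNUPG:] VALIDSIG 26646D99CBAEC9B81982EF6029D9EE6B1FC730C1 2012-03-16 1331928061 0 4 0 1 8 00 26646D99CBAEC9B81982EF6029D9EE6B1FC730C1
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*?)\s*$")


def parse_sha256sums(text):
    """Return {filename: hex digest} from the signed body of a clearsigned sums file.
    Only lines between the SIGNED MESSAGE header and the SIGNATURE block count;
    anything appended after the signature is unsigned and therefore ignored."""
    sums, in_body = {}, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            in_body = True
            continue
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if not in_body:
            continue
        if line.startswith("- "):          # undo clearsign dash-escaping
            line = line[2:]
        m = SUM_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def signature_ok(status_text, expected_fpr):
    """True iff gpg reported VALIDSIG and the signing key (or its primary key) has the
    pinned fingerprint. TRUST_UNDEFINED, the source of the warning in the thread, is
    expected and ignored: the pinned fingerprint is the trust decision."""
    want = expected_fpr.replace(" ", "").upper()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # parts[2]: signing key fingerprint; last field: primary key fingerprint
            if want in (parts[2].upper(), parts[-1].upper()):
                return True
    return False


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def installer_matches(sums, name, actual_digest):
    """A file missing from the signed list fails; the comparison is constant-time."""
    expected = sums.get(name)
    return expected is not None and hmac.compare_digest(expected, actual_digest.lower())


def run_gpg_verify(sums_path):
    """Run the real gpg (assumed on PATH, e.g. from the Gpg4win directory named in the
    thread) and return its machine-readable status lines from fd 1."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sums_path],
                          capture_output=True, text=True)
    return proc.stdout


def verify_release(sums_path, installer_path, expected_fpr=EXPECTED_FPR):
    """Full check: signature from the pinned key, then digest of the installer."""
    if not signature_ok(run_gpg_verify(sums_path), expected_fpr):
        return False
    with open(sums_path, encoding="utf-8", errors="replace") as f:
        sums = parse_sha256sums(f.read())
    return installer_matches(sums, os.path.basename(installer_path), sha256_file(installer_path))
```

`verify_release("SHA256SUMS.asc", "bitcoin-0.5.3.1-win32-setup.exe")` reproduces the thread's manual steps end to end. The design point is that `signature_ok` deliberately does not require gpg to report the key as trusted: on a machine where nobody has certified the key, `TRUST_UNDEFINED` is the normal state, and the warning is only resolved by checking the fingerprint against a copy obtained through an independent channel, which is exactly the comparison the function performs.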
cypherdoc
September 27, 2012, 04:28:28 PM
> Umm... that's how I do it, only with command line programs. First of all, it's the SHA256SUMS.asc file that needs to be verified, not the executable itself:
>
> gpg --import c:\wherever\gavinandresen.asc
> gpg --verify c:\wherever\sha256sums.asc
>
> When gpg is happy (gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>") you can take a peek inside the SHA256SUMS.asc file. You will find, amongst other things, this line:
>
> 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32 bitcoin-0.5.3.1-win32-setup.exe
>
> What it tells you is that the current Bitcoin installer package for Windows has a SHA256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32. The digital signature guarantees this information is correct and has not been tampered with. Now let's calculate the checksum of the actual installer:
>
> sha256sum c:\wherever\bitcoin-0.5.3.1-win32-setup.exe
> 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32
>
> Done. HashCalc is a great and free GUI tool you can use to calculate pretty much any checksum you need.

jake, do I need to install HashCalc to check the hash of the bitcoin-0.7.0-win32-setup.exe installer on my Win 7 machine? I noticed that the link only says it's good up to Win XP?
flatfly
September 27, 2012, 06:53:33 PM
There are many other tools available, one example is SFVNinja
cypherdoc
September 27, 2012, 07:17:55 PM
> There are many other tools available, one example is SFVNinja

Thanks. Actually HashCalc worked just fine.