Amph (OP)
Legendary
Offline
Activity: 3248
Merit: 1070
|
|
March 04, 2015, 08:29:08 AM |
|
this last version of bitcoin core is still not signed, under windows 7 it pops up the typical message of untrustworthy sign (unknown publisher bla bla)
9.3 was good in that regard
|
|
|
|
Amph (OP)
Legendary
Offline
Activity: 3248
Merit: 1070
|
|
March 05, 2015, 08:03:07 AM |
|
so no one has the same problem? i ended up removing the check for the message
but the problem is still there
|
|
|
|
Blazr
|
|
March 05, 2015, 08:24:22 AM Last edit: March 05, 2015, 02:51:17 PM by Blazr |
|
They are signed with PGP. Were the other binaries signed by the built-in Windows checker?
Here is how you verify the PGP signatures, though admittedly this is harder to do on Windows than Linux:
- Download gnupg4win (or use the 'gpg' command if on Linux, comes preinstalled on most distros).
- Get a copy of lead developer Wladimir van der Laan's public key: https://bitcoin.org/en/development
- Open a command line and import it with gpg --import <file>
- Get a copy of the PGP signed hashes here: https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc
- Open a command line and verify it using gpg --verify <file>
- If you get a good signature, open the file with notepad and look for the name of your binary, the bit to the left is the hash of the file.
- Calculate the hash of your binary, you can use fciv or openssl (openssl sha256 <file>) if you have it installed, and compare it against the hash in the signed message, if they match your copy is good.
- For extra safety, verify you have the right key for Wladimir by sourcing it from multiple locations.
|
|
|
|
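The hash-comparison step of the procedure above, as an added example that is not part of the original posts. It assumes `gpg --verify` has already reported a good signature from a key you trust, and it reads the expected hash only from inside the signed region of SHA256SUMS.asc, because lines outside the PGP markers are not covered by the signature. All function names and the sample data are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_body(clearsigned):
    """Return only the lines that the PGP signature actually covers."""
    lines = clearsigned.splitlines()
    start = lines.index(BEGIN_MSG)        # ValueError if the marker is missing
    end = lines.index(BEGIN_SIG, start)
    blank = lines.index("", start, end)   # armor headers ("Hash: ...") end here
    # Undo dash-escaping: a signed line starting with "-" is stored as "- -...".
    return [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:end]]

def expected_hash(clearsigned, filename):
    """Look up the SHA-256 listed for `filename` inside the signed region."""
    found = [p[0].lower() for p in (l.split() for l in signed_body(clearsigned))
             if len(p) == 2 and p[1].lstrip("*") == filename]
    if len(found) != 1:
        raise LookupError("need exactly one signed entry for " + filename)
    return found[0]

def file_matches(path, clearsigned, filename):
    """Hash the downloaded file and compare it with the signed entry."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_hash(clearsigned, filename))

def demo():
    # Constructed sample: a forged line sits outside the signed block.
    name, data = "example-setup.exe", b"constructed installer bytes"
    good = hashlib.sha256(data).hexdigest()
    sums = "\n".join(["0" * 64 + "  " + name, BEGIN_MSG, "Hash: SHA256", "",
                      good + "  " + name, BEGIN_SIG,
                      "(placeholder, not a real signature)",
                      "-----END PGP SIGNATURE-----"])
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        ok = file_matches(path, sums, name)
        with open(path, "ab") as f:
            f.write(b"!")  # simulate a modified download
        return expected_hash(sums, name) == good, ok, file_matches(path, sums, name)
```

`demo()` returns `(True, True, False)`: the forged line outside the signed block is ignored, the untouched file matches, and the modified file does not.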
Amph (OP)
Legendary
Offline
Activity: 3248
Merit: 1070
|
|
March 05, 2015, 02:23:34 PM |
|
yeah the other binaries are signed with Windows, you can check yourself for 0.9.3
i'll try your suggestion, thank you
|
|
|
|
grue
Legendary
Offline
Activity: 2058
Merit: 1452
|
|
March 05, 2015, 04:50:30 PM |
|
but they are signed the actual executables are not signed, but that was always the case.
|
|
|
|
cakir
Legendary
Offline
Activity: 1274
Merit: 1000
|
|
March 05, 2015, 05:12:01 PM |
|
Bitcoin-qt.exe is not signed. But setup is signed, so I think that's not a big deal. Ps: I've checked only x64 versions; I used this tool: https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
|
|
|
|
|
|
|
BillyBobZorton
Legendary
Offline
Activity: 1204
Merit: 1028
|
|
March 05, 2015, 05:15:34 PM |
|
As long as the hash matches with the download from the official website you are good to go.
|
|
|
|
Blazr
|
|
March 05, 2015, 07:15:30 PM |
|
As long as the hash matches with the download from the official website you are good to go.
What if the website has been hacked and the hacker has replaced the download with one that contains a backdoor and then changed the hash? If you want to be sure your copy of a Bitcoin client hasn't been tampered with you really need to verify it is signed with a trusted key.
|
|
|
|
|
btchris
|
|
March 06, 2015, 11:50:57 PM |
|
This version of HashCheck (full disclosure: this is my repo [1]) supports SHA-256, and can be used to check hashes on Windows: https://github.com/gurnec/HashCheck/releases
Just download the .asc file from https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc and/or https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc into the same directory as the installer or archive, and double-click it. Verifying the PGP signatures (as Blazr detailed) is more secure, though.
What if the website has been hacked and the hacker has replaced the download with one that contains a backdoor and then changed the hash?
If you want to be sure your copy of a Bitcoin client hasn't been tampered with you really need to verify it is signed with a trusted key.
Agreed.
[1] It's my repo, but all credits for HashCheck go to its original author, Kai Liu. I only added SHA-256 support.
|
|
|
|
Amph (OP)
Legendary
Offline
Activity: 3248
Merit: 1070
|
|
March 08, 2015, 10:37:01 AM |
|
but they are signed the actual executables are not signed, but that was always the case.
not with 0.9.3 (or even older versions), at least on windows 7 for everyone, i'm talking about the exe
As long as the hash matches with the download from the official website you are good to go.
yeah, but i don't like when that windows msg pops up, just a personal thing
|
|
|
|
Kimochii
Full Member
Offline
Activity: 168
Merit: 100
Professional Gamer
|
|
March 10, 2015, 07:24:32 AM |
|
yeah, but i don't like when that windows msg pops up, just a personal thing
It is indeed.
|
|
|
|
Cryptowatch.com
|
|
March 10, 2015, 10:06:00 AM |
|
yeah, but i don't like when that windows msg pops up, just a personal thing
Just as a side note, with no intention of derailing the thread completely. You might want to look into using a Linux distro as a desktop OS. In general security is better than on Windows, and you're supporting the same philosophy that underpins bitcoin, i.e. freedom and choice. For Linux you also have the possibility of looking at the source code and many do daily, whereas with Windows, you just have to trust a single company. Updates are more frequent for Linux distros. As for user friendliness, Linux has really come a long way these days. Malware and other nasties are mostly aimed at platforms where the most users are, so that would be Windows. In addition to the newest Linux distros being user-friendly, it's quite possible to look under the hood, and tinker with everything you want to adjust, *nix variants are highly customizable. So if you don't mind the learning experience and jumping into the unknown (assuming you're unfamiliar with Linux), I can greatly recommend trying it out. There are even installers meaning you can install Linux directly from Windows, without a problem, and even run the operating systems in parallel. If you don't want to get rid of Windows, but just want to try it out, you could as well install a virtual machine like VMware or similar, and try it out that way, or you could get a cheap VPS to learn to work on the command line. /my 2 cents.
|
|
|
|
|