Bitcoin Forum
November 12, 2024, 09:22:25 AM *
Author Topic: Bitcoin core 0.1 not signed  (Read 1674 times)
Amph (OP)
March 04, 2015, 08:29:08 AM
 #1

this last version of bitcoin core is still not signed, under windows 7 it pops up the typical message of untrustworthy sign (unknown publisher bla bla)

9.3 was good in that regard
Amph (OP)
March 05, 2015, 08:03:07 AM
 #2

so no one has the same problem? i ended up removing the check for the message

but the problem is still there
Blazr
March 05, 2015, 08:24:22 AM
Last edit: March 05, 2015, 02:51:17 PM by Blazr
 #3

They are signed with PGP. Were the other binaries signed by the built-in Windows checker?

Here is how you verify the PGP signatures, though admittedly this is harder to do on Windows than Linux:

- Download gnupg4win (or use the 'gpg' command if on Linux, comes preinstalled on most distros).
- Get a copy of lead developer Wladimir van der Laan's public key: https://bitcoin.org/en/development
- Open a command line and import it with gpg --import <file>
- Get a copy of the PGP signed hashes here: https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc
- Open a command line and verify it using gpg --verify <file>
- If you get good signature, open the file with notepad and look for the name of your binary, the bit to the left is the hash of the file.
- Calculate the hash of your binary, you can use fciv or openssl (openssl sha256 <file>) if you have it installed, and compare it against the hash in the signed message, if they match your copy is good.
- For extra safety, verify you have the right key for Wladimir by sourcing it from multiple locations.
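
The steps in the post above, scripted as an added example (not part of the original post and not the Bitcoin Core project's tooling). It goes one step further than reading the .asc in a text editor: the hash list is taken from gpg's own output, so only text covered by the signature is searched, and the signing key is pinned by a fingerprint you supply. The function names are hypothetical; gpg, sha256sum and awk are assumed to be installed and the release key already imported.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes gpg, sha256sum and awk are on
# PATH and that the release key was already imported with gpg --import.

# Print only the text covered by a good signature from the expected key.
# $1 = SHA256SUMS.asc, $2 = key fingerprint (40 uppercase hex digits, no spaces)
signed_body() {
    local status body
    status=$(mktemp) || return 1
    # --decrypt on a clearsigned file emits just the signed text, so lines
    # placed outside the signature block never reach the hash lookup.
    body=$(gpg --batch --status-fd 3 --decrypt "$1" 3>"$status" 2>/dev/null) \
        || { rm -f "$status"; return 1; }
    # VALIDSIG names the signing (sub)key first and the primary key last.
    awk -v fp="$2" '$2 == "VALIDSIG" && ($3 == fp || $NF == fp) { ok = 1 }
                    END { exit !ok }' "$status" || { rm -f "$status"; return 1; }
    rm -f "$status"
    printf '%s\n' "$body"
}

# Read "hash  name" lines on stdin and print the SHA-256 listed for name $1.
expected_hash() {
    awk -v name="$1" '{ f = $2; sub(/^\*/, "", f)
        if (f == name && length($1) == 64) { print tolower($1); exit } }'
}

# SHA-256 of a local file as lowercase hex.
actual_hash() {
    sha256sum "$1" | awk '{ print tolower($1) }'
}

# $1 = downloaded file, stdin = signed hash list. Succeeds only on a match;
# an empty list (signature check failed upstream) is a failure.
matches_signed_list() {
    local want have
    want=$(expected_hash "$(basename "$1")") || return 1
    [ -n "$want" ] || return 1
    have=$(actual_hash "$1") || return 1
    [ "$want" = "$have" ]
}

# $1 = downloaded file, $2 = SHA256SUMS.asc, $3 = release key fingerprint
verify_release() {
    signed_body "$2" "$3" | matches_signed_list "$1"
}
```

Call `verify_release <installer> SHA256SUMS.asc <fingerprint>` and check its exit status; the fingerprint should come from more than one source, as the last step of the post says.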

Amph (OP)
March 05, 2015, 02:23:34 PM
 #4

yeah the other binaries are signed with Windows, you can check yourself for 0.9.3

i'll try your suggestion, thank you
grue
March 05, 2015, 04:50:30 PM
 #5

but they are signed


the actual executables are not signed, but that was always the case.

cakir
March 05, 2015, 05:12:01 PM
 #6

Bitcoin-qt.exe is not signed. But setup is signed, so I think that's not a big deal.
Ps: I've checked only x64 versions;


I used this tool: https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx


BillyBobZorton
March 05, 2015, 05:15:34 PM
 #7

As long as the hash matches with the download from the official website you are good to go.
Blazr
March 05, 2015, 07:15:30 PM
 #8

As long as the hash matches with the download from the official website you are good to go.

What if the website has been hacked and the hacker has replaced the download with one that contains a backdoor and then changed the hash?

If you want to be sure your copy of a Bitcoin client hasn't been tampered with you really need to verify it is signed with a trusted key.

Newar
March 06, 2015, 01:57:02 PM
 #9


Hashes are also published at https://github.com/bitcoin/gitian.sigs  So the hacker would have to change those too.

The release hashes are GPG signed https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc   Another thing you can check.

btchris

a.k.a. gurnec on GitHub


March 06, 2015, 11:50:57 PM
 #10

This version of HashCheck (full disclosure: this is my repo[1]) supports SHA-256, and can be used to check hashes on Windows: https://github.com/gurnec/HashCheck/releases

Just download the .asc file from https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc and/or https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc into the same directory as the installer or archive, and double-click it.



Verifying the PGP signatures (as Blazr detailed) is more secure, though.

What if the website has been hacked and the hacker has replaced the download with one that contains a backdoor and then changed the hash?

If you want to be sure your copy of a Bitcoin client hasn't been tampered with you really need to verify it is signed with a trusted key.

Agreed.


[1] It's my repo, but all credits for HashCheck go to its original author, Kai Liu. I only added SHA-256 support.
Amph (OP)
March 08, 2015, 10:37:01 AM
 #11

but they are signed


the actual executables are not signed, but that was always the case.

not with 0.9.3(or even older version), at least on windows 7

for everyone, i'm talking about the exe

As long as the hash matches with the download from the official website you are good to go.

yeah, but i don't like when that windows msg pops up, just a personal thing
Kimochii
March 10, 2015, 07:24:32 AM
 #12



yeah, but i don't like when that windows msg pops up, just a personal thing
It is indeed.

Cryptowatch.com
March 10, 2015, 10:06:00 AM
 #13

yeah, but i don't like when that windows msg pops up, just a personal thing

Just as a side note, with no intention of derailing the thread completely. You might want to look into using a Linux distro as a desktop OS. In general security is better than on Windows, and you're supporting the same philosophy that underpins bitcoin, i.e. freedom and choice. For Linux you also have the possibility of looking at the source code and many do daily, whereas with Windows, you just have to trust a single company. Updates are more frequent for Linux distros. As for user friendliness, Linux has really come a long way these days. Malware and other nasties are mostly aimed at platforms where the most users are, so that would be Windows. In addition to the newest Linux distros being user-friendly, it's quite possible to look under the hood, and tinker with everything you want to adjust, *nix variants are highly customizable. So if you don't mind the learning experience and jumping into the unknown (assuming you're unfamiliar with Linux), I can greatly recommend trying it out. There are even installers meaning you can install Linux directly from Windows, without a problem, and even run the operating systems in parallel. If you don't want to get rid of Windows, but just want to try it out, you could as well install a virtual machine like VMware or similar, and try it out that way, or you could get a cheap VPS to learn to work on the command line.

/my 2 cents.
