Add script to contrib/ that verifies authenticity of binaries hosted on SourceForge #1935

Merged
merged 1 commit into from Oct 29, 2012

Projects

None yet

4 participants

@runeksvendsen
Contributor

This script downloads the SHA256SUMS.asc file from SourceForge for a given release (version can be specified on the command line), which contains Gavin's signature of the hashes of the Bitcoin binaries. It verifies that the signature is valid, downloads the files specified in the signature file, and checks that the hashes of these files match with those signed by Gavin.

@luke-jr luke-jr commented on the diff Oct 15, 2012
contrib/verifysfbinaries/verify.sh
+
+#then we check it
+GPGOUT=$(gpg --yes --decrypt --output "$TMPFILE" "$SIGNATUREFILENAME" 2>&1)
+
+#return value 0: good signature
+#return value 1: bad signature
+#return value 2: gpg error
+
+RET="$?"
+if [ $RET -ne 0 ]; then
+ if [ $RET -eq 1 ]; then
+ #and notify the user if it's bad
+ echo "Bad signature."
+ elif [ $RET -eq 2 ]; then
+ #or if a gpg error has occured
+ echo "gpg error. Do you have Gavin's code signing key installed?"
luke-jr
luke-jr Oct 15, 2012 Member

Not all releases are signed by Gavin (notably stable/backport releases are not), and users probably shouldn't be expected to setup the key themselves anyway. There are a bunch of PGP keys in git already for verifying against - any way to use those easily?

runeksvendsen
runeksvendsen Oct 15, 2012 Contributor

0.7.0 is signed by Gavin. Is that not a stable release?
I considered including installation of the key in the script, but I figured it was preferable to let the users install these by themselves. But now that you point it out, I'm not sure why the script shouldn't just install if it reaches the line above.

Where are those PGP keys in git that you mention? Also, I'd have to know who signs what with which keys in order to know how to use them.

It would be better if all the heavily involved developers sign the executables. That way it'd be even harder for an attacker to somehow get past this (by getting hold of Gavin's key, for example).

luke-jr
luke-jr Oct 15, 2012 Member

0.7.0 is a first-time stable release: it's built off master, not a stable branch.

I wouldn't suggest touching the user's PGP setup, but verifying without touching it. If GPG really needs to keep keys somewhere, ~/.bitcoin/.gnupg or similar makes sense.

contrib/gitian-downloader contains PGP keys. There's also a git repository here on GitHub with signatures of multiple developers for most releases which would be better to use than the SHA256SUMS file (which can only have one signature).

gavinandresen
gavinandresen Oct 15, 2012 Contributor

... but we don't want Runek to end up reinventing gitian-downloader, and I hate making 'perfect the enemy of the good'.

So I vote this gets pulled as-is, because it is much better than the nothing we have now.

runeksvendsen
runeksvendsen Oct 15, 2012 Contributor

I wouldn't suggest touching the user's PGP setup, but verifying without touching it. If GPG really needs to keep keys somewhere, ~/.bitcoin/.gnupg or similar makes sense.

OK. Then I misunderstood you. So you're saying the script should pull in a public key from a remote location and use that to verify? That makes sense.
This would create another point of attack though. I figured the best way was to let the users who run the script store the keys themselves, so these can't be modified easily by an adversary.

contrib/gitian-downloader contains PGP keys. There's also a git repository here on GitHub with signatures of multiple developers for most releases which would be better to use than the SHA256SUMS file (which can only have one signature).

The threat that this script tries to mitigate is that of an adversary replacing the binaries on SourceForge (I made it after reading this thread: https://bitcointalk.org/index.php?topic=113018.0). So the devs in question need to sign the binaries that are linked to on bitcoin.org. Is this the case wrt. to the git repo you're referencing?
As far as I can see, this is not what is signed in this repo at least: https://github.com/bitcoin/gitian.sigs/ - is this the repository you're talking about?

luke-jr
luke-jr Oct 15, 2012 Member

No, since this script is going into the git repository, it should be able to assume it has the PGP keys in that directory already. I just mean touching the user's personal PGP key library is probably a bad idea.

https://github.com/bitcoin/gitian.sigs should match the binaries on SF: the installers as-is, and the contents of the ZIP files and tarballs.

@gavinandresen ACK, you're right this would probably end up equivalent and doesn't do any harm to pull as-is.

Automatic sanity-testing: PASSED, see http://jenkins.bluematt.me/pull-tester/de91ea0c0c2fead60bfe9a531558cbe1c562346e for binaries and test log.

@gavinandresen gavinandresen merged commit a77bcad into bitcoin:master Oct 29, 2012
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment