Add script to contrib/ that verifies authenticity of binaries hosted on SourceForge #1935

Merged (1 commit, Oct 29, 2012)

runeksvendsen (Contributor) commented Oct 15, 2012

This script downloads the SHA256SUMS.asc file from SourceForge for a given release (version can be specified on the command line), which contains Gavin's signature of the hashes of the Bitcoin binaries. It verifies that the signature is valid, downloads the files specified in the signature file, and checks that the hashes of these files match with those signed by Gavin.

```sh
echo "Bad signature."
elif [ $RET -eq 2 ]; then
# or if a gpg error has occurred
echo "gpg error. Do you have Gavin's code signing key installed?"
```

luke-jr (Member) commented Oct 15, 2012

Not all releases are signed by Gavin (notably stable/backport releases are not), and users probably shouldn't be expected to set up the key themselves anyway. There are a bunch of PGP keys in git already for verifying against - any way to use those easily?

runeksvendsen (Author, Contributor) commented Oct 15, 2012

0.7.0 is signed by Gavin. Is that not a stable release?
I considered including installation of the key in the script, but I figured it was preferable to let the users install these by themselves. But now that you point it out, I'm not sure why the script shouldn't just install if it reaches the line above.

Where are those PGP keys in git that you mention? Also, I'd have to know who signs what with which keys in order to know how to use them.

It would be better if all the heavily involved developers sign the executables. That way it'd be even harder for an attacker to somehow get past this (by getting hold of Gavin's key, for example).

luke-jr (Member) commented Oct 15, 2012

0.7.0 is a first-time stable release: it's built off master, not a stable branch.

I wouldn't suggest touching the user's PGP setup, but verifying without touching it. If GPG really needs to keep keys somewhere, ~/.bitcoin/.gnupg or similar makes sense.

contrib/gitian-downloader contains PGP keys. There's also a git repository here on GitHub with signatures of multiple developers for most releases which would be better to use than the SHA256SUMS file (which can only have one signature).

gavinandresen (Contributor) commented Oct 15, 2012

... but we don't want Runek to end up reinventing gitian-downloader, and I hate making 'perfect the enemy of the good'.

So I vote this gets pulled as-is, because it is much better than the nothing we have now.

runeksvendsen (Author, Contributor) commented Oct 15, 2012

> I wouldn't suggest touching the user's PGP setup, but verifying without touching it. If GPG really needs to keep keys somewhere, ~/.bitcoin/.gnupg or similar makes sense.

OK. Then I misunderstood you. So you're saying the script should pull in a public key from a remote location and use that to verify? That makes sense.
This would create another point of attack though. I figured the best way was to let the users who run the script store the keys themselves, so these can't be modified easily by an adversary.

> contrib/gitian-downloader contains PGP keys. There's also a git repository here on GitHub with signatures of multiple developers for most releases which would be better to use than the SHA256SUMS file (which can only have one signature).

The threat that this script tries to mitigate is that of an adversary replacing the binaries on SourceForge (I made it after reading this thread: https://bitcointalk.org/index.php?topic=113018.0). So the devs in question need to sign the binaries that are linked to on bitcoin.org. Is this the case wrt. to the git repo you're referencing?
As far as I can see, this is not what is signed in this repo at least: https://github.com/bitcoin/gitian.sigs/ - is this the repository you're talking about?

luke-jr (Member) commented Oct 15, 2012

No, since this script is going into the git repository, it should be able to assume it has the PGP keys in that directory already. I just mean touching the user's personal PGP key library is probably a bad idea.

https://github.com/bitcoin/gitian.sigs should match the binaries on SF: the installers as-is, and the contents of the ZIP files and tarballs.

@gavinandresen ACK, you're right this would probably end up equivalent and doesn't do any harm to pull as-is.
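As an added example (not the PR's script and not project code), here is the flow from the PR description combined with luke-jr's suggestion of verifying without touching the user's keyring: keys from a directory are imported into a throwaway GNUPGHOME, the clearsigned manifest is verified there, and the listed files are then checked with sha256sum. It assumes gpg and coreutils are installed and that the manifest's checksum lines are in `sha256sum` format ("<64 hex digits>  <filename>"); the downloads themselves are left out.

```sh
#!/bin/sh
# Added example: verify a clearsigned SHA256SUMS.asc against keys kept in a
# directory, using a temporary GNUPGHOME so the user's own keyring is never
# read or modified, then check the files it lists. Assumed manifest line
# format: "<64 hex digits>  <filename>" (as produced by sha256sum).

# Import every key file in $2 into a temporary GNUPGHOME and verify $1 there.
# Returns gpg's status (0 good signature, 1 bad signature, 2 gpg error such
# as no matching key) or 3 if the temporary keyring could not be built.
verify_manifest() {
    manifest="$1"; keydir="$2"
    tmphome=$(mktemp -d) || return 3
    for key in "$keydir"/*; do
        gpg --homedir "$tmphome" --batch --quiet --import "$key" >/dev/null 2>&1 \
            || { rm -rf "$tmphome"; return 3; }
    done
    gpg --homedir "$tmphome" --batch --verify "$manifest" >/dev/null 2>&1
    ret=$?
    rm -rf "$tmphome"
    return $ret
}

# Check that every file named in manifest $1 exists in directory $2 with the
# listed SHA256. Only well-formed checksum lines are used, so the PGP armour
# and anything else in the clearsigned file is never interpreted; names
# containing '/' are rejected so a manifest cannot point outside $2.
# Returns 0 only if every listed file is present and matches.
check_hashes() {
    manifest="$1"; dir="$2"
    lines=$(grep -E '^[0-9a-f]{64}  [^/]+$' "$manifest") || return 1
    ( cd "$dir" && printf '%s\n' "$lines" | sha256sum -c --quiet --strict ) >/dev/null 2>&1
}

# Usage: verify_release SHA256SUMS.asc <keydir> <dir-with-downloaded-files>
verify_release() {
    verify_manifest "$1" "$2"
    case $? in
        0) ;;
        1) echo "Bad signature." >&2; return 1 ;;
        *) echo "gpg error: is the signing key present in $2?" >&2; return 2 ;;
    esac
    check_hashes "$1" "$3" || { echo "Hash mismatch or missing file." >&2; return 1; }
    echo "All files verified."
}

if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```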

BitcoinPullTester commented Oct 19, 2012

Automatic sanity-testing: PASSED, see http://jenkins.bluematt.me/pull-tester/de91ea0c0c2fead60bfe9a531558cbe1c562346e for binaries and test log.

gavinandresen added a commit that referenced this pull request Oct 29, 2012

Merge pull request #1935 from runeksvendsen/master
Add script to contrib/ that verifies authenticity of binaries hosted on SourceForge

@gavinandresen gavinandresen merged commit a77bcad into bitcoin:master Oct 29, 2012

laudney pushed a commit to reddcoin-project/reddcoin that referenced this pull request Mar 19, 2014

Merge pull request bitcoin#1935 from runeksvendsen/master
Add script to contrib/ that verifies authenticity of binaries hosted on SourceForge