Topic: Bitcoin core 0.1 not signed (Read 1657 times)

full member
Activity: 196
Merit: 103
March 10, 2015, 06:06:00 AM
#13
yeah, but I don't like when that Windows msg pops up, just a personal thing

Just as a side note, with no intention of derailing the thread completely. You might want to look into using a Linux distro as a desktop OS. In general security is better than on Windows, and you're supporting the same philosophy that underpins bitcoin, i.e. freedom and choice. For Linux you also have the possibility of looking at the source code and many do daily, whereas with Windows, you just have to trust a single company. Updates are more frequent for Linux distros. As for user friendliness, Linux has really come a long way these days. Malware and other nasties are mostly aimed at platforms where the most users are, so that would be Windows. In addition to the newest Linux distros being user-friendly, it's quite possible to look under the hood and tinker with everything you want to adjust; *nix variants are highly customizable. So if you don't mind the learning experience and jumping into the unknown (assuming you're unfamiliar with Linux), I can greatly recommend trying it out. There are even installers, meaning you can install Linux directly from Windows without a problem, and even run the operating systems in parallel. If you don't want to get rid of Windows, but just want to try it out, you could as well install a virtual machine like VMware or similar, and try it out that way, or you could get a cheap VPS to learn to work on the command line.

/my 2 cents.

full member
Activity: 168
Merit: 100
Professional Gamer
March 10, 2015, 03:24:32 AM
#12


yeah, but I don't like when that Windows msg pops up, just a personal thing
It is indeed.
legendary
Activity: 3206
Merit: 1069
March 08, 2015, 06:37:01 AM
#11
but they are signed


the actual executables are not signed, but that was always the case.

not with 0.9.3 (or even older versions), at least on Windows 7

for everyone, I'm talking about the exe

As long as the hash matches with the download from the official website you are good to go.

yeah, but I don't like when that Windows msg pops up, just a personal thing
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
March 06, 2015, 07:50:57 PM
#10
This version of HashCheck (full disclosure: this is my repo[1]) supports SHA-256, and can be used to check hashes on Windows: https://github.com/gurnec/HashCheck/releases

Just download the .asc file from https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc and/or https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc into the same directory as the installer or archive, and double-click it.



Verifying the PGP signatures (as Blazr detailed) is more secure, though.

What if the website has been hacked and the hacker has replaced the download with one that contains a backdoor and then changed the hash?

If you want to be sure your copy of a Bitcoin client hasn't been tampered with you really need to verify it is signed with a trusted key.

Agreed.


[1] It's my repo, but all credits for HashCheck go to its original author, Kai Liu. I only added SHA-256 support.
legendary
Activity: 1358
Merit: 1000
https://gliph.me/hUF
March 06, 2015, 09:57:02 AM
#9

Hashes are also published at https://github.com/bitcoin/gitian.sigs  So the hacker would have to change those too.

The release hashes are GPG signed https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc   Another thing you can check.
hero member
Activity: 882
Merit: 1005
March 05, 2015, 03:15:30 PM
#8
As long as the hash matches with the download from the official website you are good to go.

What if the website has been hacked and the hacker has replaced the download with one that contains a backdoor and then changed the hash?

If you want to be sure your copy of a Bitcoin client hasn't been tampered with you really need to verify it is signed with a trusted key.
legendary
Activity: 1204
Merit: 1028
March 05, 2015, 01:15:34 PM
#7
As long as the hash matches with the download from the official website you are good to go.
legendary
Activity: 1274
Merit: 1000
★ BitClave ICO: 15/09/17 ★
March 05, 2015, 01:12:01 PM
#6
Bitcoin-qt.exe is not signed. But the setup is signed, so I think that's not a big deal.
PS: I've checked only x64 versions.


I used this tool: https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
legendary
Activity: 2058
Merit: 1431
March 05, 2015, 12:50:30 PM
#5
but they are signed


the actual executables are not signed, but that was always the case.
legendary
Activity: 3206
Merit: 1069
March 05, 2015, 10:23:34 AM
#4
yeah, the other binaries are signed with Windows, you can check yourself for 0.9.3

I'll try your suggestion, thank you
hero member
Activity: 882
Merit: 1005
March 05, 2015, 04:24:22 AM
#3
They are signed with PGP. Were the other binaries signed by the built-in Windows checker?

Here is how you verify the PGP signatures, though admittedly this is harder to do on Windows than Linux:

- Download gnupg4win (or use the 'gpg' command if on Linux, comes preinstalled on most distros).
- Get a copy of lead developer Wladimir van der Laan's public key: https://bitcoin.org/en/development
- Open a command line and import it with gpg --import
- Get a copy of the PGP signed hashes here: https://bitcoin.org/bin/bitcoin-core-0.10.0/SHA256SUMS.asc
- Open a command line and verify it using gpg --verify
- If you get a good signature, open the file with Notepad and look for the name of your binary; the bit to the left is the hash of the file.
- Calculate the hash of your binary, you can use fciv or openssl (openssl sha256 ) if you have it installed, and compare it against the hash in the signed message; if they match, your copy is good.
- For extra safety, verify you have the right key for Wladimir by sourcing it from multiple locations.
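
Added example (not part of the post above, and not Bitcoin Core's own tooling): the hash-comparison steps at the end of that procedure in Python, to be run only after `gpg --verify` has reported a good signature. It reads hash lines only from inside the clearsigned region, because text before the header or after the signature block is not covered by the signature; the function names, `installer.exe` and the sample listing are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def signed_hashes(clearsigned_text):
    """Map filename -> SHA-256 hex, reading only lines inside the signed region."""
    lines = clearsigned_text.splitlines()
    start = lines.index(BEGIN_MSG)           # ValueError if the file is not clearsigned
    end = lines.index(BEGIN_SIG, start)
    body = lines.index("", start) + 1        # armor headers ("Hash: ...") end at a blank line
    hashes = {}
    for line in lines[body:end]:
        if line.startswith("- "):            # undo clearsign dash-escaping
            line = line[2:]
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            hashes[parts[1].lstrip("*").strip()] = parts[0].lower()
    return hashes


def file_sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # chunked: large installers
            digest.update(chunk)
    return digest.hexdigest()


def matches_signed_hash(clearsigned_text, path, listed_name):
    """True only if listed_name appears in the signed region with this file's hash."""
    expected = signed_hashes(clearsigned_text).get(listed_name)
    return expected is not None and hmac.compare_digest(expected, file_sha256(path))


def demo():
    """Constructed sample: a temp file and a made-up listing with a placeholder signature."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"constructed installer bytes")
    text = "\n".join([
        "f" * 64 + "  installer.exe",        # unsigned line above the header: ignored
        BEGIN_MSG, "Hash: SHA256", "", file_sha256(fh.name) + "  installer.exe",
        BEGIN_SIG, "(placeholder)", "-----END PGP SIGNATURE-----"])
    ok = matches_signed_hash(text, fh.name, "installer.exe")
    os.unlink(fh.name)
    return ok
```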
legendary
Activity: 3206
Merit: 1069
March 05, 2015, 04:03:07 AM
#2
so no one has the same problem? I ended up removing the check for the message

but the problem is still there
legendary
Activity: 3206
Merit: 1069
March 04, 2015, 04:29:08 AM
#1
this last version of bitcoin core is still not signed, under Windows 7 it pops up the typical message of untrustworthy sign (unknown publisher bla bla)

9.3 was good in that regard