Topic: Bitcoin Signed Binaries - page 3. (Read 5411 times)

legendary
Activity: 2058
Merit: 1431
May 30, 2011, 05:39:19 PM
#12
On 0.4.0 PGP signing:
Starting with 0.4.0, the bitcoin releases on Win32 will be generated deterministically (assuming me/devrandom have enough time to code the specifics) and signed by all the Bitcoin developers who have the ability to do so.  The "installer" will then install a minimal script and the relevant dependencies to the Bitcoin folder and then run that script.  That script then downloads the latest version of Bitcoin and checks that enough signatures are on it for it to be considered trusted and install that version.  The script will (hopefully) also be used to update bitcoin when new versions come out.

On code signing:
This one is a bit more difficult.  Because Bitcoin will be built deterministically, we have two options.  A. send the code signing private key around to all the devs for that to be a part of the building process (this is even harder as the building happens on Linux via the MinGW cross compiler) or B. find a way to strip out the code signing certificate in the download script and then check the stripped version instead of the signed version.  I googled this pretty quick and saw no simple CLI program which will do this, but I might have missed something as I didn't spend too much time on it.  If anyone finds something, please tell me.
Auto-update = super bad idea. If an attacker can compromise the script, he can make tons of rogue clients.
hero member
Activity: 755
Merit: 515
May 30, 2011, 05:35:18 PM
#11
On 0.4.0 PGP signing:
Starting with 0.4.0, the bitcoin releases on Win32 will be generated deterministically (assuming me/devrandom have enough time to code the specifics) and signed by all the Bitcoin developers who have the ability to do so.  The "installer" will then install a minimal script and the relevant dependencies to the Bitcoin folder and then run that script.  That script then downloads the latest version of Bitcoin and checks that enough signatures are on it for it to be considered trusted and install that version.  The script will (hopefully) also be used to update bitcoin when new versions come out.

On code signing:
This one is a bit more difficult.  Because Bitcoin will be built deterministically, we have two options.  A. send the code signing private key around to all the devs for that to be a part of the building process (this is even harder as the building happens on Linux via the MinGW cross compiler) or B. find a way to strip out the code signing certificate in the download script and then check the stripped version instead of the signed version.  I googled this pretty quick and saw no simple CLI program which will do this, but I might have missed something as I didn't spend too much time on it.  If anyone finds something, please tell me.
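Option B above, as an added example that is not code from this thread or from the Bitcoin project: compute a digest of a Windows PE that leaves out the Authenticode signature, so a deterministic build can be compared against the signed download without the certificate blob getting in the way. The names `authenticode_hash` and `build_pe` and the synthetic PE bytes are constructed for illustration; the hash applies the Authenticode exclusions (CheckSum field, Security data-directory entry, certificate table) in a simplified form that assumes a gap-free file.

```python
import hashlib
import struct

def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Simplified Authenticode digest: whole file minus CheckSum, the Security
    data-directory entry and the certificate table it points at.  A production
    verifier must also hash sections in PointerToRawData order per the spec."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                          # optional header follows PE sig + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)   # PE32 / PE32+ data directories
    if dd_base is None:
        raise ValueError("unknown optional header magic")
    checksum_off = opt + 64                      # CheckSum sits at +64 in both formats
    secdir_off = dd_base + 4 * 8                 # IMAGE_DIRECTORY_ENTRY_SECURITY = 4
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])                # up to (not including) CheckSum
    h.update(data[checksum_off + 4:secdir_off])  # up to the Security entry
    if cert_size == 0:
        h.update(data[secdir_off + 8:])          # unsigned: hash the rest
    elif cert_off < secdir_off + 8 or cert_off + cert_size > len(data):
        raise ValueError("certificate table outside file")
    else:
        h.update(data[secdir_off + 8:cert_off])  # everything before the cert table
        h.update(data[cert_off + cert_size:])    # and anything after it
    return h.hexdigest()

def build_pe(body: bytes, cert: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (not a real binary); `cert` is appended
    as the attribute certificate table, as a signing tool would do."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # SizeOfOptionalHeader = 224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    cert_off = len(dos) + 4 + len(coff) + len(opt) + len(body)
    if cert:
        struct.pack_into("<I", opt, 64, 0xDEADBEEF)                # signing tools rewrite CheckSum
        struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + body + cert

if __name__ == "__main__":
    body = b"\x90" * 64 + b"deterministic build output"
    unsigned, signed = build_pe(body), build_pe(body, b"\x30\x82FAKE-PKCS7-BLOB")
    print(authenticode_hash(unsigned) == authenticode_hash(signed))   # True
```

The digest of the plain deterministic build matches the digest of the signed copy, while a one-byte change to the code body changes it; the certificate itself still has to be checked by the platform's Authenticode verifier.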
member
Activity: 105
Merit: 10
May 30, 2011, 04:36:40 PM
#10
The $180 price includes my reseller discount and $25 of my own money.  I feel comfortable with that level of assistance.
legendary
Activity: 2058
Merit: 1431
May 30, 2011, 04:28:04 PM
#9
I am a GlobalSign reseller and I will sell a Microsoft Authenticode Code Signing Certificate for the BTC equivalent of $180 USD.  The retail price for this certificate is $229.
any chance you can donate this certificate to the bitcoin community?
ene
newbie
Activity: 42
Merit: 0
May 30, 2011, 02:29:09 PM
#8
there's no need for signing the binaries. the release announcements are pgp signed, with a hash of the binaries.

Not everybody has PGP installed.
member
Activity: 105
Merit: 10
May 30, 2011, 01:42:10 PM
#7
There's also the Certificate for Individuals which retails at $99, but I'm not sure if that's appropriate for this purpose.

[edit]

I will sell this one for $50, but it will have the name of an individual on the certificate, not an organization.

http://www.globalsign.com/code-signing/buy-code-signing-for-individual-developers.html
member
Activity: 105
Merit: 10
May 30, 2011, 01:11:15 PM
#6
I am a GlobalSign reseller and I will sell a Microsoft Authenticode Code Signing Certificate for the BTC equivalent of $180 USD.  The retail price for this certificate is $229.

legendary
Activity: 1442
Merit: 1005
May 30, 2011, 07:24:35 AM
#5
On topic, I downloaded a RC bitcoin client from sourceforge, and NOD32 stopped the download because it got a PE/NewHeur trojan warning. None of the other releases give this warning. How can we be sure the binaries published on the official source control hubs are free of malware?
legendary
Activity: 1526
Merit: 1129
May 30, 2011, 07:21:52 AM
#4
No, the binaries should be signed for the AV reasons discussed previously. It doesn't happen, basically because "nobody got around to it yet". There's work in progress to move to reproducible builds in which multiple trusted developers check that the source code compiles to the binary being released, and then all sign that. Certainly a regular Win32 signature should be included as part of that process and I'm sure soon it will be.
legendary
Activity: 2058
Merit: 1431
May 29, 2011, 11:45:30 AM
#3
there's no need for signing the binaries. the release announcements are pgp signed, with a hash of the binaries.
hero member
Activity: 644
Merit: 503
May 29, 2011, 08:27:57 AM
#2
I have to ask why there are no signed binaries of the Bitcoin Clients? The bitcoin client is the center of what should be a very secure system for an individual. (Unless their primary accounts are on MtGox or a similar site, in which case they have to trust ssl and MtGox.)

On Windows the binary has no digital signature on the executable. Other less important software has digital signatures (media players, games, even poker clients are signed (PartyPoker is signed with a Thawte verified certificate)).

On Linux, there are no hashes available of the current distribution .tar.gz. Ubuntu offers hashes of their product through an SSL-encrypted page: https://help.ubuntu.com/community/UbuntuHashes

PGP signatures for communication with bitcoin developers are readily available on the bitcoin.org front page next to their email addresses. Why aren't there verifiable gpg signatures for the binary downloads also available?
Good question! I'd imagine it's because the developers are overworked and underpaid!

I'm not sure how practical digital signatures would be in the short term, as Thawte etc will charge for them - but hopefully someone nearer the issue than me can comment.

Regarding hashes, that should be pretty easy to implement - but I'd imagine it's time that's the problem. I don't suppose you'd be able to volunteer to help out the devs with this?
newbie
Activity: 11
Merit: 0
May 29, 2011, 08:22:14 AM
#1
I have to ask why there are no signed binaries of the Bitcoin Clients? The bitcoin client is the center of what should be a very secure system for an individual. (Unless their primary accounts are on MtGox or a similar site, in which case they have to trust ssl and MtGox.)

On Windows the binary has no digital signature on the executable. Other less important software has digital signatures (media players, games, even poker clients are signed (PartyPoker is signed with a Thawte verified certificate)).

On Linux, there are no hashes available of the current distribution .tar.gz. Ubuntu offers hashes of their product through an SSL-encrypted page: https://help.ubuntu.com/community/UbuntuHashes

PGP signatures for communication with bitcoin developers are readily available on the bitcoin.org front page next to their email addresses. Why aren't there verifiable gpg signatures for the binary downloads also available?