Topic: Having problems verifying bitcoin download with GPG4Win (Read 4574 times)

legendary
Activity: 1764
Merit: 1002
There are many other tools available, one example is SFVNinja

Thanks. Actually HashCalc worked just fine.
legendary
Activity: 1092
Merit: 1016
There are many other tools available, one example is SFVNinja
legendary
Activity: 1764
Merit: 1002
Umm... that's how I do it, only with command line programs:

First of all, it's the SHA256SUMS.asc file that needs to be verified, not the executable itself:
Code:
gpg --import c:\wherever\gavinandresen.asc
gpg --verify c:\wherever\sha256sums.asc

When gpg is happy (gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <[email protected]>") you can take a peek inside the SHA256SUMS.asc file.
You will find, amongst other things, this line:
Code:
6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32  bitcoin-0.5.3.1-win32-setup.exe
What it tells you, is that the current Bitcoin installer package for Windows has a SHA256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32.
The digital signature guarantees this information is correct and has not been tampered with.

Now let's calculate the checksum of the actual installer:
Code:
sha256sum c:\wherever\bitcoin-0.5.3.1-win32-setup.exe
6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32

Done.

HashCalc is a great and free GUI tool you can use to calculate pretty much any checksum you need.


jake, do I need to install HashCalc to check the hash of the bitcoin-0.7.0-win32-setup.exe installer on my Win 7 machine? I noticed that the link only says it's good up to Win XP?
full member
Activity: 210
Merit: 100
Those warnings basically say
"Hey dude, Gavin says this file here is his public key but no trusted Certificate Authority is backing up the validity of this claim.
Tell Gavin to pony up some big bucks and make Verisign, Thawte, Comodo, Equifax, Hongkong Post, TurkTrust
(1), or DigiNotar(2) happy."


If a hacker were able to breach bitcoin.org's server and replace Gavin's public key and they were then able to breach the SourceForge repositories and replace the files with malicious ones, anyone validating the bad executables with the bad public key could be cheated into thinking that everything is fine.
In short, if a hacker gets full control over everything, we're screwed - film at 11.

For the record, the fingerprint of Gavin's public key is indeed 2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1



Notes
(1) You may not have known but your system trusts hundreds of entities. From its POV Hongkong Post is just as trustworthy as Verisign. Better believe someone in Hongkong did their due diligence when signing those SSL certificates.
(2) I put DigiNotar in as a joke; this CA fell victim to a hacker attack last year. As a result, they went keel up and sank.
     The SSL certificates the hackers were able to generate were inherently trusted by any machine in the world. So much for trusted CAs.
     You better believe TurkTrust and Hongkong Post really know what they are doing.
     There have been several initiatives to mitigate the flaws in the current trusted CA model.
legendary
Activity: 1304
Merit: 1015
Here's what I did:

C:\>gpg --verify SHA256SUMS.asc
gpg: Signature made 03/16/12 13:01:01 Pacific Daylight Time using RSA key ID 1FC730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) .com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1



Should I be worried about the warnings?  BTW, I did a sha256sum and it matches the one in the SHA256SUMS.asc file.  It is just the warning above that bugs me.  I also imported Gavin's PGP key and it imported ok.

I did some googling and found this: http://lists.gnupg.org/pipermail/gnupg-users/2009-March/035981.html

Says I need to do a "web-of-trust by doing some keysigning" of some sort.

Edit: Did some more googling.  Says, "The best method is to meet the developer in person and exchange key fingerprints."  Gavin, you want to meet up?  Ideas anybody?
full member
Activity: 210
Merit: 100
You already installed both of them by installing GPG4Win.
The default installation directory for Gpg4Win is C:\Program Files (x86)\GNU\GnuPG  (on 64-bit systems) or C:\Program Files\GNU\GnuPG  (32-bit systems)

If you cd to the installation directory both gpg.exe and sha256sum.exe will be in scope:
Code:
cd \Program Files (x86)\GNU\GnuPG
The last line is no mistake: you can use the backslash to denote the root directory of the currently chosen partition, making the obnoxious c: drive letter redundant.

I recommend that you add c:\Program Files (x86)\GNU\GnuPG to your path so that sha256sum is always in scope.
legendary
Activity: 1304
Merit: 1015
Where do you get these command line programs for windows?

Umm... that's how I do it, only with command line programs:

First of all, it's the SHA256SUMS.asc file that needs to be verified, not the executable itself:
Code:
gpg --import c:\wherever\gavinandresen.asc
gpg --verify c:\wherever\sha256sums.asc

When gpg is happy (gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <[email protected]>") you can take a peek inside the SHA256SUMS.asc file.
You will find, amongst other things, this line:
Code:
6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32  bitcoin-0.5.3.1-win32-setup.exe
What it tells you, is that the current Bitcoin installer package for Windows has a SHA256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32.
The digital signature guarantees this information is correct and has not been tampered with.

Now let's calculate the checksum of the actual installer:
Code:
sha256sum c:\wherever\bitcoin-0.5.3.1-win32-setup.exe
6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32

Done.

HashCalc is a great and free GUI tool you can use to calculate pretty much any checksum you need.

full member
Activity: 210
Merit: 100
Umm... that's how I do it, only with command line programs:

First of all, it's the SHA256SUMS.asc file that needs to be verified, not the executable itself:
Code:
gpg --import c:\wherever\gavinandresen.asc
gpg --verify c:\wherever\sha256sums.asc

When gpg is happy (gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <[email protected]>") you can take a peek inside the SHA256SUMS.asc file.
You will find, amongst other things, this line:
Code:
6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32  bitcoin-0.5.3.1-win32-setup.exe
What it tells you, is that the current Bitcoin installer package for Windows has a SHA256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32.
The digital signature guarantees this information is correct and has not been tampered with.

Now let's calculate the checksum of the actual installer:
Code:
sha256sum c:\wherever\bitcoin-0.5.3.1-win32-setup.exe
6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32

Done.

HashCalc is a great and free GUI tool you can use to calculate pretty much any checksum you need.
legendary
Activity: 1304
Merit: 1015
I installed Jeff Garzik's GPG key into Kleopatra. (Fingerprint looks ok: '60B0 0235 B335 5D84 BF2A 4E35 DA1D C20F 2DBF 0CA8')...
What am I doing wrong?
At the very least you need to import Gavin's public key as well - the keys you might be interested in are neatly listed on bitcoin.org

So I installed all of the GPG .asc certificates on the bitcoin.org homepage (Gavin's and others) into Kleopatra.  I repeated the steps:

Select "Decrypt and Verify".
Select the bitcoin file "bitcoin-0.5.3.1-win32-setup.exe".

I get the same message: "No signatures found."

I will try downloading and installing OpenSSL and see where it gets me.  Thanks for the advice so far.
full member
Activity: 210
Merit: 100
I installed Jeff Garzik's GPG key into Kleopatra. (Fingerprint looks ok: '60B0 0235 B335 5D84 BF2A 4E35 DA1D C20F 2DBF 0CA8')...
What am I doing wrong?
At the very least you need to import Gavin's public key as well - the keys you might be interested in are neatly listed on bitcoin.org
pc
sr. member
Activity: 253
Merit: 250
This whole thing is definitely unintuitive. I'm not familiar with those GPG clients, but I may be able to help point you in the right direction. The SHA256SUMS.asc file isn't a detached signature, it's a plaintext file with a signature included, much like might be on an email. Does your software offer a plain "verify" feature?

Once you've verified that SHA256SUMS.asc is genuinely signed, then you can look in it to see that bitcoin-0.5.3.1-win32-setup.exe has a SHA-256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32. So now, you just need to make sure that your file in fact has that checksum.

I'm on a Mac, and the command I'd use for it here is "openssl dgst -sha256 bitcoin-0.5.3.1-win32-setup.exe". Openssl is cross-platform, but probably isn't installed on Windows by default. I don't know if there's something else likely already installed, or if your GPG software also has a way to find the SHA-256 of a file somewhere in there.

Hope this helps.
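Putting the three points made in this thread together in one script: jake's procedure (verify SHA256SUMS.asc with gpg, then compare the installer's SHA-256 against the signed list), pc's note that SHA256SUMS.asc is a clearsigned text file rather than a detached signature, and the answer to the "not certified with a trusted signature" warning, which is to pin the signer's fingerprint obtained out of band instead of building a web of trust. This is an added example, not code from the thread or from the Bitcoin project. It assumes gpg is on PATH (only for run_gpg_verify), it uses the fingerprint quoted in the thread as the pinned value, and its sample gpg status lines, sample SHA256SUMS.asc, and the stand-in 'example-installer.exe' (whose bytes are b"abc") are constructed for the example.

```python
import hashlib
import re
import subprocess

# Fingerprint quoted in the thread for Gavin's code-signing key. In practice pin
# the value you obtained through a second, independent channel.
PINNED_FINGERPRINT = "2664 6D99 CBAE C9B8 1982  EF60 29D9 EE6B 1FC7 30C1"

# Status tokens that mean "do not trust this signature" even when gpg also
# prints VALIDSIG (an expired or revoked key still produces VALIDSIG).
REJECT_TOKENS = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY")


def normalize_fpr(fpr):
    """Strip spaces and upper-case so displayed and machine forms compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def run_gpg_verify(path):
    """Run gpg with machine-readable status lines on stdout (needs gpg on PATH)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def signature_matches_pin(status_output, pinned=PINNED_FINGERPRINT):
    """True only if gpg reported VALIDSIG by the pinned key and no rejecting token.
    VALIDSIG's first field is the signing key's fingerprint; newer GnuPG appends the
    primary key's fingerprint as the last field, so either may match the pin. The
    web-of-trust warning is irrelevant here: the pin is the trust decision."""
    want = normalize_fpr(pinned)
    valid = False
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT_TOKENS:
            return False
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            if want in (normalize_fpr(fields[2]), normalize_fpr(fields[-1])):
                valid = True
    return valid


def signed_body(clearsigned):
    """Return the text a clearsign signature covers. SHA256SUMS.asc is not a detached
    signature: the checksum lines sit between the armor header and the signature."""
    lines = clearsigned.splitlines()
    if "-----BEGIN PGP SIGNED MESSAGE-----" not in lines:
        return ""
    i = lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1
    while i < len(lines) and lines[i].strip():   # skip "Hash: SHA256" style headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body)


def parse_sha256sums(text):
    """Map file name -> lowercase hex digest from 'digest  name' lines."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9A-Fa-f]{64})\s+\*?(\S.*)$", line)
        if m:
            sums[m.group(2).strip()] = m.group(1).lower()
    return sums


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_release(status_output, clearsigned, filename, data, pinned=PINNED_FINGERPRINT):
    """Signature by the pinned key first, then the file's digest against the signed list."""
    if not signature_matches_pin(status_output, pinned):
        return False, "signature missing, invalid, or not made by the pinned key"
    expected = parse_sha256sums(signed_body(clearsigned)).get(filename)
    if expected is None:
        return False, f"{filename} is not listed in the signed checksum file"
    actual = sha256_hex(data)
    if actual != expected:
        return False, f"digest mismatch: signed {expected}, computed {actual}"
    return True, "ok"


# Constructed sample inputs, modelled on gpg's status format and the thread's
# SHA256SUMS.asc line; not real gpg output. 'example-installer.exe' stands in
# for a downloaded installer whose bytes are b"abc".
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 29D9EE6B1FC730C1 Gavin Andresen (CODE SIGNING KEY)
[GNUPG:] VALIDSIG 26646D99CBAEC9B81982EF6029D9EE6B1FC730C1 2012-03-16 1331928061 0 4 0 1 2 00 26646D99CBAEC9B81982EF6029D9EE6B1FC730C1
[GNUPG:] TRUST_UNDEFINED
"""
SAMPLE_SUMS_ASC = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32  bitcoin-0.5.3.1-win32-setup.exe
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-installer.exe
-----BEGIN PGP SIGNATURE-----
(signature block omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    print(verify_release(SAMPLE_STATUS, SAMPLE_SUMS_ASC, "example-installer.exe", b"abc"))
```

Against a real download, replace SAMPLE_STATUS with run_gpg_verify("SHA256SUMS.asc"), read SHA256SUMS.asc into clearsigned, and hash the installer file in chunks instead of passing its bytes. The order matters: the signature is checked before any checksum line is trusted, and a mismatch in either step is a stop, not a warning to click through.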
legendary
Activity: 1304
Merit: 1015
I read this here to get started:  http://bitcoin.stackexchange.com/questions/565/how-can-one-download-the-bitcoin-client-securely

Quote
Jeff Garzik signs every release with his GPG key (also here). You can find release announcements (such as this one) on the SourceForge.net Bitcoin development list.

To verify the signature on a release, obtain the key from the link above. Obtain the release announcement from the link above. Obtain the download from any source. Then point GPG at the release announcement (or the signature block from it, including the BEGIN and END lines). GPG will ask what file you want to verify, pick any of the ones listed in the signature certificate. It will then tell you if the release is identical to the release Jeff Garzik signed.

I downloaded GPG4Win and Kleopatra.  I installed Jeff Garzik's GPG key into Kleopatra. (Fingerprint looks ok: '60B0 0235 B335 5D84 BF2A 4E35 DA1D C20F 2DBF 0CA8')

I download this file "SHA256SUMS.asc" located here: http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.5.3/

I right click "SHA256SUMS.asc", then select "Decrypt and Verify".  I select the bitcoin file "bitcoin-0.5.3.1-win32-setup.exe".

I get this message: "No signatures found."

What am I doing wrong?