Topic: How Do I Verify the Integrity of Open-Source Code (Read 249 times)

legendary
Activity: 1848
Merit: 1982
September 19, 2023, 12:11:32 PM
#24
I don't think it's really that important, I'd argue that if you're going to buy a wallet with a codebase that could easily be edited it's much better to just buy a wallet from a provider or use your hard disk instead. Cause you're putting yourself at a bigger risk of losing your money to bad actors and hackers. Plus when it comes to "open-source" you can't really do much to verify it besides take the developer's word for it. There's no way for the consumer to confirm whether a program is open-source until they actually work upon said program.

Don't worry about the trivial details anymore, just make sure you buy a self-custodial wallet and for the most part of your crypto journey, that's going to be enough.
These are not trivial details; on the contrary, they are extremely important. This relates directly to the security of your assets, and any small mistake can cost you the loss of all your crypto assets.

Buying a self-custodial wallet is not enough. If you mean hard wallets, they also have programs, some of which are closed source and some of which are open source. As for closed source wallets like Ledger, they cannot be trusted, especially after it became clear that the company has access to the seed.

As for wallets that use open source software such as Trezor, we return to the same problem, which is how to make sure that we are downloading the correct software and not the wrong one, because if you download the wrong software, you will lose all your assets.
legendary
Activity: 1568
Merit: 6660
I consider myself a skeptic to a degree and I know that there is always the possibility that these companies could post the open source code online but run a different code on your device.
When software is said to be open-source, it means you can verify this yourself. All you need to do is download the repository, and follow the instructions, which more or less go as follows:

Step 0: Have a compiler (e.g., gcc).
Step 1: Install some libraries (the instructions will give you the precise command to enter in terminal).
Step 2: Compile. Probably with some Makefile, which is essentially an automated way to build the program.
Step 3: Verify the binaries' checksum (as you would in any case). 

This way you can verify that the binaries the company has in their main page are indeed not altered.

That only works if the project is written in C or C++. Most projects have an installation section with step-by-step instructions on how to build stuff written in other languages.

Also you forgot an important step: use Git to check out the tag containing the version number. If you don't do this the checksums are going to be different at the end because more code was changed meanwhile.
sr. member
Activity: 364
Merit: 298
No it's not. The general advice is that closed source wallets are bad, but this doesn't make all open source good. If you can't review the wallet code yourself, if no one that you trust has reviewed it, then it's not too different from a closed source. Like, there's less chance that someone would put backdoors into an open source wallet, because it's possible to spot it, but this doesn't mean that no one will try such a thing.

They definitely try those things: https://security.stackexchange.com/questions/23334/example-of-a-backdoor-submitted-to-an-open-source-project

It just happens to be big projects. Fortunately, it's expert developers that work on these projects and spot them. This Linux backdoor attempt back in 2003 was difficult to spot: https://freedom-to-tinker.com/2003/11/12/linux-backdoor-attempt-thwarted/. The attacker's added code was this:
Code:
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;

If you're a C programmer you can spot it easier than a regular programmer.

Answer:
current->uid = 0 assigns value 0 to current->uid and then returns 0 to the condition, which means the condition is always false and current->uid value is always set to 0.  You would expect current->uid == 0 instead.

Today, that would be even easier to spot with things like Visual Studio Code.
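The pattern discussed above (an assignment hiding inside an if-condition) can be flagged mechanically before a human ever reads the diff. The shell function below is an added example, not code from the thread or the kernel; it greps C source for a bare "=" inside an "if (...)" and is run on a constructed sample containing the 2003 line next to the intended comparison.

```sh
#!/bin/sh
# Added example: grep-based heuristic for "assignment used as condition".
# The regex looks for an if-condition containing a "=" that is not part of
# ==, !=, <= or >=. It is a review aid, not a parser: string literals such
# as "a=b" inside a condition will produce false positives.
# Note that the extra parentheses around "(current->uid = 0)" also silence
# gcc's -Wparentheses warning, so a reviewer cannot rely on the compiler here.

# flag_assignment_in_condition FILE
# Prints each suspicious line (with its line number) and returns the number
# of lines flagged as the exit status; 0 means nothing was flagged.
flag_assignment_in_condition() {
    hits=$(grep -nE 'if[[:space:]]*\(.*[^=!<>]=[^=]' "$1" || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return "$(printf '%s\n' "$hits" | wc -l | tr -d ' ')"
}

# Constructed sample: line 1 is the backdoor as quoted in the thread,
# line 3 is what the code should have said.
sample=$(mktemp)
cat > "$sample" <<'EOF'
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
EOF

flag_assignment_in_condition "$sample" || echo "flagged $? suspicious line(s)"
rm -f "$sample"
```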
hero member
Activity: 1750
Merit: 589
I don't think it's really that important, I'd argue that if you're going to buy a wallet with a codebase that could easily be edited it's much better to just buy a wallet from a provider or use your hard disk instead. Cause you're putting yourself at a bigger risk of losing your money to bad actors and hackers. Plus when it comes to "open-source" you can't really do much to verify it besides take the developer's word for it. There's no way for the consumer to confirm whether a program is open-source until they actually work upon said program.

Don't worry about the trivial details anymore, just make sure you buy a self-custodial wallet and for the most part of your crypto journey, that's going to be enough.
legendary
Activity: 3038
Merit: 2162
The general advice is that a Bitcoin tool such as a wallet is okay to use if it is open-source.

No it's not. The general advice is that closed source wallets are bad, but this doesn't make all open source good. If you can't review the wallet code yourself, if no one that you trust has reviewed it, then it's not too different from a closed source. Like, there's less chance that someone would put backdoors into an open source wallet, because it's possible to spot it, but this doesn't mean that no one will try such a thing.
legendary
Activity: 4424
Merit: 4794
When code is available on things like GitHub, people (who don't have to be developers) can compile their own .exe file from that source code (easy tutorials are available).

They can also then look at the file hash of the compiled file to see if it matches the file hashes of other already compiled .exe files attributed to the same version. And if it matches they can submit a comment that they too have matched the source code to the .exe and the hashes match, thus one level of independently verifying that the code matches the file, and give an independent opinion to other users that the promoted exe is legit too.

I say this because:
Sometimes there are 'open source' projects that are written by small groups, compiled by the same group and promoted by the same group, with no independent outside review/check; thus people end up blindly trusting a small centralized group.

The whole point is not just that the source code is open to view, but also that it should be independently reviewed at code level and independently validated at compile level.

Another level of integrity of open source is not just that it's openly readable, but also that making improvements to it should not be closed off.
legendary
Activity: 2254
Merit: 2406
So how can someone like me, who are the majority, check the source code and make sure that it is the right source code and not a fake? In general, I support OP’s questions.
I think it's down to having the option. If the code source is closed then no one can check what's going on regardless of the skills you possess. If it's open source the devs are aware that what they do is publicly available and there will at least be a couple of their users that verify that.

The question does not negate the need to use open source but just shows that not everyone can effectively utilize the feature.
sr. member
Activity: 364
Merit: 298
The second one is a signature tool that verifies the integrity of open-source code. A signature tool can generate a digital signature for a piece of software. This digital signature can then be used to verify that the software has not been tampered with.

Digital signatures are used to verify that the binaries were not tampered with during file transfer, but not that the source code shown corresponds to the binaries. To verify that, you download the source code and build it yourself. And then check for the digital signature.
legendary
Activity: 966
Merit: 1042
The general advice is that a Bitcoin tool such as a wallet is okay to use if it is open-source. Aside from this there are crypto companies that post their open source code online. I consider myself a skeptic to a degree and I know that there is always the possibility that these companies could post the open source code online but run a different code on your device. There's also another possibility that it could be tampered with during transit. Is there any way that I can verify the integrity of open-source code and ensure that the code running on your device matches the published code?

OP is to be mentioned first I think: this topic fits in Technical Discussion more effectively. Besides that, IMO, as your concerns are legit, by participating in the community discussion where people are likely using it, you can get engaged to authenticate the integrity, as if anything wrong happens someone will post about it and you can get a pre-alert as well.

Secondly, I think "tampered with during transit" can be authenticated with digital signatures and most of the time it works well. Compiling the code by yourself and other ways may not be helpful for a day-to-day user who is not familiar with such things, so, as I mentioned above, by reading the feedback and reviews he can judge. Anyway, that was a nice topic for today's list haha, I can read others and obtain some good insights as well.
sr. member
Activity: 728
Merit: 300
The general advice is that a Bitcoin tool such as a wallet is okay to use if it is open-source. Aside from this there are crypto companies that post their open source code online. I consider myself a skeptic to a degree and I know that there is always the possibility that these companies could post the open source code online but run a different code on your device. There's also another possibility that it could be tampered with during transit. Is there any way that I can verify the integrity of open-source code and ensure that the code running on your device matches the published code?

It is possible to verify that the open source code running on your device is the same as the published code. There are two ways through which it can be verified. The first is to compile the code yourself. This involves the compiler converting the source code into machine code that can be executed by your computer; if you are able to compile the code successfully then you are confident that the code is authentic. The second one is a signature tool that verifies the integrity of open-source code. A signature tool can generate a digital signature for a piece of software. This digital signature can then be used to verify that the software has not been tampered with.
legendary
Activity: 1512
Merit: 7340
I consider myself a skeptic to a degree and I know that there is always the possibility that these companies could post the open source code online but run a different code on your device.
When software is said to be open-source, it means you can verify this yourself. All you need to do is download the repository, and follow the instructions, which more or less go as follows:

Step 0: Have a compiler (e.g., gcc).
Step 1: Install some libraries (the instructions will give you the precise command to enter in terminal).
Step 2: Compile. Probably with some Makefile, which is essentially an automated way to build the program.
Step 3: Verify the binaries' checksum (as you would in any case). 

This way you can verify that the binaries the company has in their main page are indeed not altered.
donator
Activity: 4760
Merit: 4323
As others have already said you can use a checksum to verify the authenticity of a file. The best way is always to obtain the source code from the official trusted source and build it yourself though. It’s not even a very difficult task, you just need to get in the habit of doing it. I myself usually don’t go through the extra steps out of laziness, but it doesn’t take a lot of time or effort so it’s a good habit to get into.
legendary
Activity: 1932
Merit: 1273
Also, it always seemed strange to me that if the source code is open, then someone necessarily checks this code. What if everyone hopes that the other will do it and in the end no one checks? Smiley Do people have nothing better to do than check the source code of every application? In this case, I am ready to trust completely only myself, but I don't have the skills to independently check the source code of applications. So how can someone like me, who are the majority, check the source code and make sure that it is the right source code and not a fake? In general, I support OP’s questions.

The motivation of others to check an open source project is that they simply use or build something from the particular project; in consequence, they are encouraged to eventually check the code. Furthermore, the question about what if there isn't anyone even checking the code is a valid one; hence, open source does not mean it would be automatically secure and trusted. It is still necessary to use a project that has gained trust within the open source community, so there are many eyes that scrutinise the project in case something goes wrong. It also helps those who cannot manually check and comprehend the code by themselves.
legendary
Activity: 1792
Merit: 1296
The general advice is that a Bitcoin tool such as a wallet is okay to use if it is open-source. Aside from this there are crypto companies that post their open source code online. I consider myself a skeptic to a degree and I know that there is always the possibility that these companies could post the open source code online but run a different code on your device. There's also another possibility that it could be tampered with during transit. Is there any way that I can verify the integrity of open-source code and ensure that the code running on your device matches the published code?


I, too, have always had similar skepticism about open source applications, which for some reason everyone perceives as a panacea for possible backdoors from a wallet provider. I also have doubts that a crypto company may provide completely different source code for testing on specialized resources, such as GitHub. Also, it always seemed strange to me that if the source code is open, then someone necessarily checks this code. What if everyone hopes that the other will do it and in the end no one checks? Smiley Do people have nothing better to do than check the source code of every application? In this case, I am ready to trust completely only myself, but I don't have the skills to independently check the source code of applications. So how can someone like me, who are the majority, check the source code and make sure that it is the right source code and not a fake? In general, I support OP’s questions.
legendary
Activity: 1064
Merit: 1298
I think you can solve this skepticism by comparing the GPG code (signature code which is used to verify that the code is not tampered with) or hashes. I hope you can do that. Otherwise you simply have to find the resource code of the product you are using and then can compare that code with the code which the publishers have published. You should take some products as an example.
You are getting it wrongly. GPG or PGP or anything that we call a way to verify that we downloaded the right app and not the fake one is not a way to know whether a software is open source or closed source. Assuming I downloaded Electrum and verified its signature, I will know that the Electrum site has not been compromised and that the wallet I downloaded from the Electrum site is from the Electrum developer. If the Electrum site is compromised and the hacker that compromised it changed the original Electrum app to fake apps, I will be able to know that it is fake if the PGP signature fails.
legendary
Activity: 3472
Merit: 10611
Is there any way that I can verify the integrity of open-source code and ensure that the code running on your device matches the published code?

Most open source projects have public GPG keys, checksums, and signatures; you can verify their integrity by verifying these. For example, Electrum: if you download it from GitHub or their website, it also provides a GPG signature you can verify by using the GPG tool.
Technically the thing you are verifying using GPG signatures is the authenticity of the binary, or in simple terms you make sure that the binary is released by the person who owns that key. It does NOT tell you whether the binary has anything to do with the open source code you saw on GitHub.

In order to know whether the binary is actually built from the source code you saw, the project has to support what's called "deterministic builds"[1]. This means no matter who compiles the code and where, they should all get the same exact binaries. That way different people could verify that the binary is indeed built from the source code we see by simply comparing the checksums.
Electrum supports deterministic builds by the way.

[1] https://en.wikipedia.org/wiki/Reproducible_builds
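The build-and-verify steps given earlier in the thread (compiler, libraries, make, checksum, plus checking out the release tag) and the deterministic-build point made here come together in one check: does the digest of what you downloaded equal the published digest, and does the digest of what you built from the tagged source equal it too? The script below is an added example, not code from the thread or from any wallet project; it assumes a coreutils-style SHA256SUMS file ("<hex digest>  <file name>") and that you have already run gpg --verify on that file's signature.

```sh
#!/bin/sh
# Added example: check a downloaded release and your own reproducible build
# against the project's published SHA256SUMS. The GPG signature on SHA256SUMS
# proves who published the list; the reproduction check below is what ties
# the binary back to the source you can read.

# Print the SHA-256 hex digest of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# published_digest SUMS_FILE RELEASE_NAME
# Prints the digest listed for RELEASE_NAME, or nothing if it is not listed.
# A leading "*" (coreutils binary-mode marker) on the name is tolerated.
published_digest() {
    awk -v name="$2" '{ sub(/^\*/, "", $2) } $2 == name { print $1; exit }' "$1"
}

# verify_release SUMS_FILE RELEASE_NAME DOWNLOADED_FILE LOCAL_BUILD_FILE
# Exit status: 0 = download is listed and your own build reproduces it
#              1 = download does not match the published digest (corrupt or tampered)
#              2 = download is genuine, but your build differs (not reproducible,
#                  or built from a different tag or toolchain)
#              3 = RELEASE_NAME is not present in SUMS_FILE
verify_release() {
    sums="$1"; name="$2"; downloaded="$3"; built="$4"
    expected=$(published_digest "$sums" "$name")
    [ -n "$expected" ] || { echo "$name: not listed in $sums"; return 3; }

    got=$(sha256_of "$downloaded")
    if [ "$got" != "$expected" ]; then
        echo "$name: downloaded digest $got does not match published $expected"
        return 1
    fi

    mine=$(sha256_of "$built")
    if [ "$mine" != "$expected" ]; then
        echo "$name: download is genuine, but local build digest $mine differs"
        return 2
    fi
    echo "$name: download verified and reproduced from source"
    return 0
}
```

A status of 2 is the interesting case: the publisher's signature is fine, yet the source at that tag did not produce the shipped binary, which is exactly the gap the thread's original question is about.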
hero member
Activity: 1428
Merit: 513
The general advice is that a Bitcoin tool such as a wallet is okay to use if it is open-source. Aside from this there are crypto companies that post their open source code online. I consider myself a skeptic to a degree and I know that there is always the possibility that these companies could post the open source code online but run a different code on your device. There's also another possibility that it could be tampered with during transit. Is there any way that I can verify the integrity of open-source code and ensure that the code running on your device matches the published code?
I think you can solve this skepticism by comparing the GPG code (signature code which is used to verify that the code is not tampered with) or hashes. I hope you can do that. Otherwise you simply have to find the resource code of the product you are using and then can compare that code with the code which the publishers have published. You should take some products as an example.
legendary
Activity: 994
Merit: 1089
The general advice is that a Bitcoin tool such as a wallet is okay to use if it is open-source.
Open source code or software is recommended, but it doesn't mean it is safe by default; it means that the code can be reviewed, so bugs and attacks can be found more easily and quickly. If it is source code that has been reviewed by a lot of developers in the community, you can tick it as safe.
companies could post the open source code online but run a different code on your device.
If you have downloaded the original software and not a malicious one, and you've also verified your download; then you can be sure you are running the original software. If it is a well reviewed software, then if anything is slipped into its code in any of its new update, it will be easily identified and users will be warned not to make the update locally on their device.
there any way that I can verify the integrity of open-source code and ensure that the code running on your device matches the published code?
The only way is by verifying it, if you don't have the skill to do it, then use software that is well reviewed and recommended by the community.
legendary
Activity: 3472
Merit: 3217
Is there any way that I can verify the integrity of open-source code and ensure that the code running on your device matches the published code?


Most open source projects have public GPG keys, checksums, and signatures; you can verify their integrity by verifying these. For example, Electrum: if you download it from GitHub or their website, it also provides a GPG signature you can verify by using the GPG tool.

Other open-source projects also provide checksum files; you will need a checksum tool to verify their authenticity. There are some guides out there on how to verify a checksum, or check the link below.

- https://codesigningstore.com/how-to-check-file-checksum

Another thing is you can directly build it from the source if you don't trust the file that you downloaded or installed.
hero member
Activity: 1442
Merit: 775
I consider myself a skeptic to a degree and I know that there is always the possibility that these companies could post the open source code online but run a different code on your device. There's also another possibility that it could be tampered with during transit. Is there any way that I can verify the integrity of open-source code and ensure that the code running on your device matches the published code?
You have to be a professional coder to be able to verify source code of Bitcoin wallet software.

If you are like me, you have to rely on reviews from the community, including professional coders and Bitcoin developers, on wallet software. You can use websites like https://walletscrutiny.com/ that is from a professional Bitcoin developer.

Or some review websites like https://www.cryptowisser.com/wallets/