Pages:
Author

Topic: Old Windows 32bit Versions (Read 2023 times)

hero member
Activity: 933
Merit: 500
June 20, 2016, 04:56:38 AM
#24
Hi guys, could I also get the Win 32Bit installer?
legendary
Activity: 3766
Merit: 1364
Armory Developer
June 04, 2016, 05:44:41 PM
#23
Everyone has made excellent points here and I was myself wary of handing out that old installer that I kept (I archive the installers for every new release for the crypto wallets I keep), but I just wanted to help the OP as I was in his situation myself awhile back. https://bitcointalksearch.org/topic/m.10674668

Glad everything worked out & thanks SoraMan for verifying the installer hash and keeping my reputation intact!  Smiley

It's ok to distribute binaries as long as you attach the signed hashes file.
newbie
Activity: 7
Merit: 0
June 04, 2016, 04:47:19 PM
#22
Everyone has made excellent points here and I was myself wary of handing out that old installer that I kept (I archive the installers for every new release for the crypto wallets I keep), but I just wanted to help the OP as I was in his situation myself awhile back. https://bitcointalksearch.org/topic/m.10674668

Glad everything worked out & thanks SoraMan for verifying the installer hash and keeping my reputation intact!  Smiley
newbie
Activity: 14
Merit: 0
June 02, 2016, 05:21:41 AM
#21
So thanks to ghdp and GnuPG or really gpg4win, I was able to check the signatures. Smiley

So now for versions 0.92.3 and 0.94.1, I've checked the checksums, the signatures and the publickey fingerprint on multiple downloaded copies from Mackay, from the old and new(goatpig) githubs, these forums (for the publickey fingerprint), and the Amory website and it's archived copies at multiple timed snapshots on the site internet archive (https://archive.org/web/).

They all checked out so I think I'm good short of reading the code myself. Cheesy

Thanks again everyone for helping me on this newbie stuff. The community here is great! Cheesy
newbie
Activity: 14
Merit: 0
June 01, 2016, 10:53:08 AM
#20
Learning how to use GnuPG is not very difficult and will not be a waste of your time.

So that's the name of the program link I saw briefly before I could really sit down and fully read it. I'll look into GnuPG. Thank you for all your help ghdp and thanks everyone for that matter. Smiley
legendary
Activity: 3766
Merit: 1364
Armory Developer
June 01, 2016, 09:18:24 AM
#19
What happened to ghdp's posts? Huh I didn't get to read his last one before it disappeared. Sad I had hoped it had tips on how to check the signatures.

Looks like he chose to remove it.
newbie
Activity: 14
Merit: 0
June 01, 2016, 02:08:53 AM
#18
What happened to ghdp's posts? Huh I didn't get to read his last one before it disappeared. Sad I had hoped it had tips on how to check the signatures.
newbie
Activity: 14
Merit: 0
May 31, 2016, 10:58:36 PM
#17

You can get the hashfile of the 0.92.3 release on web.archive.org here : https://web.archive.org/web/20151018194144/https://s3.amazonaws.com/bitcoinarmory-releases/armory_0.92.3_sha256sum.txt.asc

(Don't just follow this link, browse various revisions of the site)

Import the "right" key, download the .txt.asc, check the signature, check the checksum of the file you were sent, then you can be reasonably certain that it was once hosted on bitcoinarmory.com.


Wow this is a great site! Cheesy I need to remember it for things like this.

So I browsed around the site and got multiple hashfiles of the 0.92.3 release from different timed snapshots of the Amory website. It even had the old 0.92.3 installer so I got a few of them as well. I hashed them all, including the one Mackay sent me, and compared them to all the hashfiles. Good news they all matched! Cheesy Now I still need to check the signature (don't know how to do that on windows yet) but this is a good sign. Cheesy
newbie
Activity: 14
Merit: 0
May 31, 2016, 11:35:17 AM
#16

Quote
I feel you on that and that's why I wouldn't use it on an online pc but from my understanding let me ask something. If it only ever is on an offline pc, only in offline mode and used to only sign offline transactions, aren't the transactions made and verified by the online clean armory? Like if during the signing the outputs were changed to the attacker wouldn't the online armory see the change? Or am I missing something?

Doesn't matter what the GUI shows on both ends. If as an attacker I have access to what code runs on your signer, I could wipe your entire wallet after you've broadcasted a single tx signed with this malicious code, if I wasn't trying to be sneaky.

If I wanted to be stealthier, I'd still manage to reveal all private keys on your wallet after the one you signed with, with a single tx broadcasted to the network. An attacker with enough motivation would figure out which parts of the code base to alter to corrupt the signer in this way.

tldr: do not use binaries without signed hash, ideally build the code yourself, and best would be to review the code before using it (now that's going far I know)

I understood the possibility of a payload with the saved tx file, that's why I mentioned I wanted to use the copyable text in a QRcode or something, but I didn't think the copyable text based tx info could carry enough data for any malicious code Undecided. Interesting. By the way when I said it's working great I meant installing it and just messing with it. I haven't used it at all yet so I'm still good. Smiley 


There wouldn't be a guide for that would there? Or is that not easier than just compiling it myself? By the the number of things to install and setup in your link it would seem to me like verifying would be easier. Undecided

hash the file (sha256sum), check it matches the hash in the signed hashes file for 0.92.3. Then check that signed hashes file is signed by Alan's offline signing key. If you're not willing to go down that route, you should build from scratch.


I hashed the file, even went back and checked the newer installs, and I have the public key but I can't find the signed file with the correct hash for version 0.92.3. Cheesy LOL I'm right back to where I started Roll Eyes.
legendary
Activity: 3766
Merit: 1364
Armory Developer
May 31, 2016, 06:32:59 AM
#15
There wouldn't be a guide for that would there? Or is that not easier than just compiling it myself? By the the number of things to install and setup in your link it would seem to me like verifying would be easier. Undecided

hash the file (sha256sum), check it matches the hash in the signed hashes file for 0.92.3. Then check that signed hashes file is signed by Alan's offline signing key. If you're not willing to go down that route, you should build from scratch.

Quote
I feel you on that and that's why I wouldn't use it on an online pc but from my understanding let me ask something. If it only ever is on an offline pc, only in offline mode and used to only sign offline transactions, aren't the transactions made and verified by the online clean armory? Like if during the signing the outputs were changed to the attacker wouldn't the online armory see the change? Or am I missing something?

Doesn't matter what the GUI shows on both ends. If as an attacker I have access to what code runs on your signer, I could wipe your entire wallet after you've broadcasted a single tx signed with this malicious code, if I wasn't trying to be sneaky.

If I wanted to be stealthier, I'd still manage to reveal all private keys on your wallet after the one you signed with, with a single tx broadcasted to the network. An attacker with enough motivation would figure out which parts of the code base to alter to corrupt the signer in this way.

tldr: do not use binaries without signed hash, ideally build the code yourself, and best would be to review the code before using it (now that's going far I know)
newbie
Activity: 14
Merit: 0
May 31, 2016, 05:54:11 AM
#14
If it only ever is on an offline pc, only in offline mode and used to only sign offline transactions, aren't the transactions made and verified by the online clean armory? Like if during the signing the outputs were changed to the attacker wouldn't the online armory see the change? Or am I missing something? Undecided

We come back to the motivation factor again: it depends what an attacker could achieve while on the offline machine. If they could copy a payload to USB flash/CD-ROM to execute on the online machine, that's a problem.

That's true. But that's the same attack vector one would need to use on the online pc to reach the offline pc in the first place. Meaning that the cd or flash drive already needs to be watched and secured.

I was trying to think of an easy way to copy the text armory generates during transaction signing without a flash drive. Maybe OCR or something. Or Maybe a Qrcode might be nice here. Undecided one you can verify on your phone and can verify it is accurate to the text onscreen. Then that attack vector is closed.

Don't get me wrong I want my bitcoin to be safe that's why I'm doing the cold storage in the first place. Wink
legendary
Activity: 3430
Merit: 3080
May 31, 2016, 05:33:16 AM
#13
If it only ever is on an offline pc, only in offline mode and used to only sign offline transactions, aren't the transactions made and verified by the online clean armory? Like if during the signing the outputs were changed to the attacker wouldn't the online armory see the change? Or am I missing something? Undecided

We come back to the motivation factor again: it depends what an attacker could achieve while on the offline machine. If they could copy a payload to USB flash/CD-ROM to execute on the online machine, that's a problem.
newbie
Activity: 14
Merit: 0
May 31, 2016, 05:15:41 AM
#12
ditto what goatpig said

Think about it this way: the part of this thread where goatpig instructed you on the libraries/build arch target are exactly what a motivated thief would need to get started on trying to develop an attack resembling what happened when Mackay offered you a copy of 0.92.3.

It's the easy part, I know, but then you're left with the motivation of the attacker. "How difficult is the hard part?" is the question a well motivated attacker would ask. And I'm afraid it would be far too easy to steal at least some BTC using minimal coding ability. Someone just a little too bright and/or too fresh could steal everything you have.

I feel you on that and that's why I wouldn't use it on an online pc but from my understanding let me ask something. If it only ever is on an offline pc, only in offline mode and used to only sign offline transactions, aren't the transactions made and verified by the online clean armory? Like if during the signing the outputs were changed to the attacker wouldn't the online armory see the change? Or am I missing something? Undecided

it's already working great and it's only for offline transactions signing

Unless you verify the installer hash vs the signature files, you are taking massive risks.

There wouldn't be a guide for that would there? Or is that not easier than just compiling it myself? By the the number of things to install and setup in your link it would seem to me like verifying would be easier. Undecided
legendary
Activity: 3430
Merit: 3080
May 31, 2016, 04:59:19 AM
#11
ditto what goatpig said

Think about it this way: the part of this thread where goatpig instructed you on the libraries/build arch target are exactly what a motivated thief would need to get started on trying to develop an attack resembling what happened when Mackay offered you a copy of 0.92.3.

It's the easy part, I know, but then you're left with the motivation of the attacker. "How difficult is the hard part?" is the question a well motivated attacker would ask. And I'm afraid it would be far too easy to steal at least some BTC using minimal coding ability. Someone just a little too bright and/or too fresh could steal everything you have.
legendary
Activity: 3766
Merit: 1364
Armory Developer
May 31, 2016, 04:23:25 AM
#10
it's already working great and it's only for offline transactions signing

Unless you verify the installer hash vs the signature files, you are taking massive risks.
newbie
Activity: 14
Merit: 0
May 31, 2016, 04:05:12 AM
#9
@Mackay,

Thank you so much. It’s working great! Yeah I would think this could be a rather common occurrence. When one uses an “Old Computer or Laptop” for cold storage there is a high probability that it’s a 32bit windows. I know that XP and 32bit are separate time consuming developments to keep supporting but I wish then this installer would be kept on the github as a workaround. Especially since 0.92.3 is more than sufficient for offline transaction signing.

Well anyways thanks again! Smiley

@Goatpig

Thank you for starting to help me compile it. I know the bitcoin/armory philosophy would be to trust no one and build it from scratch but it's already working great and it's only for offline transactions signing. So I'll probably just use his installer copy since it's so much easier. Thanks again though. Smiley


Anyone else that needs it I'd be happy to send it as I'm sure Mackay would be also.
legendary
Activity: 3766
Merit: 1364
Armory Developer
May 30, 2016, 02:58:46 PM
#8
Thank you for your help. I'm installing MSVS 2015 right now (it has to download 12gb so I'll take some time) so I'm looking through the 0.92.3 repo now. I'm sorry but by cpp project do you mean cppForSwig? And if so by that link you gave do I need to unzip swig 3.0.2 into swigwin first before compiling it? If not I'm not sure which files you mean. Those are the only .cpp files I see. (sorry like I said I've never done C++ before Embarrassed).

https://github.com/goatpig/BitcoinArmory/blob/master/cppForSwig/BitcoinArmory.sln

Open this file in MSVS, make sure the swigwin root folder is in the same folder as this file.
newbie
Activity: 7
Merit: 0
May 30, 2016, 02:00:08 PM
#7
I happen to have a copy of the old 0.92.3 windows installer. What's the best way to get it to you?  Message me with your email address & I can email it.
newbie
Activity: 14
Merit: 0
May 30, 2016, 08:26:23 AM
#6
Thank you for your help. I'm installing MSVS 2015 right now (it has to download 12gb so I'll take some time) so I'm looking through the 0.92.3 repo now. I'm sorry but by cpp project do you mean cppForSwig? And if so by that link you gave do I need to unzip swig 3.0.2 into swigwin first before compiling it? If not I'm not sure which files you mean. Those are the only .cpp files I see. (sorry like I said I've never done C++ before Embarrassed).
legendary
Activity: 3766
Merit: 1364
Armory Developer
Pages:
Jump to: