walletgenerator.net, I find no way to verify the download with PGP

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: HCP on August 11, 2020, 05:32:14 PM

Walletgenerator.net... hmmm is that the one where the website was "sold" and then after it was sold there were numerous claims of scams and "already used" keys being created? Huh

Or was it another one?

No, Bitcoin Paper Wallet.com was sold and turned into a scam. Wallet Generator.net shouldn't be trusted either, for reasons mentioned by TryNinja.

Quote from: PaperWallet on August 12, 2020, 01:17:22 AM

The only one then is bitadress.org?

That's the only site I trust, but even then, I only use a version I've downloaded years ago. This way I don't have to trust they don't change something.
Still a warning though: check the URL! A typo could lead you to a phishing site.

Quote from: bob123 on August 12, 2020, 08:10:15 AM

Don't use any website to generate your paper wallet.

That works too

Quote

Your only "advantage" literally is that it looks pretty when printed.

I still have an old copy of Bitcoin Paper Wallet (currently a scam site!), and it allows to import a private key. You can even combine a split key vanity address to use 2 different random generators so you don't have to rely on just one of them being honest, then import it, and print it. It creates the same pretty print, without having to trust them. Of course, all this should happen off-line (and it was a big hassle getting my new printer to work without connecting to the internet).

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: PaperWallet on August 12, 2020, 09:06:08 AM

Ok I’ll go check official websites and what wallets they offer that generate paper wallets. Thank you I did not know wallets could give you keys offline (I’m used to Cardano.... they are really not nice in REQUIRING internet on their Daedalus wallet to generate the keys!). I’ll check bitcoin and litecoin. Do you know of any that generate paper wallets? (Or generate keys, same thing)

If you are looking to generate BTC and LTC paper wallets, why not simply use electrum and electrum-ltc ?

You can download and verify the files, then move them onto an offline PC (or boot a linux distro without any network connection) and create a wallet using electrum / electrum-ltc there.
Then write down or print (make sure the printer is not network connected) the mnemonic code and as much addresses as you want/need and (if needed) the private keys.

Additionally if you want some QR codes, there is open source software for linux available to create QR codes out of any data. So you can also easily print the QR of your address/private key.

HCP

legendary

Activity: 2086

Merit: 4314

Quote from: PaperWallet on August 12, 2020, 09:16:25 AM

But honestly how then would dash give instructions for paper wallet on their official website? They support a website to create paper wallets and not some other type of software wallet.

I'm not sure what you mean exactly... they have links to a vast variety of wallets on their website: https://www.dash.org/downloads/

Desktop wallets, mobile wallets, hardware wallets, web wallets.... and paper wallets.

For the record, their paper.dash.org paperwallet generator is forked from bitaddress.org... it's functionally almost identical as far as I can tell, it's just been modified to have Dash "branding" and output Dash addresses instead of Bitcoin addresses Tongue

PaperWallet

member

Activity: 379

Merit: 21

But honestly how then would dash give instructions for paper wallet on their official website? They support a website to create paper wallets and not some other type of software wallet.

PaperWallet

member

Activity: 379

Merit: 21

Quote from: bob123 on August 12, 2020, 08:10:15 AM

Quote from: PaperWallet on August 12, 2020, 01:17:22 AM

Seriously.... Oh gosh I love you guys. Thanks for warning me. I was about to create my wallets today.

The only one then is bitadress.org?
And there is another one for dash, but this website is on the official dash website: paper.dash.org.
But I don't have any signature on website or a SHA256 to verify. If I go to the GitHub, there's an option to download the zip file. Does that mean that from GitHub we don't have to verify signatures?

No.
Don't use any website to generate your paper wallet.

Your only "advantage" literally is that it looks pretty when printed.
Security-wise it is horrible because you 1) need to verify the source code and because 2) you are using javascript.
Javascript shouldn't be used to create cryptographic keys wherever possible.

If you want to properly generate a paper wallet, use a reputable wallet.
Just open your wallet on an offline device, write down the mnemonic and as much addresses / private keys as you want.
Way more secure than using those websites (regardless of online or offline).

Ok I’ll go check official websites and what wallets they offer that generate paper wallets. Thank you I did not know wallets could give you keys offline (I’m used to Cardano.... they are really not nice in REQUIRING internet on their Daedalus wallet to generate the keys!). I’ll check bitcoin and litecoin. Do you know of any that generate paper wallets? (Or generate keys, same thing)

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: PaperWallet on August 12, 2020, 01:17:22 AM

Seriously.... Oh gosh I love you guys. Thanks for warning me. I was about to create my wallets today.

The only one then is bitadress.org?
And there is another one for dash, but this website is on the official dash website: paper.dash.org.
But I don't have any signature on website or a SHA256 to verify. If I go to the GitHub, there's an option to download the zip file. Does that mean that from GitHub we don't have to verify signatures?

No.
Don't use any website to generate your paper wallet.

Your only "advantage" literally is that it looks pretty when printed.
Security-wise it is horrible because you 1) need to verify the source code and because 2) you are using javascript.
Javascript shouldn't be used to create cryptographic keys wherever possible.

If you want to properly generate a paper wallet, use a reputable wallet.
Just open your wallet on an offline device, write down the mnemonic and as much addresses / private keys as you want.
Way more secure than using those websites (regardless of online or offline).

nc50lc

legendary

Activity: 2394

Merit: 5531

Self-proclaimed Genius

Quote from: PaperWallet on August 12, 2020, 01:17:22 AM

-snip- Does that mean that from GitHub we don't have to verify signatures?

One of the reason to verify signatures is to confirm that the compiled /downloaded file was really built from source by the author(s)/contributor(s).
If you've downloaded from source which you should've audited since it's "open-source", then there's no point in verifying.

PaperWallet

member

Activity: 379

Merit: 21

Seriously.... Oh gosh I love you guys. Thanks for warning me. I was about to create my wallets today.

The only one then is bitadress.org?
And there is another one for dash, but this website is on the official dash website: paper.dash.org.
But I don't have any signature on website or a SHA256 to verify. If I go to the GitHub, there's an option to download the zip file. Does that mean that from GitHub we don't have to verify signatures?

pooya87

legendary

Activity: 3430

Merit: 10505

Quote from: HCP on August 11, 2020, 05:32:14 PM

Walletgenerator.net... hmmm is that the one where the website was "sold" and then after it was sold there were numerous claims of scams and "already used" keys being created? Huh

Or was it another one?

that's the one.
it was always a little shady to begin with and ever since the ownership changed (or maybe it was all fake and they are trying to hide their identity while scamming) things became a lot shadier and we started seeing scam accusations pop up.

HCP

legendary

Activity: 2086

Merit: 4314

Walletgenerator.net... hmmm is that the one where the website was "sold" and then after it was sold there were numerous claims of scams and "already used" keys being created? Huh

Or was it another one?

TryNinja

legendary

Activity: 2758

Merit: 6830

Don't use them!

They had a vulnerability that made people generate previously generated and not-so-random private-keys. And even though the github code *as far as we know* does not contain those vulnerabilities, I wouldn't risk it.

Take a look:

https://www.coindesk.com/researcher-discovers-serious-vulnerability-in-paper-crypto-wallet-website
https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961

jackg

copper member

Activity: 2856

Merit: 3071

https://bit.ly/387FXHi lightning theory

Are you downloading the source code or the application? Some developers assume if it's the source code that people should be able to read and vaguely understand the code before rubbing it. This assumption might just be that they assume one person who accesses the repo will notice if something changes and be able to report it.

PaperWallet

member

Activity: 379

Merit: 21

The page takes us to the GitHub repository where we can download the zip file. Don't we need to verify signature with PGP? For bitaddress.org we have the signature, but for wallet generator.net we don't, neither did I find that for plenty of other websites, that I find trustworthy by the way since they were mentioned in popular places. But no signatures to verify their downloads.

Any idea?

Topic: walletgenerator.net, I find no way to verify the download with PGP (Read 182 times)