Author

Topic: Wallets and PGP verification query (Read 191 times)

full member
Activity: 210
Merit: 119
April 04, 2019, 10:47:32 AM
#3
I was an early PGP adopter back in the 1990s and used it on a daily basis for 20 or so years. But PGP has always largely been a tool (and toy) for infosec pros and other geeks. Safely using PGP requires a fair amount of knowledge in the first place, and verifying keys, assigning trust etc. is time-consuming. That’s why most apps use the CA-based code signing facilities built into commercial operating systems. Considering that Bitcoin and other crypto currencies are being marketed to the general public, I’m surprised that not all wallets do that. It’s not a perfect solution, but it’s better than nothing.
legendary
Activity: 3472
Merit: 10611
April 03, 2019, 10:47:37 PM
#2
i suggest you read up on what web of trust means. WOT is what you use in PGP and it is a "web" that you form based on only keys that YOU trust. but with code-signing you will not do that but instead rely on a certificate authority. and in that case the signature verification does not tell you whether the application you just ran comes from the developers you want, it just shows you that the application was signed with a private key that this centralized server has.

and that still wouldn't solve the problem you just mentioned. the users can still be tricked into running an unsigned code.

and if i am not mistaken to do code-signing you have to buy certificates from Microsoft for example for windows. and they have expiration dates!
full member
Activity: 168
Merit: 214
WhoTookMyCrypto.com
April 03, 2019, 10:19:48 AM
#1
Posted this in another thread but didn't get a response so creating a separate topic for it.

Context: In response to a Wasabi wallet scam, verifying PGP signatures was pointed out as a solution. However, someone (nc50lc) highlighted that users were too lazy to verify PGP signatures for their wallet downloads. They preferred a download-install-open method.

Went to do some digging and found this.

Source: https://securityboulevard.com/2018/11/10-rules-for-the-secure-use-of-cryptocurrency-hardware-wallets/
Quote
Users of cryptocurrency software should demand reproducible builds and code-signed executables to prevent tampering by an attacker post-installation. The advantage of code-signing, relative to manual verification with a tool like GPG, is that code signatures are automatically verified by the operating system on every launch of the application, whereas manual verification is typically only performed once, if at all. Even verifiable software, though, can still be subverted at runtime. Recognize that general-purpose computing devices are exposed to potentially risky data from untrusted sources on a routine basis.

Can someone explain:

(1) Why don't these wallets implement the code-signing mechanism mentioned above? If the OS can automatically verify the program at launch each time, isn't this a solution to having users verifying PGP by themselves?

(2) Is it right to say that if the wasabi wallet had the code-signing mechanism implemented, it would have been easier for users to perform the verification as they can easily view the properties of the file to see who the digital signatures belong to (like in this example: https://www.sslsupportdesk.com/how-to-verify-a-digital-code-signing-signature-in-windows/)

Thanks.
Jump to: