Author [EN] [ZH] [ES] [PT] [IT] [DE] [FR] [NL] [TR] [SR] [AR] [RU] [EN] [ZH] [ES] [PT] [IT] [DE] [FR] [NL] [TR] [SR] [AR] [RU] [EN] [ZH] [ES] [PT] [IT] [DE] [FR] [NL] [TR] [SR] [AR] [RU] Topic: No hash verification of Bitsharesx binaries?  (Read 281 times)

0 Members and 1 Guest are viewing this topic.

Offline alphaBar

  • Sr. Member
  • ****
  • Posts: 322
    • View Profile
No hash verification of Bitsharesx binaries?
« on: September 21, 2014, 09:41:43 PM »

Maybe I missed it, but is there any reason why this isn't published in github release notes (or elsewhere)?

Offline DACSunlimited

  • Full Member
  • ***
  • Posts: 136
    • View Profile
Re: No hash verification of Bitsharesx binaries?
« Reply #1 on: September 22, 2014, 04:49:21 PM »
Added the md5 hash for windows binaries. OSX DMG should be signed by bitsha256, so no need to provide hash verification.

https://github.com/dacsunlimited/bitsharesx/releases/tag/v0.4.16

Offline xeroc

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 12280
  • ChainSquad GmbH
    • View Profile
    • ChainSquad GmbH
  • BTS: xeroc
  • GitHub: xeroc
Give BitShares a try! Use the http://testnet.bitshares.eu provided by http://bitshares.eu powered by ChainSquad GmbH

Offline theoretical

Re: No hash verification of Bitsharesx binaries?
« Reply #3 on: September 22, 2014, 07:05:17 PM »
Amateur cryptographers...sigh...

First of all, MD5 is insecure.  Don't use it.  Just don't.  For new applications, I recommend sha256 or SHA-3.

Second, the hash does no good unless you also digitally sign the hash.

Third, a signature does no good unless people can verify the key used to produce the signature belongs to a known trusted signer.

I believe the client has a command to sign a hash with the private key associated with a TITAN account.  I recommend using this to sign the sha256 and sha3 of each released executable.  And also the commit hash of each git tag.

I believe there is a way to actually include the signature with the tag so it can be automatically verified by git, but I think it uses GPG PKI.  Getting our own TITAN PKI to integrate with Git in a similar way would be a good bounty idea if there are any Git experts lurking in this forum.
BTS- theoretical / PTS- PZxpdC8RqWsdU3pVJeobZY7JFKVPfNpy5z / BTC- 1NfGejohzoVGffAD1CnCRgo9vApjCU2viY / the delegate formerly known as drltc / Nothing said on these forums is intended to be legally binding / All opinions are my own unless otherwise noted / Take action due to my posts at your own risk

Offline xeroc

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 12280
  • ChainSquad GmbH
    • View Profile
    • ChainSquad GmbH
  • BTS: xeroc
  • GitHub: xeroc
Re: No hash verification of Bitsharesx binaries?
« Reply #4 on: September 22, 2014, 07:10:27 PM »
Amateur cryptographers...sigh...

First of all, MD5 is insecure.  Don't use it.  Just don't.  For new applications, I recommend sha256 or SHA-3.

Second, the hash does no good unless you also digitally sign the hash.

Third, a signature does no good unless people can verify the key used to produce the signature belongs to a known trusted signer.

I believe the client has a command to sign a hash with the private key associated with a TITAN account.  I recommend using this to sign the sha256 and sha3 of each released executable.  And also the commit hash of each git tag.

I believe there is a way to actually include the signature with the tag so it can be automatically verified by git, but I think it uses GPG PKI.  Getting our own TITAN PKI to integrate with Git in a similar way would be a good bounty idea if there are any Git experts lurking in this forum.

Mayby you guys should have a BitShares PGP Pubkey signing party over in Vegas .. so you can at least verify name<->key relations!! pls
Give BitShares a try! Use the http://testnet.bitshares.eu provided by http://bitshares.eu powered by ChainSquad GmbH

 

Google+