Author Topic: No hash verification of Bitsharesx binaries?  (Read 1361 times)

0 Members and 1 Guest are viewing this topic.

Offline xeroc

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 12922
  • ChainSquad GmbH
    • View Profile
    • ChainSquad GmbH
  • BitShares: xeroc
  • GitHub: xeroc
Amateur cryptographers...sigh...

First of all, MD5 is insecure.  Don't use it.  Just don't.  For new applications, I recommend sha256 or SHA-3.

Second, the hash does no good unless you also digitally sign the hash.

Third, a signature does no good unless people can verify the key used to produce the signature belongs to a known trusted signer.

I believe the client has a command to sign a hash with the private key associated with a TITAN account.  I recommend using this to sign the sha256 and sha3 of each released executable.  And also the commit hash of each git tag.

I believe there is a way to actually include the signature with the tag so it can be automatically verified by git, but I think it uses GPG PKI.  Getting our own TITAN PKI to integrate with Git in a similar way would be a good bounty idea if there are any Git experts lurking in this forum.

Mayby you guys should have a BitShares PGP Pubkey signing party over in Vegas .. so you can at least verify name<->key relations!! pls

Offline theoretical

Amateur cryptographers...sigh...

First of all, MD5 is insecure.  Don't use it.  Just don't.  For new applications, I recommend sha256 or SHA-3.

Second, the hash does no good unless you also digitally sign the hash.

Third, a signature does no good unless people can verify the key used to produce the signature belongs to a known trusted signer.

I believe the client has a command to sign a hash with the private key associated with a TITAN account.  I recommend using this to sign the sha256 and sha3 of each released executable.  And also the commit hash of each git tag.

I believe there is a way to actually include the signature with the tag so it can be automatically verified by git, but I think it uses GPG PKI.  Getting our own TITAN PKI to integrate with Git in a similar way would be a good bounty idea if there are any Git experts lurking in this forum.
BTS- theoretical / PTS- PZxpdC8RqWsdU3pVJeobZY7JFKVPfNpy5z / BTC- 1NfGejohzoVGffAD1CnCRgo9vApjCU2viY / the delegate formerly known as drltc / Nothing said on these forums is intended to be legally binding / All opinions are my own unless otherwise noted / Take action due to my posts at your own risk


Offline DACSunlimited

  • Full Member
  • ***
  • Posts: 136
    • View Profile
Added the md5 hash for windows binaries. OSX DMG should be signed by bitsha256, so no need to provide hash verification.

https://github.com/dacsunlimited/bitsharesx/releases/tag/v0.4.16

Offline alphaBar

  • Sr. Member
  • ****
  • Posts: 321
    • View Profile
Maybe I missed it, but is there any reason why this isn't published in github release notes (or elsewhere)?