BitShares Forum
Main => General Discussion => Topic started by: alphaBar on September 21, 2014, 09:41:43 pm
-
Maybe I missed it, but is there any reason why this isn't published in github release notes (or elsewhere)?
-
Added the md5 hash for windows binaries. OSX DMG should be signed by bitsha256, so no need to provide hash verification.
https://github.com/dacsunlimited/bitsharesx/releases/tag/v0.4.16
-
md5? seriously?
http://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since-1996
-
Amateur cryptographers...sigh...
First of all, MD5 is insecure. Don't use it. Just don't. For new applications, I recommend sha256 or SHA-3.
Second, the hash does no good unless you also digitally sign the hash.
Third, a signature does no good unless people can verify the key used to produce the signature belongs to a known trusted signer.
I believe the client has a command to sign a hash with the private key associated with a TITAN account. I recommend using this to sign the sha256 and sha3 of each released executable. And also the commit hash of each git tag.
I believe there is a way to actually include the signature with the tag so it can be automatically verified by git, but I think it uses GPG PKI. Getting our own TITAN PKI to integrate with Git in a similar way would be a good bounty idea if there are any Git experts lurking in this forum.
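The three points above (hash with a modern algorithm, sign the hash, only trust a signature from a key you already know) fit into one small verifier. The Go program below is an added example written for this thread, not BitShares project code: it stands in Ed25519 for the TITAN account key or GPG key the post has in mind, binds the release tag into the signed message, and uses a constructed byte string in place of a real Windows binary. The verifier checks the signer key against an out-of-band trust list first, then the signature, then the digest of what was actually downloaded, so an attacker who controls the download server and rewrites both the binary and its hash still fails.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what a maintainer would publish next to a release binary. The
// signature binds tag and digest together, so whoever hosts the download
// cannot simply rewrite the digest the way an unsigned md5 line can be rewritten.
type Manifest struct {
	Tag       string            // release tag the artifact belongs to, e.g. "v0.4.16"
	Digest    [sha256.Size]byte // SHA-256 of the artifact; MD5 is not acceptable here
	Signature []byte            // Ed25519 signature over signedMessage()
	SignerKey ed25519.PublicKey // key the publisher claims produced Signature
}

// signedMessage is the exact byte string that gets signed. Including the tag
// stops an attacker from replaying an older, validly signed binary under a
// newer tag. The format is an assumption made for this example.
func signedMessage(tag string, digest [sha256.Size]byte) []byte {
	return []byte(fmt.Sprintf("release %s sha256=%s", tag, hex.EncodeToString(digest[:])))
}

// Sign is the maintainer's side: hash the artifact and sign tag+digest.
func Sign(priv ed25519.PrivateKey, tag string, artifact []byte) Manifest {
	d := sha256.Sum256(artifact)
	return Manifest{
		Tag:       tag,
		Digest:    d,
		Signature: ed25519.Sign(priv, signedMessage(tag, d)),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

var (
	ErrUntrustedKey   = errors.New("signer key is not in the trusted key list")
	ErrBadSignature   = errors.New("signature does not verify under the claimed key")
	ErrWrongTag       = errors.New("manifest is for a different release tag")
	ErrDigestMismatch = errors.New("downloaded artifact does not match the signed digest")
)

// Verify is the downloader's side. trusted holds maintainer public keys the
// user obtained out of band (a key-signing party, a key shipped in an earlier
// release); nothing fetched from the same server as the binary belongs in it.
func Verify(artifact []byte, wantTag string, m Manifest, trusted []ed25519.PublicKey) error {
	// Third point, checked first: is the claimed signer a key we already trust?
	// Without this an attacker simply ships a manifest signed by their own key.
	known := false
	for _, k := range trusted {
		if bytes.Equal(k, m.SignerKey) {
			known = true
			break
		}
	}
	if !known {
		return ErrUntrustedKey
	}
	// Second point: the digest only means something once its signature checks.
	if !ed25519.Verify(m.SignerKey, signedMessage(m.Tag, m.Digest), m.Signature) {
		return ErrBadSignature
	}
	if m.Tag != wantTag {
		return ErrWrongTag
	}
	// First point: recompute SHA-256 over what was actually downloaded.
	if sha256.Sum256(artifact) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := []ed25519.PublicKey{pub}
	binary := []byte("constructed stand-in for a Windows release binary") // not a real artifact
	m := Sign(priv, "v0.4.16", binary)
	fmt.Println("genuine release:", Verify(binary, "v0.4.16", m, trusted))

	tampered := append([]byte(nil), binary...)
	tampered[0] ^= 0xff
	fmt.Println("tampered binary, original manifest:", Verify(tampered, "v0.4.16", m, trusted))

	// Attacker controls the download server: re-hashes the tampered binary and
	// re-signs with a key of their own. A bare md5 line would pass; this does not.
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker re-signed:", Verify(tampered, "v0.4.16", Sign(evilPriv, "v0.4.16", tampered), trusted))
}
```

The order of the checks matters: key membership comes before signature verification so that an attacker-supplied key pair is rejected outright, and the tag is part of the signed bytes so that a genuinely signed v0.4.15 binary cannot be served as v0.4.16.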
-
Maybe you guys should have a BitShares PGP Pubkey signing party over in Vegas .. so you can at least verify name<->key relations!! pls