BitShares Forum

Main => General Discussion => Topic started by: alphaBar on September 21, 2014, 09:41:43 pm

Title: No hash verification of Bitsharesx binaries?
Post by: alphaBar on September 21, 2014, 09:41:43 pm
Maybe I missed it, but is there any reason why this isn't published in github release notes (or elsewhere)?
Title: Re: No hash verification of Bitsharesx binaries?
Post by: DACSunlimited on September 22, 2014, 04:49:21 pm
Added the MD5 hash for Windows binaries. OSX DMG should be signed by bitsha256, so no need to provide hash verification.

https://github.com/dacsunlimited/bitsharesx/releases/tag/v0.4.16
Title: Re: No hash verification of Bitsharesx binaries?
Post by: xeroc on September 22, 2014, 05:30:22 pm
md5? seriously?
http://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since-1996
Title: Re: No hash verification of Bitsharesx binaries?
Post by: theoretical on September 22, 2014, 07:05:17 pm
Amateur cryptographers...sigh...

First of all, MD5 is insecure.  Don't use it.  Just don't.  For new applications, I recommend sha256 or SHA-3.

Second, the hash does no good unless you also digitally sign the hash.

Third, a signature does no good unless people can verify the key used to produce the signature belongs to a known trusted signer.

I believe the client has a command to sign a hash with the private key associated with a TITAN account.  I recommend using this to sign the sha256 and sha3 of each released executable.  And also the commit hash of each git tag.

I believe there is a way to actually include the signature with the tag so it can be automatically verified by git, but I think it uses GPG PKI.  Getting our own TITAN PKI to integrate with Git in a similar way would be a good bounty idea if there are any Git experts lurking in this forum.
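
The three points in the post above, put together as an added example (not code from the thread or from the BitShares client): the downloader recomputes the SHA-256 digest, checks a signature over it, and accepts the signer key only if it matches a fingerprint pinned out of band. Ed25519 from the Go standard library stands in for the TITAN or GPG key the thread mentions; `Release`, `DemoKey`, `Fingerprint`, `Sign` and `Verify` are hypothetical names, and the key and release bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Release is what a downloader gets: binary, detached signature, claimed signer key.
type Release struct {
	Binary, Signature []byte
	SignerKey         ed25519.PublicKey
}

// DemoKey derives a constructed, demo-only key from one seed byte.
func DemoKey(b byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
}

// Fingerprint is the value a user pins after checking it out of band.
func Fingerprint(k ed25519.PublicKey) [32]byte { return sha256.Sum256(k) }

// Sign plays the publisher: hash the binary, then sign the digest.
func Sign(priv ed25519.PrivateKey, binary []byte) Release {
	digest := sha256.Sum256(binary)
	return Release{binary, ed25519.Sign(priv, digest[:]), priv.Public().(ed25519.PublicKey)}
}

// Verify plays the downloader, who holds only the pinned fingerprint.
func Verify(r Release, pinned [32]byte) error {
	// Third point: the key must be the one already trusted, not just any key.
	if Fingerprint(r.SignerKey) != pinned {
		return fmt.Errorf("signer key does not match pinned fingerprint")
	}
	// First and second points: recompute SHA-256 locally, check the signature on it.
	digest := sha256.Sum256(r.Binary)
	if !ed25519.Verify(r.SignerKey, digest[:], r.Signature) {
		return fmt.Errorf("signature does not cover this binary")
	}
	return nil
}

func main() {
	rel := Sign(DemoKey(7), []byte("constructed release bytes"))
	pinned := Fingerprint(rel.SignerKey)
	fmt.Println("genuine:", Verify(rel, pinned))
	rel.Binary = append(rel.Binary, '!') // binary altered after signing
	fmt.Println("tampered:", Verify(rel, pinned))
}
```

A release re-signed with any other key fails at the fingerprint check, which is why publishing a bare hash next to the download adds nothing against someone who can replace both.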
Title: Re: No hash verification of Bitsharesx binaries?
Post by: xeroc on September 22, 2014, 07:10:27 pm
Maybe you guys should have a BitShares PGP Pubkey signing party over in Vegas .. so you can at least verify name<->key relations!! pls