unencrypted, unverifiable downloads from bitcoin.org #2388

issue bradfitz opened this issue on March 20, 2013
  1. bradfitz commented at 12:52 AM on March 20, 2013: none

    It's too difficult to verify that the Bitcoin downloads aren't MITMed.

    bitcoin.org is http, not https, and prominently links to a bunch of http downloads.

    sourceforge is http only and while it has a SHASUMS.asc file, that is also served over http.

    I can get the bitcoin source from github using ssh or https, but:

    $ git grep 94761c70572b8ede8721524bb0317ede2d3723ce | wc -l
    0

    I can't see the SHA1 sums of previous releases in the git repo anywhere. (which one http file says is the hash of bitcoin-0.8.1-linux.tar.gz)

    bitcoin.org should also say how to verify downloads.

  2. gmaxwell commented at 12:55 AM on March 20, 2013: contributor

    The sha1sums file is cryptographically signed. HTTPS does not provide strong protection, you'd want to check the signatures in any case. There is even a script included with Bitcoin to check the signatures on the site.

  3. bradfitz commented at 1:03 AM on March 20, 2013: none

    echo "gpg error. Do you have Gavin's code signing key installed?"

    Okay, contrib/verifysfbinaries/verify.sh is nice. But where do I securely find "Gavin"'s signing key?

    I see http://bitcoin.org/gavinandresen.asc but what's the expected digest of that file?

    Couldn't the script slurp that and check its digest, or at least tell me what to expect?

  4. bradfitz commented at 1:10 AM on March 20, 2013: none

    Okay, I've found https://github.com/bitcoin/bitcoin.org/blob/master/gavinandresen.asc

    Consider this bug a documentation/linkage request.

  5. laanwj commented at 12:25 PM on January 10, 2014: member

    The downloads are verifiable using the GPG-signed signatures, closing.

  6. laanwj closed this on Jan 10, 2014

  7. DrahtBot locked this on Sep 8, 2021
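The question raised in comment 3 (what to check the downloaded gavinandresen.asc against) is normally answered by comparing the key's OpenPGP fingerprint with one obtained out of band, not by hashing the file. The following added example, which is not code from the issue or from the bitcoin repository, computes the v4 fingerprint of an ASCII-armored public key using only the Python standard library. It assumes old-format packet headers (what gpg emits for key packets), and the sample key with its toy MPIs is constructed for the demonstration and is not a real key.

```python
import base64, hashlib, struct

def crc24(data: bytes) -> int:
    # Armor checksum from RFC 4880 section 6.1; it detects transmission damage, not tampering.
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    # Drop BEGIN/END lines and armor headers, base64-decode the body, verify the "=XXXX" CRC line.
    body = text.strip().splitlines()[1:-1]
    if "" in body:
        body = body[body.index("") + 1:]          # armor headers end at the first blank line
    crc_line = body.pop() if body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC mismatch: key file is corrupt")
    return data

def public_key_body(data: bytes) -> bytes:
    # Old-format header (bit 6 clear), as gpg emits for key packets: tag in bits 2-5, length size in bits 0-1.
    hdr = data[0]
    if hdr & 0x40 or (hdr & 0x03) == 3:           # new-format or indeterminate-length headers: not handled here
        raise ValueError("unsupported packet header")
    tag, size = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 0x03]
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    return data[1 + size:1 + size + int.from_bytes(data[1:1 + size], "big")]

def fingerprint(armored: str) -> str:
    # RFC 4880 section 12.2: v4 fingerprint = SHA-1(0x99 || 2-byte body length || body).
    body = public_key_body(dearmor(armored))
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
def mpi(n: int) -> bytes:                     # OpenPGP multiprecision integer encoding
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
def armor(packet: bytes) -> str:              # minimal armor writer, used only to build the sample
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n"
# Constructed sample: v4 RSA public-key packet with toy MPIs. This is NOT a real key.
SAMPLE_BODY = b"\x04" + struct.pack(">I", 1363737600) + b"\x01" + mpi(0xC0FFEE1234567890ABCDEF) + mpi(65537)
SAMPLE_KEY = armor(b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY)
```

Run `fingerprint(open("gavinandresen.asc").read())` on the real file and compare the result, and its last 16 hex digits (the key ID), with a fingerprint published through a channel independent of the download site; the CRC check only catches corruption, never substitution.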

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-22 06:16 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me