unencrypted, unverifiable downloads from bitcoin.org #2388

issue bradfitz opened this issue on March 20, 2013

bradfitz commented at 12:52 AM on March 20, 2013: none

It's too difficult to verify that the Bitcoin downloads aren't MITMed.

bitcoin.org is http, not https, and prominently links to a bunch of http downloads.

sourceforge is http only and while it has a SHASUMS.asc file, that is also served over http.

I can get the bitcoin source from github using ssh or https, but:

$ git grep 94761c70572b8ede8721524bb0317ede2d3723ce | wc -l 0

I can't see the SHA1 sums of previous releases in the git repo anywhere. (which one http file says is the hash of bitcoin-0.8.1-linux.tar.gz)

bitcoin.org should also say how to verify downloads.
gmaxwell commented at 12:55 AM on March 20, 2013: contributor

The sha1sums file is cryptographically signed. HTTPS does not provide strong protection, you'd want to check the signatures in any case. There is even a script included with Bitcoin to check the signatures on the site.
bradfitz commented at 1:03 AM on March 20, 2013: none

echo "gpg error. Do you have Gavin's code signing key installed?"

Okay, contrib/verifysfbinaries/verify.sh is nice. But where do I securely find "Gavin"'s signing key?

I see http://bitcoin.org/gavinandresen.asc but what's the expected digest of that file?

Couldn't the script slurp that and check its digest, or at least tell me what to expect?
bradfitz commented at 1:10 AM on March 20, 2013: none

Okay, I've found https://github.com/bitcoin/bitcoin.org/blob/master/gavinandresen.asc

Consider this bug a documentation/linkage request.
laanwj commented at 12:25 PM on January 10, 2014: member

The downloads are verifiable using the GPG-signed signatures, closing.
laanwj closed this on Jan 10, 2014
DrahtBot locked this on Sep 8, 2021

Contributors

Labels