Bitcoin 0.9.3 Signing Issues #4992

mmerickel opened this issue on September 27, 2014
  1. mmerickel commented at 8:17 PM on September 27, 2014: none

    I apologize ahead of time if this is the wrong repository for this issue, please redirect me to the right spot.

    https://bitcoin.org/bin/0.9.3/SHA256SUMS.asc fails to validate against Gavin's code signing key 2664 6D99 CBAE C9B8 1982 EF60 29D9 EE6B 1FC7 30C1 with which previous releases were signed.

    Also when installing the actual application, the binary in https://bitcoin.org/bin/0.9.3/bitcoin-0.9.3-macosx.dmg is unsigned which is causing the prompt:

    "Bitcoin-Qt.app" can't be opened because the identity of the developer cannot be confirmed.

    I do not have this issue running 0.9.2.1 or 0.9.2, or previous versions. Was something messed up during the release of 0.9.3?

  2. luke-jr commented at 10:42 PM on September 27, 2014: member

    SHA256SUMS.asc just has the release manager's signature. See https://github.com/bitcoin/gitian.sigs/tree/master/0.9.3 for signatures by a specific person.

  3. mmerickel commented at 1:44 AM on September 28, 2014: none

    Ok, I was thinking Gavin was the only person based on comments here:

    https://github.com/bitcoin/bitcoin/blob/a38eaea082692d0dac6996dcace2084cd7f29179/doc/release-process.md#after-3-or-more-people-have-gitian-built-and-their-results-match

    Is that section incorrect?

    What about the issue with Bitcoin-Qt.app? I can make it a separate issue if necessary but since it was signing-related I mentioned it here.

  4. laanwj added the label Mac on Sep 28, 2014
  5. laanwj commented at 10:20 AM on September 28, 2014: member

    SHA256SUMS.asc is signed by me this time. Thanks for noticing, so there are actually people that check this.

    I don't know about the MacOSX executable corrupt issue. The normal code signing key was used there. Maybe @theuni can help.

  6. Diapolo commented at 2:19 PM on September 28, 2014: none

    I also used the file to check the hash of the Windows zip, which was correct ;).

  7. gdvine commented at 4:57 PM on September 28, 2014: none

    Confirmed 0.9.3 can be installed but NOT opened in OS X.

  8. gavinandresen commented at 5:23 PM on September 28, 2014: contributor

    Downloads and installs for me on OSX 10.9.something and 10.8.5.

    What version of OSX is not working?

  9. mmerickel commented at 5:27 PM on September 28, 2014: none

    @gavinandresen I'm running 10.9.5 (current latest). Like I said 0.9.2.1 works fine but installing 0.9.3 on top causes the error when opening the app. Copying 0.9.2.1 back on top allows the old version to open fine.

  10. gavinandresen commented at 5:30 PM on September 28, 2014: contributor

    Do you have the developer tools installed? Can you mount the release .dmg and then run: codesign -d -v /Volumes/Bitcoin-Qt/Bitcoin-Qt.app/

    I get:

    codesign -d -v /Volumes/Bitcoin-Qt/Bitcoin-Qt.app/
    Executable=/Volumes/Bitcoin-Qt/Bitcoin-Qt.app/Contents/MacOS/Bitcoin-Qt
    Identifier=org.bitcoinfoundation.Bitcoin-Qt
    Format=bundle with Mach-O thin (x86_64)
    CodeDirectory v=20200 size=153516 flags=0x0(none) hashes=7668+3 location=embedded
    Signature size=8543
    Timestamp=Sep 26, 2014 10:45:34 AM
    Info.plist entries=16
    Sealed Resources rules=4 files=11
    Internal requirements count=1 size=192
    
  11. mmerickel commented at 5:35 PM on September 28, 2014: none

    I'm using the Xcode 6.0.1 tools. My output is slightly different than yours (I have a TeamIdentifier entry).

    For 0.9.3 I see

    Executable=/Volumes/Bitcoin-Qt/Bitcoin-Qt.app/Contents/MacOS/Bitcoin-Qt
    Identifier=org.bitcoinfoundation.Bitcoin-Qt
    Format=bundle with Mach-O thin (x86_64)
    CodeDirectory v=20200 size=153516 flags=0x0(none) hashes=7668+3 location=embedded
    Signature size=8543
    Timestamp=Sep 26, 2014, 9:45:34 AM
    Info.plist entries=16
    TeamIdentifier=PBV4GLS9J4
    Sealed Resources version=2 rules=12 files=27
    Internal requirements count=1 size=192
    

    For 0.9.2.1 I see

    Executable=/Volumes/Bitcoin-Qt/Bitcoin-Qt.app/Contents/MacOS/Bitcoin-Qt
    Identifier=org.bitcoinfoundation.Bitcoin-Qt
    Format=bundle with Mach-O thin (x86_64)
    CodeDirectory v=20100 size=153121 flags=0x0(none) hashes=7649+3 location=embedded
    Signature size=8544
    Timestamp=Jun 19, 2014, 9:42:50 AM
    Info.plist entries=16
    TeamIdentifier=not set
    Sealed Resources version=1 rules=4 files=11
    Internal requirements count=1 size=192
    

    The notable difference is that the TeamIdentifier is not set for 0.9.2.1.
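
The by-eye comparison in the comment above can be scripted as a field-by-field diff. This is an added example, not part of the original thread or the project's tooling: the function names `fields` and `changed_fields` are hypothetical, and the two inputs are the 0.9.2.1 and 0.9.3 outputs copied from that comment.

```sh
# Added example: field-by-field comparison of two `codesign -d -v` outputs.
# OLD_OUT / NEW_OUT are copied from the 0.9.2.1 and 0.9.3 outputs quoted in the thread.
OLD_OUT='Executable=/Volumes/Bitcoin-Qt/Bitcoin-Qt.app/Contents/MacOS/Bitcoin-Qt
Identifier=org.bitcoinfoundation.Bitcoin-Qt
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=153121 flags=0x0(none) hashes=7649+3 location=embedded
Signature size=8544
Timestamp=Jun 19, 2014, 9:42:50 AM
Info.plist entries=16
TeamIdentifier=not set
Sealed Resources version=1 rules=4 files=11
Internal requirements count=1 size=192'
NEW_OUT='Executable=/Volumes/Bitcoin-Qt/Bitcoin-Qt.app/Contents/MacOS/Bitcoin-Qt
Identifier=org.bitcoinfoundation.Bitcoin-Qt
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=153516 flags=0x0(none) hashes=7668+3 location=embedded
Signature size=8543
Timestamp=Sep 26, 2014, 9:45:34 AM
Info.plist entries=16
TeamIdentifier=PBV4GLS9J4
Sealed Resources version=2 rules=12 files=27
Internal requirements count=1 size=192'

# Emit "tag<TAB>key<TAB>value". A line is either Key=value-to-end-of-line or
# "Label k=v k=v ...", which becomes one "Label.k" entry per pair.
fields() {
  awk -v tag="$1" -v OFS='\t' '{
    if (index($1, "=")) { p = index($0, "="); print tag, substr($0, 1, p - 1), substr($0, p + 1); next }
    label = ""
    for (i = 1; i <= NF; i++) {
      p = index($i, "=")
      if (p) print tag, label "." substr($i, 1, p - 1), substr($i, p + 1)
      else label = (label == "" ? $i : label " " $i)
    }
  }'
}

# Print "key: old -> new" for every field that differs. Timestamp is skipped:
# the 0.9.3 outputs in this thread show the same signature at three different hours.
changed_fields() {
  { printf '%s\n' "$1" | fields A; printf '%s\n' "$2" | fields B; } |
  awk -F'\t' '$2 != "Timestamp" { seen[$2] = 1; if ($1 == "A") a[$2] = $3; else b[$2] = $3 }
    END { for (k in seen) {
      va = (k in a) ? a[k] : "<absent>"; vb = (k in b) ? b[k] : "<absent>"
      if ((va "") != (vb "")) print k ": " va " -> " vb } }' | LC_ALL=C sort
}
```

Running `changed_fields "$OLD_OUT" "$NEW_OUT"` lists the CodeDirectory, Signature, Sealed Resources and TeamIdentifier fields that differ between the two releases.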

  12. mmerickel renamed this:
    Bitcoin Release Signatures for 0.9.3 are not signed by Gavin
    Bitcoin 0.9.3 Signing Issues
    on Sep 28, 2014
  13. toffoo commented at 6:03 AM on September 29, 2014: none

    I am on OSX 10.9.5 and can confirm I get the '"Bitcoin-Qt.app" can't be opened because the identity of the developer cannot be confirmed.' error on startup, if you have Gatekeeper security protection enabled (set to "Mac App Store and identified developers" which I believe is the default now).

    Of course you can still run the executable if you right-click and use Open from the contextual menu in Finder, and then accept the security warning.

    Here's my:

    codesign -d -v /Volumes/Bitcoin-Qt/Bitcoin-Qt.app/
    Executable=/Volumes/Bitcoin-Qt/Bitcoin-Qt.app/Contents/MacOS/Bitcoin-Qt
    Identifier=org.bitcoinfoundation.Bitcoin-Qt
    Format=bundle with Mach-O thin (x86_64)
    CodeDirectory v=20200 size=153516 flags=0x0(none) hashes=7668+3 location=embedded
    Signature size=8543
    Timestamp=Sep 26, 2014, 11:45:34 AM
    Info.plist entries=16
    TeamIdentifier=PBV4GLS9J4
    Sealed Resources version=2 rules=12 files=27
    Internal requirements count=1 size=192
    

    I can also confirm that both the SHA256SUM and laanwj's gpg signature look fine to me:

    gpg -v SHA256SUMS.asc 
    Hash: SHA512
    gpg: armor header: 
    Version: GnuPG v1
    gpg: armor header: 
    gpg: original file name=''
    gpg: Signature made Fri Sep 26 12:41:55 2014 BRT using RSA key ID 2346C9A6
    gpg: requesting key 2346C9A6 from hkp server keys.gnupg.net
    Version: SKS 1.1.5
    gpg: armor header: 
    Comment: Hostname: keyserver.nausch.org
    gpg: armor header: 
    gpg: pub  2048R/2346C9A6 2011-08-24  Wladimir J. van der Laan <laanwj@gmail.com>
    gpg: using PGP trust model
    gpg: key 2346C9A6: public key "Wladimir J. van der Laan <laanwj@gmail.com>" imported
    gpg: 11 keys cached (223 signatures)
    gpg: 2 keys processed (5 validity counts cleared)
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: next trustdb check due at 2015-08-18
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    gpg: Good signature from "Wladimir J. van der Laan <laanwj@gmail.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 71A3 B167 3540 5025 D447  E8F2 7481 0B01 2346 C9A6
    gpg: textmode signature, digest algorithm SHA512
    
    shasum -a 256 bitcoin-0.9.3-macosx.dmg 
    75e0dc0078710431bfbdefc5ff804928db808b03781a6bd2bfb9197f5762445e  bitcoin-0.9.3-macosx.dmg
    

    but I can understand if there was confusion on this because it was a SHA256SUM this time and was SHA1 before and maybe with the SHA512 hash from gpg vs. SHA256SUM signature for the binary.

    Also, there is almost certainly some confusion regarding these two completely separate and different code security schemes.

    The gpged SHA1/SHA256 signatures have always worked fine for me. I'm going from memory here, but I don't think the Mac/Gatekeeper code signature thing has ever worked for me, and I've always had to open the executable with the Finder/Open/Accept bypass the first time.
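
The two checks discussed in this thread (which key signed SHA256SUMS.asc, and whether the download matches a listed hash) combined into one script that compares the full fingerprint rather than relying on a "Good signature" line. This is an added example, not from the thread or the project: the function names are hypothetical, the gpg status sample is constructed, and the pinned fingerprints are the two quoted in this thread, assumed to have been confirmed by the person verifying.

```sh
# Added example: accept a download only if SHA256SUMS.asc is signed by a pinned key.
# Pinned full fingerprints: the two quoted in this thread. Whether to trust them
# is the verifier's own decision (assumption of this example).
TRUSTED_FPRS='26646D99CBAEC9B81982EF6029D9EE6B1FC730C1
71A3B16735405025D447E8F274810B012346C9A6'

# Constructed sample of `gpg --status-fd 1` output for a good signature.
SAMPLE_STATUS='[GNUPG:] GOODSIG 74810B012346C9A6 Wladimir J. van der Laan <laanwj@gmail.com>
[GNUPG:] VALIDSIG 71A3B16735405025D447E8F274810B012346C9A6 2014-09-26 1411746115 0 4 0 1 10 01 71A3B16735405025D447E8F274810B012346C9A6'

# Read gpg status lines on stdin; print the primary-key fingerprint (last VALIDSIG field).
signer_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# True only for an exact match of the full fingerprint against the pinned list.
is_trusted_fpr() {
  [ -n "$1" ] && printf '%s\n' "$TRUSTED_FPRS" | grep -qxF -- "$1"
}

# Print the hash listed for file name $2 in the verified hash list $1.
listed_hash() {
  awk -v f="$2" '$2 == f || $2 == "*" f { print $1; exit }' "$1"
}

# verify_release SHA256SUMS.asc FILE -> 0 only if signature, signer and hash all check out.
verify_release() (
  tmp=$(mktemp) || exit 1
  trap 'rm -f "$tmp"' EXIT
  # --output keeps only the text the signature covers; the hash lookup reads that copy.
  status=$(gpg --batch --yes --status-fd 1 --output "$tmp" --decrypt "$1" 2>/dev/null) || exit 1
  is_trusted_fpr "$(printf '%s\n' "$status" | signer_fpr)" || exit 2
  want=$(listed_hash "$tmp" "$(basename "$2")")
  got=$(shasum -a 256 "$2" | awk '{ print $1 }')
  [ -n "$want" ] && [ "$want" = "$got" ]
)
```

Usage is `verify_release SHA256SUMS.asc bitcoin-0.9.3-macosx.dmg`; exit status 2 means the signature was valid but made by a key outside the pinned list.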

  14. luke-jr commented at 6:14 AM on September 29, 2014: member

    @toffoo Can you elaborate on what "the security warning" says?

  15. toffoo commented at 6:23 AM on September 29, 2014: none

    '"Bitcoin-Qt.app" can't be opened because the identity of the developer cannot be confirmed.'

    That is a direct quote. It doesn't elaborate.

    It is a pretty standard Gatekeeper error box that pops up the first time you attempt to open a binary where the code signature verification fails, for whatever reason. I don't know enough about how Gatekeeper works to diagnose why it's failing. The proper stuff looks like it's in the right place in the package to me.

  16. laanwj commented at 7:25 AM on September 29, 2014: member

    Could be this change: e3d8d586596515fa02ec1b6b2068c94b6656ecdf

  17. gavinandresen commented at 1:27 PM on September 29, 2014: contributor

    Back in my office, I'm running 10.9.4. I'll upgrade to 10.9.5 and see if I can reproduce.

  18. laanwj commented at 2:56 PM on September 29, 2014: member

    New dmg has been uploaded to https://bitcoin.org/bin/0.9.3/

  19. gavinandresen commented at 3:01 PM on September 29, 2014: contributor

    FYI: OSX 10.9.4 was happy with the Qt frameworks inside the .app being copied from Versions/5/ to Versions/Current/

    OSX 10.9.5 refused to sign the bundle unless Versions/Current/ were symbolic links.

    I'll submit a pull request for our contrib/macdeploy/ tool to fix.

  20. theuni commented at 4:58 PM on September 29, 2014: member

    @gavinandresen e3d8d5865 should make the symlinks as necessary. The dmg worked fine for me when I tested, but I also never dropped it in on top of an older release. Looking now.

  21. mmerickel commented at 9:13 PM on September 29, 2014: none

    I can confirm the latest download from https://bitcoin.org/bin/0.9.3/bitcoin-0.9.3-macosx.dmg (sha256 251938650bd79681dd93dcce346589aa5d1217d012a6f8e749165ef2149662d2) opens fine for me.

    Thanks guys for looking into this!

  22. theuni commented at 9:35 PM on September 29, 2014: member

    Fix for macdeployplus is coming up, I'm just verifying that it works everywhere first. Thanks @gavinandresen for the gist, that was a big help.

  23. toffoo commented at 3:55 AM on September 30, 2014: none

    The new bitcoin-0.9.3-macosx.dmg works fine for me as well. Thanks for the fast fix guys.

  24. gavinandresen closed this on Oct 1, 2014

  25. michaelbnewman commented at 11:41 AM on October 4, 2014: none

    Is there a central place on bitcoin.org (or github) listing each developer's public key (ASC) file? I found https://bitcoin.org/laanwj.asc via a Google search, but doubt other interested people will likely find it that way. Would be handy if that info was linked on https://bitcoin.org/en/download

  26. fanquake commented at 11:44 AM on October 4, 2014: member
  27. MarcoFalke locked this on Sep 8, 2021

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-21 18:15 UTC
