How do outsiders know that the bitcoin.com wallet code on GitHub is legitimate?
How do outsiders know that the wallets they are downloading are really from bitcoin.com?
I am sure you must have heard about the Linux Mint hack where backdoored ISOs were placed on their servers. What exactly is stopping a hacker getting into the bitcoin.com web servers and replacing the wallet binaries with backdoored ones which send funds to an attacker's wallet whenever a transaction is sent? Web servers are notoriously insecure.
To fix this:

1. You need to sign all your commits with GPG.
2. You need to add a version tag and sign all your code releases on GitHub.
3. You need to add a detached GPG signature for all wallet binary downloads.
4. You need to submit your signing public keys to a key server.
5. You need to submit your signing public keys to another site so users can do cross verification of the public key, e.g. keybase.io.
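Added example, not part of the original issue or of the bitcoin.com wallet project: a POSIX shell script that walks through step 3 and the reason for steps 4 and 5. The maintainer side generates a signing key and publishes a detached signature next to a release artifact; the downloader side shows that a swapped artifact fails verification, that a downloader who does not yet have the publisher's key cannot verify at all, and that importing the published key fixes that. It assumes GnuPG 2.x is installed. The key, the identity `release@example.invalid` and the "wallet binary" are constructed placeholders living in a throwaway GNUPGHOME; nothing is uploaded to a keyserver. The same key would be used for `git commit -S` and `git tag -s` in steps 1 and 2.

```shell
#!/bin/sh
# Added example (not from the original issue). Requires gpg (GnuPG 2.x).
# All keys live in a throwaway GNUPGHOME under a temp dir; the "release"
# is a constructed placeholder file standing in for a wallet binary.
set -eu

WORK=$(mktemp -d)
PUBLISHER_HOME="$WORK/publisher"     # maintainer's keyring
DOWNLOADER_HOME="$WORK/downloader"   # a fresh user's keyring (no keys yet)
mkdir -m 700 "$PUBLISHER_HOME" "$DOWNLOADER_HOME"

RELEASE="$WORK/wallet-1.0.0.tar.gz"        # hypothetical release artifact
SIG="$RELEASE.asc"                         # detached signature published beside it
PUBKEY="$WORK/release-key.asc"             # public key for keyserver / keybase upload

# --- maintainer side ---------------------------------------------------------
# Throwaway signing key with a placeholder identity and no passphrase.
GNUPGHOME="$PUBLISHER_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Release Signer (example) <release@example.invalid>' default default never \
    >/dev/null 2>&1
printf 'constructed placeholder for wallet-1.0.0.tar.gz\n' > "$RELEASE"
# Detached, ASCII-armoured signature (step 3 of the issue).
GNUPGHOME="$PUBLISHER_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$SIG" "$RELEASE"
# Export the public key; in practice this goes to a keyserver and keybase (steps 4 and 5).
GNUPGHOME="$PUBLISHER_HOME" gpg --batch --armor --export 'release@example.invalid' > "$PUBKEY"

# --- downloader side ---------------------------------------------------------
# verify_release KEYRING_HOME FILE SIGFILE
# Prints "good" only when SIGFILE is a valid signature over FILE by a key
# present in KEYRING_HOME; "bad" for a wrong signature or an unknown key.
verify_release() {
    if GNUPGHOME="$1" gpg --batch --quiet --verify "$3" "$2" >/dev/null 2>&1; then
        echo good
    else
        echo bad
    fi
}

# Scenario 1: the publisher's own keyring sees the untouched download.
UNTAMPERED=$(verify_release "$PUBLISHER_HOME" "$RELEASE" "$SIG")

# Scenario 2: the web server was compromised and the artifact swapped, but the
# attacker cannot produce a new signature, so the old .asc no longer matches.
cp "$RELEASE" "$WORK/swapped.tar.gz"
printf 'attacker-modified bytes\n' >> "$WORK/swapped.tar.gz"
SWAPPED=$(verify_release "$PUBLISHER_HOME" "$WORK/swapped.tar.gz" "$SIG")

# Scenario 3: a user with an empty keyring cannot verify anything, which is why
# the public key must be published somewhere the user can fetch and cross-check it.
WITHOUT_KEY=$(verify_release "$DOWNLOADER_HOME" "$RELEASE" "$SIG")

# Scenario 4: after importing the published key (here from the exported file;
# in practice from a keyserver, fingerprint cross-checked on keybase), it verifies.
GNUPGHOME="$DOWNLOADER_HOME" gpg --batch --quiet --import "$PUBKEY" >/dev/null 2>&1
WITH_KEY=$(verify_release "$DOWNLOADER_HOME" "$RELEASE" "$SIG")

echo "untampered=$UNTAMPERED swapped=$SWAPPED without_key=$WITHOUT_KEY with_key=$WITH_KEY"
rm -rf "$WORK"
```

Note that a good signature only proves the artifact came from whoever holds that key; a user who fetched the key from the same compromised server learns nothing, which is the point of cross-verifying the fingerprint on an independent site such as keybase.io.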
Required reading: