bitpay / bitcore-wallet-service

A multisig, HD Bitcoin and Bitcoin Cash wallet service. Used by Copay.
https://copay.io/
MIT License

Non trusted signature OK? #626

Open ChrisMiami opened 7 years ago

ChrisMiami commented 7 years ago

When I downloaded Copay and verified the macOS disk image, the output I got suggests that trusting the file is totally up to me: signature was good, but it is untrusted. Little better than not checking, IMHO.

```
gpg: Signature made Wed Jan 18 14:30:12 2017 EST using DSA key ID 1112CFA1
gpg: Good signature from "Copay (visit copay.io) copay@bitpay.com" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9D17 E656 BB3B 6163 AE9D 7172 5CD6 00A6 1112 CFA1
```

Any chance to get a trusted signature? Or did I just get a hacked copy of the distribution?

matiu commented 7 years ago

That is the right signature, see: https://github.com/bitpay/copay#how-to-verify-copay-signatures


-- BitPay.com

dabura667 commented 7 years ago

"Trusted" in this context means "you have not added this public key to your web of trust."

Normally, to prevent MITM attacks, people meet in person at conferences and sign each other's keys, which basically states "I have verified directly from the person themself in person that this key is actually theirs, and I trust them to be honest and not lie about who they have verified."

If you trust that only BitPay has control over their website and SSL cert, then the only other way someone could MITM attack you is if they control your browser or your PC. So ascertain your risk factor (probably extremely low) and decide whether you want to trust the executable.

tl;dr "Trust" in that context is not relevant to 99% of users. Though you will want to have a strong presence on the web of trust for situations like your website getting hacked... (but there's also the possibility that their PGP key could be stolen, in which case they should revoke and rekey immediately).

dabura667 commented 7 years ago

I can also verify that the key fingerprint you pasted matches the fingerprint I have on my record.
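
The distinction drawn in this thread, a good signature versus a key your local keyring has no trust path to, can be scripted by pinning the fingerprint and reading GnuPG's machine-readable status lines. This is an added example, not part of the thread or of BitPay's code: `check_pinned_sig` is a hypothetical helper name, the file names in the usage comment are placeholders, and the sample status lines are constructed.

```shell
# Fingerprint as quoted in this thread; confirm it against the project's
# published verification instructions before pinning it.
PINNED_FPR="9D17 E656 BB3B 6163 AE9D 7172 5CD6 00A6 1112 CFA1"

# check_pinned_sig FPR (hypothetical helper): reads gpg --status-fd output on
# stdin; returns 0 only for a valid signature whose primary key matches FPR.
check_pinned_sig() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    status=$(cat)
    # Any of these means the signature or the key itself is unusable.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) '; then
        echo "FAIL: bad signature, or expired/revoked/missing key" >&2
        return 1
    fi
    # The last field of VALIDSIG is the primary key fingerprint.
    got=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    if [ -z "$got" ]; then
        echo "FAIL: no VALIDSIG line" >&2
        return 1
    fi
    if [ "$got" != "$want" ]; then
        echo "FAIL: signed by $got, expected $want" >&2
        return 1
    fi
    # TRUST_UNDEFINED is what produces the "not certified" warning; it reports
    # the local trust database, not the validity of the signature.
    trust=$(printf '%s\n' "$status" | awk '$2 ~ /^TRUST_/ { print $2; exit }')
    echo "OK: valid signature from pinned key (${trust:-no trust line})"
}

# Constructed sample status output (timestamp and algorithm ids are made up).
SAMPLE_OK='[GNUPG:] GOODSIG 5CD600A61112CFA1 Copay (visit copay.io) <copay@bitpay.com>
[GNUPG:] VALIDSIG 9D17E656BB3B6163AE9D71725CD600A61112CFA1 2017-01-18 1484767812 0 4 0 17 2 00 9D17E656BB3B6163AE9D71725CD600A61112CFA1
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Real use (placeholder file names):
#   gpg --status-fd 1 --verify FILE.sig FILE 2>/dev/null | check_pinned_sig "$PINNED_FPR"
printf '%s\n' "$SAMPLE_OK" | check_pinned_sig "$PINNED_FPR"
```

The check is only as strong as the channel the pinned fingerprint came from, which is the point made above about trusting the website and its certificate.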