ruimarinho / docker-bitcoin-core

A bitcoin-core docker image
https://hub.docker.com/r/ruimarinho/bitcoin-core/
MIT License

GPG from same source #75

Closed yancyribbens closed 5 years ago

yancyribbens commented 5 years ago

I'm wondering if there's any concern about relying on gpg from the same source as where the tarball has been downloaded.

The SHA256SUMS downloads from https://bitcoin.org/bin.. and then the .tar.gz downloads from the same source. If the GPG is used to verify there was no man-in-the-middle attack or some other subterfuge, should the sha256 sum be supplied from a different location?

ruimarinho commented 5 years ago

I don't think that's the case @yancyribbens because the SHA256SUMS file is signed, so you would have to compromise the private key of laanwj. However, I do agree the best practice would be not to blindly trust the public key asc download from bitcoin.org. I think that's where we need an additional check.

yancyribbens commented 5 years ago

@ruimarinho thanks for the reply. I think you're right if there's a step to verify this is a key owned by laanwj for example, but there would need to be some way for this verification to happen (either manually or otherwise). As it is currently, both the signature and the binary could change to match on bitcoin.org and nobody would be the wiser. In some sense, I think blindly trusting bitcoin.org is needed since the build is provided there, but if the binary was provided external to bitcoin.org this extra step would add authentication.

ruimarinho commented 5 years ago

I will be pushing an update which fetches the release key by id from public key servers instead.
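The verification flow the thread converges on, as an added example that is not code from the docker-bitcoin-core project or its Dockerfile: the signer's full fingerprint is pinned in the build, the key is accepted only if its fingerprint matches the pin (so it no longer matters whether it came from bitcoin.org, a keyserver, or a cached file), SHA256SUMS is checked against that key, and only then is the tarball checked against SHA256SUMS. Everything here is a constructed offline fixture: a throwaway key stands in for laanwj's release key, a text file stands in for the tarball, and the function names (`setup_fixture`, `import_pinned_key`, `verify_release`) are mine, not the project's. It needs `gpg` (2.1 or later) and GNU `sha256sum`.

```shell
#!/bin/sh
# Added example, not code from the docker-bitcoin-core project: verify a release by
# pinning the signer's full fingerprint, so the key's source no longer has to be trusted.
# Everything below is a constructed offline fixture: a throwaway signing key stands
# in for the real release key and a text file stands in for the release tarball.
set -eu

TARBALL=bitcoin-0.0.0-x86_64-linux-gnu.tar.gz   # constructed name, not a real release

# Build the fixture: signer keyring, "release" files, signed SHA256SUMS, an exported
# public key (what a keyserver or download would hand back) and an empty verifier keyring.
setup_fixture() {
  WORK=$(mktemp -d)
  SIGNER_HOME="$WORK/signer"; mkdir -m 700 "$SIGNER_HOME"
  GNUPGHOME="$SIGNER_HOME" gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Release Signer (constructed fixture)' ed25519 sign 0 >/dev/null 2>&1
  FPR=$(GNUPGHOME="$SIGNER_HOME" gpg --batch --with-colons --list-keys \
        | awk -F: '$1=="fpr" {print $10; exit}')
  RELEASE="$WORK/release"; mkdir "$RELEASE"
  printf 'constructed tarball bytes\n' > "$RELEASE/$TARBALL"
  (cd "$RELEASE" && sha256sum "$TARBALL" > SHA256SUMS)
  GNUPGHOME="$SIGNER_HOME" gpg --batch --armor --detach-sign \
    --output "$RELEASE/SHA256SUMS.asc" "$RELEASE/SHA256SUMS" 2>/dev/null
  GNUPGHOME="$SIGNER_HOME" gpg --batch --armor --export "$FPR" > "$WORK/pubkey.asc"
  GNUPGHOME="$WORK/verifier"; mkdir -m 700 "$GNUPGHOME"; export GNUPGHOME
}

# Import a fetched public key only if its primary fingerprint equals the pinned one.
# In a Dockerfile the key file would come from a keyserver or a download; the pin is
# what makes that source irrelevant, so the check runs before anything is imported.
import_pinned_key() {
  keyfile=$1; pinned=$2
  gpg --batch --with-colons --import-options show-only --import "$keyfile" 2>/dev/null \
    | awk -F: -v f="$pinned" '$1=="fpr" && $10==f {ok=1} END {exit !ok}' || return 1
  gpg --batch --quiet --import "$keyfile" 2>/dev/null
}

# Verify the signed checksum file, then the tarball against it.
# Returns 1 if SHA256SUMS was not signed by the pinned key, 2 if the tarball digest
# does not match the signed list, 0 on success.
verify_release() {
  dir=$1; pinned=$2
  # Parse the machine-readable status instead of trusting the exit code alone:
  # the VALIDSIG line carries the signing-key and primary-key fingerprints.
  status=$(gpg --batch --status-fd 1 --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" 2>/dev/null || true)
  printf '%s\n' "$status" \
    | awk -v f="$pinned" '$2=="VALIDSIG" && ($3==f || $NF==f) {ok=1} END {exit !ok}' || return 1
  (cd "$dir" && grep " $TARBALL\$" SHA256SUMS | sha256sum -c - >/dev/null 2>&1) || return 2
}

cleanup() {
  for h in "$SIGNER_HOME" "$GNUPGHOME"; do
    GNUPGHOME="$h" gpgconf --kill all >/dev/null 2>&1 || true
  done
  rm -rf "$WORK"
}

if command -v gpg >/dev/null 2>&1; then
  setup_fixture
  import_pinned_key "$WORK/pubkey.asc" "$FPR"
  verify_release "$RELEASE" "$FPR" && echo "verified $TARBALL against pinned key $FPR"
  cleanup
fi
```

Two points the thread raises are visible in the functions: a swapped tarball fails at the `sha256sum -c` step even though SHA256SUMS is still validly signed, and a key that merely carries the right name or a matching short key id is rejected at `import_pinned_key` because the comparison is on the full 40-hex-digit fingerprint. Pinning the full fingerprint rather than a key id is what makes fetching from a keyserver safe in practice: the keyserver is then only a transport, not something the build trusts.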