
1.7.17 checksums.txt.gpg signature verification fails: No public key

Open powerman opened this issue 3 years ago • 4 comments

Looks like file is signed using different key.

Console Logs / Screenshots

$ curl https://keybase.io/tayvano/pgp_keys.asc | gpg --import
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3098  100  3098    0     0   5389      0 --:--:-- --:--:-- --:--:--  5867
gpg: key 0x697F4D4B81B15C84: public key "Taylor <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --list-key 0x697F4D4B81B15C84
pub   rsa2048/0x697F4D4B81B15C84 2017-11-10 [SC]
      1B7A2D12DE76F0F0A2153B62697F4D4B81B15C84
uid                   [ unknown] Taylor <[email protected]>
sub   rsa2048/0x7CF40C83CF3249B7 2017-11-10 [E] [expires: 2023-12-15]

$ gpg --output checksums.txt --decrypt checksums.txt.gpg
gpg: Signature made Sat Jan 29 04:12:06 2022 EET
gpg:                using RSA key 45A031AB34C9050DD0BD2844FF0ED3C3ABC76446
gpg: Can't check signature: No public key

$ cat checksums.txt
FILENAME                             	SHA256
linux-i386_1.7.17_MyCrypto.AppImage  	80b06558f41724199a8e09c6ed462899c79b6999d7f8c9a065d62f86333f0dbc
linux-x86-64_1.7.17_MyCrypto.AppImage	20eb48989b5ae5e60e438eff6830ac79a0d89ac26dff058097260e747e866444
mac_1.7.17_MyCrypto.dmg              	8fe2652697b0557f7e221d0c960aa9e36a54445f12e7396a193cc5c5ad6ded06
standalone_1.7.17_MyCrypto.zip       	f8538c82eef7a5dfba790cfd9221e782b998554071cbcb8f0c33c2a9f374a262
windows_1.7.17_MyCrypto.exe          	1f2b3380448e7c6517c9ddd0a6afef229442c43536d17ee9b41d8ed06116087c

powerman avatar Sep 10 '22 13:09 powerman

This is my output from gpg --output checksums.txt --decrypt checksums.txt.gpg

gpg: Signature made Fri Jan 28 21:12:06 2022 EST
gpg:                using RSA key 45A031AB34C9050DD0BD2844FF0ED3C3ABC76446
gpg: Good signature from "Taylor Monahan <[email protected]>" [unknown]
gpg:                 aka "Taylor Monahan <[email protected]>" [unknown]
gpg:                 aka "Taylor Monahan <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 018C 1E66 A1E4 F215 2ADA  8DD9 8DAD C5E5 1848 6550
     Subkey fingerprint: 45A0 31AB 34C9 050D D0BD  2844 FF0E D3C3 ABC7 6446

jgerardsimcock avatar Sep 13 '22 13:09 jgerardsimcock

yarn test:e2e:dev tests/dashboard.test.js

MyTrueWallet avatar Sep 19 '22 09:09 MyTrueWallet

yarn test:e2e:dev tests/dashboard.test.js

Sorry, I don't get it. Looks like this command is supposed to run some tests, but how is this a reply to the issue?

powerman avatar Sep 19 '22 12:09 powerman

$ gpg --list-key 0x697F4D4B81B15C84
pub   rsa2048/0x697F4D4B81B15C84 2017-11-10 [SC]
      1B7A2D12DE76F0F0A2153B62697F4D4B81B15C84
uid                   [ unknown] Taylor <[email protected]>
sub   rsa2048/0x7CF40C83CF3249B7 2017-11-10 [E] [expires: 2023-12-15]

$ gpg --output checksums.txt --decrypt checksums.txt.gpg
gpg: Signature made Sat Jan 29 04:12:06 2022 EET
gpg:                using RSA key 45A031AB34C9050DD0BD2844FF0ED3C3ABC76446
gpg: Can't check signature: No public key

The issue is that checksums.txt is signed with a different key than https://support.mycrypto.com/staying-safe/verifying-authenticity-of-desktop-app/ advises to download. And that other key (45A031AB34C9050DD0BD2844FF0ED3C3ABC76446) is not signed with the former, so the current situation looks like somebody unauthorized replaced the signature with a look-alike one. Until clarified nobody should use those binaries, they may be compromised.

marmarek avatar Sep 26 '22 13:09 marmarek
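The point made in the comment above is the one a verification script has to enforce: once the unexpected key is in the keyring, gpg prints "Good signature from Taylor Monahan", so "Good signature" alone proves nothing. What must be compared is the primary-key fingerprint gpg reports against the fingerprint the vendor's verification guide publishes. The following is an added example (not MyCrypto's code and not from anyone in this thread) that does that check with gpg's machine-readable `--status-fd` output, then verifies the SHA-256 of each artifact listed in checksums.txt. The pinned fingerprint is a placeholder set to the keybase key from the report; the status lines and file contents used for the self-test are constructed, not captured output.

```python
"""Pin-checked GPG verification of checksums.txt and SHA-256 check of artifacts.
Added example; PINNED_PRIMARY_FPR is a placeholder you set from the vendor docs."""
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path

# Placeholder: the keybase key the report says the support page advises.
PINNED_PRIMARY_FPR = "1B7A2D12DE76F0F0A2153B62697F4D4B81B15C84"


def parse_gpg_status(status_text):
    """Parse GnuPG '--status-fd' lines (format documented in GnuPG doc/DETAILS)."""
    status = {"good": False, "signing_key": None, "primary_fpr": None, "no_pubkey": None}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "GOODSIG":
            status["good"] = True
            status["signing_key"] = fields[2]
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo>
            #          <hash-algo> <class> <primary-key-fpr>
            status["signing_key"] = fields[2]
            if len(fields) >= 12:
                status["primary_fpr"] = fields[11].upper()
        elif keyword == "NO_PUBKEY":
            status["no_pubkey"] = fields[2]
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            status["good"] = False
    return status


def check_signature(status, pinned_primary_fpr):
    """Accept only a good signature whose PRIMARY key matches the pinned one."""
    pinned = pinned_primary_fpr.replace(" ", "").upper()
    if status["no_pubkey"]:
        return False, "signing key %s not in keyring: cannot verify" % status["no_pubkey"]
    if not status["good"]:
        return False, "signature did not verify"
    if status["primary_fpr"] is None:
        return False, "gpg reported no primary key fingerprint"
    if not hmac.compare_digest(status["primary_fpr"], pinned):
        return False, "good signature, but from primary key %s; pinned key is %s" % (
            status["primary_fpr"], pinned)
    return True, "good signature from pinned key %s" % pinned


def verify_signed_checksums(signed_path, output_path):
    """Run gpg with status on stdout so the result is parseable (needs gpg installed)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--output", output_path,
         "--decrypt", signed_path], capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout)


def parse_checksums(text):
    """Parse the 'FILENAME<tab>SHA256' table shipped as checksums.txt."""
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2 or fields[0].upper() == "FILENAME":
            continue
        rows[fields[0]] = fields[1].lower()
    return rows


def verify_artifacts(rows, directory):
    """Hash each listed artifact and compare with the checksum from the verified file."""
    results = {}
    for name, expected in rows.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        actual = hashlib.sha256(path.read_bytes()).hexdigest()
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def demo_artifact_check():
    """Constructed data: one intact file, one tampered file, one absent file."""
    payload = b"constructed release payload"
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "good.bin").write_bytes(payload)
        (Path(tmp) / "bad.bin").write_bytes(b"tampered payload")
        rows = {"good.bin": hashlib.sha256(payload).hexdigest(),
                "bad.bin": hashlib.sha256(payload).hexdigest(),
                "absent.bin": "00" * 32}
        return verify_artifacts(rows, tmp)


# Constructed status output modelled on the "Good signature" reply in this thread.
GOOD_BUT_UNPINNED = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FF0ED3C3ABC76446 Taylor Monahan <[email protected]>
[GNUPG:] VALIDSIG 45A031AB34C9050DD0BD2844FF0ED3C3ABC76446 2022-01-29 1643422326 0 4 0 1 8 00 018C1E66A1E4F2152ADA8DD98DADC5E518486550
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed status output modelled on the original report (key not imported).
NO_KEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FF0ED3C3ABC76446 1 8 00 1643422326 9 45A031AB34C9050DD0BD2844FF0ED3C3ABC76446
[GNUPG:] NO_PUBKEY FF0ED3C3ABC76446
"""

if __name__ == "__main__":
    ok, why = check_signature(verify_signed_checksums("checksums.txt.gpg", "checksums.txt"),
                              PINNED_PRIMARY_FPR)
    print(why)
    if ok:
        print(verify_artifacts(parse_checksums(Path("checksums.txt").read_text()), "."))
```

Run from the directory holding the release artifacts and checksums.txt.gpg; the artifact hashes are only consulted after the signature passed the pin check, because a checksum list that is not signed by the pinned key vouches for nothing. Both fingerprint and digest comparisons go through `hmac.compare_digest` out of habit rather than necessity here, since neither value is secret.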

Definitely a hacker!!!!!

MyTrueWallet avatar Sep 27 '22 03:09 MyTrueWallet

Hi @powerman, @jgerardsimcock, @marmarek

We have re-signed the checksum file with the correct key, so please re-download it from the release page (https://github.com/MyCryptoHQ/MyCrypto/releases/tag/1.7.17)

If you have any more issues with this please open a new issue (or DM me on Twitter)

409H avatar Sep 27 '22 20:09 409H