
PGP signatures

Open vaginas opened this issue 6 years ago • 9 comments

Hello

I would appreciate it if the binaries start to use PGP signatures and be signed by someone that has a PGP public key in some places, showing the PGP fingerprint on Twitter and even the project home page and other social media.

And also a small guide on how to verify the signatures would be nice.

I don't know if the mining software is signed or not, but it would be nice to have all software signed.

Best regards.

vaginas avatar Mar 25 '19 22:03 vaginas

This is a good idea.

blondfrogs avatar Apr 11 '19 20:04 blondfrogs

> Hello
>
> I would appreciate it if the binaries start to use PGP signatures and be signed by someone that has a PGP public key in some places, showing the PGP fingerprint on Twitter and even the project home page and other social media.
>
> And also a small guide on how to verify the signatures would be nice.
>
> I don't know if the mining software is signed or not, but it would be nice to have all software signed.
>
> Best regards.

please read this https://www.howtogeek.com/363735/what-is-a-checksum-and-why-should-you-care/

JoshuaAmsden avatar Apr 13 '19 14:04 JoshuaAmsden

@vaginas I believe @JoshuaAmsden may be referring to the current way the software authenticity is being established: https://github.com/RavenProject/Ravencoin/releases/download/v2.2.2/raven-2.2.2.0-win64-setup.exe.sha256sum and https://github.com/RavenProject/Ravencoin/releases/download/v2.2.2/raven-2.2.2.0-win64-setup.exe.md5sum et al at https://github.com/RavenProject/Ravencoin/releases which offer a verification of the sha256 or md5 hash in a similar way to the way PGP makes the guarantee.

Of course, the difference from the current way, with a public PGP key compared to the md5 and sha256 signing sums, is that public PGP keys aren't as fakeable at the source. For instance, someone could just upload a bad sha256 sum for the packages, indicating they were not meddled with when they in fact had been.

The suggestion of PGP offers end to end encryption, meaning it is much more difficult to fake the fingerprint. Pretty Good Protection - is likely the biggest understatement there is.

TLDR here is that the sha256 and md5sum can be replaced by a hack of the site. Whereas the PGP key, a PGP or GPG signature on the other hand, in theory can only be generated by the owner of the corresponding private key. Whereas the md5sum or sha256sum fingerprints presently used for distribution can be generated by anyone with access to the file. So the PGP is way better. The md5sum and sha256sums are just fingerprints of the file in other words, but the known GPG key holder would be able to guarantee the file was distributed by the private key, something the sha256sum and md5sums fail to achieve, namely being only fingerprints. Any fingerprint can be given, but with GPG/PGP only the issuer private key can give the fingerprint, although this does rely on the known public key being safe too. It is still far more secure.

Best, push

ravenlandpush avatar Apr 23 '19 03:04 ravenlandpush

@vaginas this is correct. PGP is loads better and I believe I stated to that effect in my last post, the reason being that PGP secures the source, whereas the MD5 and SHA256 at the source of download are only as useful as the security of the filesystem and root serving it.

Although if root of the person who owns the PGP private cert is compromised, anybody can impersonate them in the same way.

But it's an important distinction to note: the PGP certificate can't be compromised at the webserver level, like the SHA and MD5 sums can be.

That's why I consider your suggestion to use PGP a rather worthy one chap.

Best, Adam

ravenlandpush avatar Apr 30 '19 11:04 ravenlandpush

Hey @vaginas and @ravenlandpush the process is extremely straightforward and documented here: https://github.com/RavenProject/Ravencoin/tree/master/static-builds#checksum-all-the-binaries We just need @cfox @TronBlack @blondfrogs to get the automated build system to do it.

First, download the pgp pub keys of the trusted signer:

gpg --import signing_key.pub  # Tron's or blondfrogs' published public key, downloaded from some TBD location

For a sample local validation script to check these checksums, change the version and tag to your choice of release in the script, and call the following sh script with validate.sh --verify-ravencoin-download:

#!/bin/bash

set -e

root_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/.."
platform=`uname -a | awk '{print tolower($1)}'`
arch=`uname -m`
version="2.2.2.0"
url="https://github.com/RavenProject/Ravencoin/releases/download"
tag="v2.2.2"

if [ "${platform}" == "linux" ] && [ "${arch}" == "x86_64" ]; then
    tarball_name="raven-${version}-x86_64-linux-gnu.tar.gz"
elif [ "${platform}" == "darwin" ]; then
    tarball_name="raven-${version}-osx64.tar.gz"
else
    # Also reached on Linux with a non-x86_64 architecture.
    echo "Ravencoin binary distribution not available for platform and architecture"
    exit 1
fi

binary_url="${url}/${tag}/${tarball_name}"
shasums_url="${url}/${tag}/SHA256SUMS.asc"

download_ravend() {

    cd "${root_dir}/bin"

    echo "Downloading ravencoin: ${binary_url}"

    # Probe the URL first. The "|| available=false" keeps `set -e` from
    # aborting here, so the error message at the end is still printed.
    is_curl=true
    available=true
    if hash curl 2>/dev/null; then
        curl --fail -I "${binary_url}" >/dev/null 2>&1 || available=false
    else
        is_curl=false
        wget --server-response --spider "${binary_url}" >/dev/null 2>&1 || available=false
    fi

    if [ "${available}" = true ]; then
        if [ "${is_curl}" = true ]; then
            curl --fail -L "${binary_url}" > "${tarball_name}"
            curl --fail -L "${shasums_url}" > SHA256SUMS.asc
        else
            wget "${binary_url}"
            wget "${shasums_url}"
        fi
        if test -e "${tarball_name}"; then
            echo "Unpacking ravencoin distribution"
            # Note: the tarball is unpacked here, before verify_download runs.
            if tar -xvzf "${tarball_name}"; then
                ln -sf "raven-${version}/bin/ravend"
                return
            fi
        fi
    fi
    echo "Ravencoin binary distribution could not be downloaded"
    exit 1
}

verify_download() {
    echo "Verifying signatures of ravencoin download"
    # --decrypt checks the signature and prints only the signed text, so the
    # expected checksum is never read from lines outside the signed block.
    # With `set -e`, a failed signature check stops the script here.
    signed_sums=$(gpg --decrypt "${root_dir}/bin/SHA256SUMS.asc")

    if hash shasum 2>/dev/null; then
        shasum_cmd="shasum -a 256"
    else
        shasum_cmd="sha256sum"
    fi

    download_sha=$(${shasum_cmd} "${root_dir}/bin/${tarball_name}" | awk '{print $1}')
    expected_sha=$(echo "${signed_sums}" | grep -F "${tarball_name}" | awk '{print $1}')
    echo "Checksum (download): ${download_sha}"
    echo "Checksum (verified): ${expected_sha}"
    if [ "${download_sha}" != "${expected_sha}" ]; then
        echo -e "\033[1;31mChecksums did NOT match!\033[0m\n"
        exit 1
    else
        echo -e "\033[1;32mChecksums matched!\033[0m\n"
    fi
}

download=1
verify=0

if [ "${SKIP_RAVENCOIN_DOWNLOAD}" = 1 ]; then
    download=0;
fi

if [ "${VERIFY_RAVENCOIN_DOWNLOAD}" = 1 ]; then
    verify=1;
fi

while [ -n "$1" ]; do
  param="$1"
  value="$2"

  case $param in
    --skip-ravencoin-download)
          download=0
          ;;
    --verify-ravencoin-download)
          verify=1
          ;;
  esac
  shift
done

if [ "${download}" = 1 ]; then
    download_ravend
fi

if [ "${verify}" = 1 ]; then
    verify_download
fi

exit 0

underdarkskies avatar Apr 30 '19 23:04 underdarkskies

@ravenlandpush it would be unfeasible to pgp sign a binary directly.

@vaginas to manually verify the sha256sums.asc you could:

gpg --import signing_key.pub  # Tron's or blondfrogs' published public key, downloaded from some TBD location
gpg --verify sha256sums.asc

To see what this would look like in action, check out my mockup of a release at: https://github.com/underdarkskies/Ravencoin/releases

underdarkskies avatar Apr 30 '19 23:04 underdarkskies
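
An added example, not code from this thread or from the Ravencoin project: one way to run the check described above so that the expected hash is read only from text gpg has authenticated, and the tarball is unpacked only after both checks pass. The function names and the dedicated keyring file holding only the signer's key are assumptions.

```shell
#!/bin/bash
# Added example. Assumption: KEYRING is the path of a dedicated keyring file
# that holds only the release signer's public key.

# Print only the text gpg authenticated; fails on a bad or unknown signature.
# Lines outside the signed block of a clearsigned file never reach stdout.
verified_sums() {  # usage: verified_sums SHA256SUMS.asc KEYRING
    gpg --batch --no-default-keyring --keyring "$2" --decrypt "$1" 2>/dev/null
}

# Read "<hash>  <name>" lines on stdin and print the hash for NAME only when
# exactly one line names it exactly and the hash is 64 lowercase hex digits.
expected_sha() {  # usage: expected_sha NAME < sums
    awk -v f="$1" '
        { n = $2; sub(/^\*/, "", n) }   # a leading "*" marks binary mode
        n == f { h = $1; c++ }
        END { if (c == 1 && length(h) == 64 && h !~ /[^0-9a-f]/) print h; else exit 1 }'
}

file_sha() {  # usage: file_sha FILE
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# Succeed only if FILE hashes to the value listed for its base name on stdin.
check_file() {  # usage: check_file FILE < verified sums
    local want got
    want=$(expected_sha "$(basename "$1")") || return 1
    got=$(file_sha "$1") || return 1
    [ "$want" = "$got" ]
}

# Verify the signature, compare the checksum, and only then unpack.
verify_then_unpack() {  # usage: verify_then_unpack TARBALL SHA256SUMS.asc KEYRING
    local sums
    sums=$(verified_sums "$2" "$3") || { echo "signature check failed" >&2; return 1; }
    printf '%s\n' "$sums" | check_file "$1" || { echo "checksum mismatch" >&2; return 1; }
    tar -xzf "$1"
}
```

Matching the file name as a whole field, and requiring exactly one match, avoids accepting a line for a similarly named file or a duplicated entry.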

Great work @underdarkskies, thanks for doing this! So much simpler than modifying the binary.

The problem I see, unless I misunderstand, is that the sha256sums at the git source can still be tampered with, but in this case they'll never match the gpg --verify, so we're golden; unless the git source and the GPG location are compromised. An unlikely affair, but what about:

Compare multiple sources of the PGP pubkey from a stringurl, perhaps, instead of just a single gpg key source? If any one of them fails then you could set, say, verify_pgp_source1=1, verify_pgp_source2=1, verify_pgp_source3=0; and then a function to compare the verify source variables before proceeding. Maybe this is something you already envisage, thought I'd mention it though.

Thanks again for your work on this. Script looking great 👍

Best, Adam

ravenlandpush avatar May 01 '19 07:05 ravenlandpush
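
An added example, not code from this thread or from the Ravencoin project: the multi-source comparison suggested in the comment above, done on primary-key fingerprints before anything is imported. The function names and the `.pub` file names are hypothetical; each file is assumed to be a copy of the signer's key fetched from an independent location.

```shell
#!/bin/bash
# Added example. The *.pub paths in the usage comment are hypothetical copies
# of the signer's key fetched from independent locations.

# Read `gpg --with-colons` output on stdin and print the primary-key
# fingerprint (field 10 of the first "fpr" record after "pub"). Fails if the
# input holds zero or several primary keys, e.g. a file bundling an extra key.
primary_fpr() {
    awk -F: '
        $1 == "pub" { n++ }
        n == 1 && $1 == "fpr" && f == "" { f = $10 }
        END { if (n == 1 && f != "") print f; else exit 1 }'
}

# Fingerprint of a key file, listed without importing it.
key_fpr() {  # usage: key_fpr FILE
    gpg --batch --show-keys --with-colons "$1" 2>/dev/null | primary_fpr
}

# Print the fingerprint only if at least two were given and all are identical.
agreed_fpr() {  # usage: agreed_fpr FPR FPR [FPR...]
    [ "$#" -ge 2 ] || return 1
    local first=$1 f
    for f in "$@"; do
        [ -n "$f" ] && [ "$f" = "$first" ] || return 1
    done
    printf '%s\n' "$first"
}

# Usage:
#   fpr=$(agreed_fpr "$(key_fpr site.pub)" "$(key_fpr github.pub)" \
#                    "$(key_fpr keyserver.pub)") && gpg --import site.pub
```

A source that cannot be fetched or parsed yields an empty fingerprint, which `agreed_fpr` treats as disagreement.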