Mike Hearn [ARCHIVE] on Nostr: ๐ Original date posted:2014-03-22 ๐ Original message:In case you didn't see ...
๐
Original date posted:2014-03-22
๐ Original message:In case you didn't see this yet,
http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
If you're using PGP to verify Bitcoin downloads, it's very important that
you check you are using the right key. Someone seems to be creating fake
PGP keys that are used to sign popular pieces of crypto software, probably
to make a MITM attack (e.g. from an intelligence agency) seem more
legitimate.
I think the Mac DMG's of Core are signed for Gatekeeper, but do we codesign
the Windows binaries? If not it'd be a good idea, if only because AV
scanners learn key reputations to reduce false positives. Of course this is
not a panacea, and Linux unfortunately does not support X.509 code signing,
but having extra signing can't really hurt.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140322/c95184e6/attachment.html>;
๐ Original message:In case you didn't see this yet,
http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
If you're using PGP to verify Bitcoin downloads, it's very important that
you check you are using the right key. Someone seems to be creating fake
PGP keys that are used to sign popular pieces of crypto software, probably
to make a MITM attack (e.g. from an intelligence agency) seem more
legitimate.
I think the Mac DMG's of Core are signed for Gatekeeper, but do we codesign
the Windows binaries? If not it'd be a good idea, if only because AV
scanners learn key reputations to reduce false positives. Of course this is
not a panacea, and Linux unfortunately does not support X.509 code signing,
but having extra signing can't really hurt.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140322/c95184e6/attachment.html>;