This repository has been archived by the owner on Feb 21, 2019. It is now read-only.

REQ: Post file sigs with releases and on bitshares.org official download page #1529

Open
MiWCryptoCurrency opened this issue May 3, 2015 · 0 comments

Comments

@MiWCryptoCurrency

Hi,

Bitshares releases on github currently publish a list of SHA1 digests for the files.
While good, this is not as strong as it could be for cryptocurrency software releases.

Bitcoin.org publishes a signed list of SHA256 hashes and the public keys, which can be verified from other sources.
Dash publishes 2 developer GPG keys and asc signatures of its release, which again can be checked against other sources.

I do acknowledge that the Windows .exe is signed by the Open Source key which offers some protection against tampering with the binary, but Authenticode is not as good as a whole of file hash and sign.

It would be great if the community could check downloads signatures, especially from places that have reason to attack github or the bitshares project. An attack on the download of signed binaries with out-of-band verifiable key exchange is far more difficult than an attack on an in-band hash and binary download.

It would be supercool if the official bitshares download page also published a sig/hash/key set too!

Thanks,
MiW
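
The check requested above, from the downloader's side, as an added example that is not part of the original issue or the project's code: verify a detached signature on a SHA-256 manifest against a keyring obtained out-of-band, then compare the whole-file digest. The file names, the keyring path and all function names are assumptions; `gpgv` is the GnuPG verification tool.

```python
import hashlib
import hmac
import subprocess
from pathlib import Path

def signature_is_valid(manifest: Path, signature: Path, keyring: Path) -> bool:
    """Check the detached signature on the manifest with gpgv.

    gpgv trusts every key in the keyring it is given, so the (binary) keyring
    must hold only release keys whose fingerprints were confirmed out-of-band.
    """
    cmd = ["gpgv", "--keyring", str(keyring.resolve()), str(signature), str(manifest)]
    try:
        return subprocess.run(cmd, capture_output=True).returncode == 0
    except FileNotFoundError:
        return False  # gpgv not installed: fail closed

def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines: '<64 hex chars>  <filename>'."""
    digests = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            digests[name] = digest
    return digests

def file_matches_manifest(path: Path, manifest_text: str) -> bool:
    """True only if the file is listed and its whole-file SHA-256 matches."""
    expected = parse_manifest(manifest_text).get(path.name)
    if expected is None:
        return False  # unlisted file: fail closed
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)

def verify_release(path: Path, manifest: Path, signature: Path, keyring: Path) -> bool:
    """Signature first, digest second: an unsigned manifest proves nothing,
    because whoever can replace the binary can replace the hash list too."""
    if not signature_is_valid(manifest, signature, keyring):
        return False
    return file_matches_manifest(path, manifest.read_text())
```
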
