
PGP-Signatures of Feathercoin-binaries


  • Regular Member | curiosity81

    Hi,

    why can’t you also provide the corresponding signatures at the download page:

    https://www.feathercoin.com/

    ???

    Clearly, an experienced user will dig deeper and will look into the github-repository (which can also be found at the page above):

    https://github.com/FeatherCoin/Feathercoin

    There, one has to find the link to the release history (below “What is Feathercoin?”):

    https://github.com/FeatherCoin/Feathercoin/releases

    Here, signatures can be found (asc-files). However, still the public key-ID is missing, with which the binaries can be verified. Obviously, a

    gpg --verify feathercoin-0.13.0-linux32.tar.gz.asc feathercoin-0.13.0-linux32.tar.gz

    tells one which key must be imported: 4751434E. So asking

    https://keyserver.ubuntu.com

    for “peter bushnell” returns

    https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=peter+bushnell&fingerprint=on

    At least this seems fine even though the key was registered 2018-02-19 and thus is quite new. Anyone could have provided the binaries and anyone could have registered the key under the name “peter bushnell”.

    Is it so hard to put also the signatures as well as the key-ID on the download page?

    Regards,
    cu
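The check described in the post above, written as a script that pins the signer's full fingerprint instead of relying on a keyserver name search (an added example, not part of the thread and not the Feathercoin project's own tooling). It assumes the full 40-hex-digit fingerprint was obtained from a channel you trust, such as the project's download page; `check_status` and `verify_release` are hypothetical names.

```shell
#!/bin/sh
# Added example: accept a release only if its signature was made by a key
# whose FULL fingerprint matches a pinned value. The pinned value is an
# assumption: it must come from a trusted channel, not from a name search.

# Read GnuPG machine-readable status lines (--status-fd output) on stdin.
# Returns 0 if a valid signature by the pinned key is reported,
#         1 if not, 2 if the pinned value is not a full fingerprint.
check_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Refuse anything that is not 40 hex digits, e.g. an 8-digit key ID.
    case "$pinned" in
        *[!0-9A-F]*|'') return 2 ;;
    esac
    [ "${#pinned}" -eq 40 ] || return 2
    awk -v fpr="$pinned" '
        $1 != "[GNUPG:]" { next }
        # A cryptographically valid signature can still come from an
        # expired or revoked key; treat those as failures.
        $2 == "BADSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # $3  = fingerprint of the key that made the signature
            # $NF = fingerprint of its primary key (may be the same)
            if (toupper($3) == fpr || toupper($NF) == fpr) ok = 1
        }
        END { exit !(ok && !bad) }
    '
}

# usage: verify_release FILE.asc FILE PINNED_FINGERPRINT
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$3"
}
```

Called as `verify_release feathercoin-0.13.0-linux32.tar.gz.asc feathercoin-0.13.0-linux32.tar.gz "<pinned fingerprint>"`, it fails when the signature is good but was made by any other key, including one uploaded under the same name.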


  • Moderators | AcidD

    Hello @curiosity81

    I’m not sure I follow. All the links on www.feathercoin.com map back to github…

    Are you asking for the PGP keys to be linked on the main site?


  • Regular Member | curiosity81

    Hi AcidD,

    > Are you asking for the PGP keys to be linked on the main site ?

    Exactly! This is what I am complaining about. It would be much better to list or link the gpg public keys prominently at www.feathercoin.com. As well as the forum ID of the person to whom the keys belong.

    It’s like: “Hey guys, even if I cannot fully prove that the correct person has built the binaries, here is the link to the gpg public keys. If I am a hacker then I must have hacked the feathercoin main page, the github repository as well as the corresponding forum account. This is very very unlikely.”

    Last but not least, each coin project “hides” the signatures and keys differently. And it is often some work to get the needed information. If Google is necessary to find this information, then it is too hard for the average person to verify the binaries.

    And if someone uses an unverified and altered binary and loses real money, then this is bad publicity for feathercoin. (Showing that “There is no such thing as bad publicity” is not always true!)

    Best regards,
    cu


  • Moderators | AcidD

    Hi @curiosity81

    Thanks for this suggestion, I’ve raised it with our Team.