Code Signing - Signing our binaries and setup files.
-
Hi All,
I wanted to collect the information we have on code signing as well as open the discussion for it.
The bitcoin binaries, setup.exe files and .app files are all signed by the Bitcoin Foundation.
Below is the Bitcoin 0.13.2 Windows setup.exe
Now check out some of these interesting links
https://gitian.org/
https://www.reddit.com/r/Bitcoin/wiki/verifying_bitcoin_core
https://bitcointalk.org/index.php?topic=1588906.0
http://bitcoin.stackexchange.com/questions/50185/how-to-verify-bitcoin-core-release-signing-keys/50186
We can also use our own PGP keys to sign the binaries; we’d have to post our public keys in order for people to be able to verify the authenticity of the application.
Doing the above can prove we built/compiled the code to some degree but it does not help us with the below
http://forum.feathercoin.com/topic/8768/dev-release-candidate-feathercoin-0-9-6-checklist-final-issues/10
The above link shows two screenshots, from Windows and Mac. The screenshots show what happens when an unsigned app runs on Windows and OSX.
I guess now we discuss ;-)
-
I think, at least for Windows, the popup will still show asking for allowance to install the binary, but it will show the user named in the key instead of ‘unknown’.
As Apple has a really strict policy on its software, I’m not sure if the message will disappear.
One solution could be to use the app store to host the application. That would mean someone has to register as developer and ‘own’ the binary.
It’s the same for Android, where I have registered as Developer for the Android wallet.
[EDIT]
For I found some information about code signing here. A comparison of different certificate options is also available on that site.
Even the open source certificate costs $14, the Microsoft one $183.
Of course we could go for self-signed certificates. Then the popup window would still show, but the user could compare the fingerprint of the certificate with the one we publish either in the forum or on the website.
-
Thanks @Aciddude for compiling an update on all the work you’ve done researching binary signing.
The links and discussion will be useful for other developers with the same issues. We have a serious issue of defining which is our release version; I see binary signing, and the way we allocate that, as essential for ongoing security of the core FTC wallet.
Gitian
I like the Gitian idea, we can use the Launchpad build to be the same as the OpenSuse build to prove our binaries. It’s another good reason to get the Ubuntu PPA / build on Launchpad set up.
Bitcoin security warning
https://bitcoin.org/en/alert/2016-08-17-binary-safety
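
An added example, not part of the thread and not Gitian's own tooling: the idea of proving binaries by comparing independent builds, written as a Python check that a download matches the SHA-256 digest a quorum of builders report. Builder names, the file name and the manifests are constructed, and the code assumes each builder's manifest has already had its PGP signature verified.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: manifests in `sha256sum` output format, one per
# independent builder. Builder names, file name and contents are made up.
RELEASE_BYTES = b"constructed stand-in for a wallet setup.exe\n"
GOOD = hashlib.sha256(RELEASE_BYTES).hexdigest()
BAD = hashlib.sha256(b"tampered build output\n").hexdigest()
MANIFESTS = {
    "builder-launchpad": f"{GOOD}  wallet-setup.exe\n",
    "builder-opensuse": f"{GOOD}  wallet-setup.exe\n",
    "builder-third": f"{BAD}  wallet-setup.exe\n",
}

def parse_manifest(text):
    """Parse `sha256sum`-style lines into {filename: lowercase hex digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # "*" marks binary mode in sha256sum output
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def agreed_digest(manifests, filename, quorum):
    """Return (digest reported by >= quorum builders or None, dissenting builders)."""
    votes = defaultdict(list)
    for builder, text in manifests.items():
        digest = parse_manifest(text).get(filename)
        if digest:
            votes[digest].append(builder)
    if not votes:
        return None, []
    best = max(votes, key=lambda d: len(votes[d]))
    dissent = sorted(b for d, bs in votes.items() if d != best for b in bs)
    return (best if len(votes[best]) >= quorum else None), dissent

def verify_download(data, manifests, filename, quorum=2):
    """True only if `data` hashes to the digest a quorum of builders agree on."""
    expected, _ = agreed_digest(manifests, filename, quorum)
    if expected is None:
        return False  # no reproducible consensus: do not trust the file
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)
```

A dissenting builder is reported rather than ignored, because a mismatch between independent builds is exactly the signal this scheme exists to surface.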