New Bitcoin Core macOS signing key



Summary:

A new public key has been generated for signing Bitcoin Core macOS releases, starting with 0.16.0rc1, because the previously published key was created in error for iPhone OS instead of macOS. The new key will sign future macOS releases, and it can be verified using openssl smime -verify -noverify -in msg.pem. The announcement apologizes for the noise and the confusion it caused; the previous email contains the original pubkey, which is no longer valid. Both emails concern the release of Bitcoin Core.

Meanwhile, Bitcoin Core developer Peter Todd recently discussed how OpenTimestamps (OTS) provided little proof when verifying an important certificate in the Bitcoin software. OTS extracted a timestamped proof of existence for the BitcoinFoundation_Apple_Cert.pem file within the repo, but it failed to prove who had put it there. Todd explained that if someone could create a collision between the real certificate and one for which they had the private key, they could switch them at a later date. Todd also recently found a security hole related to clearsigned PGP. He suggests using a detached signature, or piping gpg --verify -o - to grep, instead of separating verification from use of the data.

On the bitcoin-dev mailing list, someone made the statement “No! Because I do nothing wrong, I have nothing to show.” Unfortunately, the context of this statement is not clear from the limited information provided. The bitcoin-dev mailing list is used for discussions related to the development of Bitcoin and is hosted by the Linux Foundation.
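The clearsign advice attributed to Peter Todd above, shown as an added example that is not code from the thread or from Bitcoin Core: reading a clearsigned file directly after a separate verify step can pick up text the signature never covered. The function names and the sample message are constructed for illustration, and the code only parses the clearsign layout; checking the signature itself remains gpg's job.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample: one line sits above the signed block, one inside it.
SAMPLE = """\
checksum: constructed-value-outside-signature
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

checksum: constructed-value-from-signed-text
- -- a dash-escaped line
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

def split_clearsigned(text):
    """Return (covered, outside): the dash-unescaped text inside the signed
    block, and every non-blank line that lies outside the armor."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start)
        end = lines.index(END_SIG, sig)
    except ValueError:
        raise ValueError("not a well-formed clearsigned message")
    # Armor headers such as "Hash:" run up to the first empty line.
    body = start + 1
    while body < sig and lines[body].strip():
        body += 1
    # Undo dash-escaping ("- " prefix) on the covered lines.
    covered = [l[2:] if l.startswith("- ") else l for l in lines[body + 1:sig]]
    # Anything before the block or after the signature is not signed,
    # including a second signed block appended to the file.
    outside = [l for l in lines[:start] + lines[end + 1:] if l.strip()]
    return "\n".join(covered), outside

def first_match(prefix, text):
    """Like `grep -m1 '^prefix'`: first line starting with prefix, or None."""
    return next((l for l in text.splitlines() if l.startswith(prefix)), None)

if __name__ == "__main__":
    covered, outside = split_clearsigned(SAMPLE)
    print("grep on the raw file  :", first_match("checksum:", SAMPLE))
    print("grep on covered text  :", first_match("checksum:", covered))
    print("lines outside the armor:", outside)
```

Treating a non-empty `outside` list as a hard failure gives the same guarantee as a detached signature: every byte the consumer reads is a byte the signature covers.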


Updated on: 2023-06-12T23:46:31.769309+00:00