Author: Jeremy Spilman 2014-01-01 10:02:02
Published on: 2014-01-01T10:02:02+00:00
The writer of the given context looked into gitian and noticed that hashes people were signing do not match the hash of the file actually hosted by Sourceforge. However, after talking to BlueMatt and maaku on IRC, it was clarified that the difference is due to Gavin Authenticode signing the executable for Windows. The writer found a Python script named Disitool which can strip the signature, but the hashes still don't match. After building his own gitian build of 0.8.6, he found that there are only two differences between the stripped .exe from SourceForge and the gitian build, which are three bytes specified at offset D8 and an extra byte '00' at the end. The writer suggests patching the signature onto the gitian build or stripping the signature off of the Gavin-signed build to match with the official distro for Windows. The writer thinks that wallet users want to know when an upgrade is available and have the ability to click an update button to get a binary they can trust. Finally, Matt Corallo suggested using gitian-downloader, a system for secure updating, and making actual gitian releases so anyone can use it to verify signatures of downloads.
Updated on: 2023-06-07T22:07:48.235808+00:00