New Bitcoin Core macOS signing key



Summary:

In a thread on the Bitcoin-dev mailing list, Peter Todd described how to use OpenSSL's `-signer` option to write the signer's certificate to a file, which can then be compared with the one from the repository. He also noted that OpenTimestamps has git integration, and that the OTS proof it generates can attest that the data for the certificate from the repo existed as of Oct 13, 2016. However, he questioned whether the proof generated by those three commands is crypto snake oil that proves little, since there is no proof of who put it there. Moreover, with the breaking of SHA-1, some scenarios may play out involving two different PEMs with the same hash but different public keys. In another post within the same thread, Todd discussed potential solutions using PGP, such as not using clearsigning, using a detached signature, or having shell scripts written by somebody who knows how to think about security.
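The certificate comparison described above, as an added example that is not taken from the thread or from the Bitcoin Core project: it extracts the signer's certificate with `-signer` and compares SHA-256 fingerprints against a certificate obtained separately. The `openssl smime` subcommand, the function names and all file names are assumptions, and the keys, certificates and message are constructed throwaway fixtures.

```sh
#!/bin/sh
# Added example. The keys, certificates and message are constructed throwaway
# fixtures; the smime subcommand and all file names are assumptions.
set -eu

# SHA-256 fingerprint over the certificate's DER encoding, so differences in
# PEM formatting do not matter and the comparison does not rest on SHA-1.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Check the signature on an S/MIME message, have -signer write the signer's
# certificate to a file, and compare it with a certificate obtained elsewhere.
# -noverify skips chain validation, so the comparison is the only trust anchor.
signer_matches() {   # usage: signer_matches <signed-message> <pinned-cert>
    local msg="$1" pinned="$2" out fp rc=1
    out=$(mktemp)
    if openssl smime -verify -noverify -in "$msg" -signer "$out" \
            -out /dev/null 2>/dev/null \
       && fp=$(cert_fp "$out") && [ -n "$fp" ] \
       && [ "$fp" = "$(cert_fp "$pinned")" ]; then
        rc=0
    fi
    rm -f "$out"
    return "$rc"
}

# Build fixtures: two self-signed certificates with the SAME subject name but
# different keys, and a message signed with the first one.
make_fixture() {
    local d
    d=$(mktemp -d)
    for n in cert other; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/CN=constructed signer" \
            -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null
    done
    printf 'constructed announcement\n' > "$d/msg.txt"
    openssl smime -sign -in "$d/msg.txt" -signer "$d/cert.pem" \
        -inkey "$d/cert.key" -out "$d/msg.pem" 2>/dev/null
    echo "$d"
}

d=$(make_fixture)
signer_matches "$d/msg.pem" "$d/cert.pem" && echo "signer matches pinned certificate"
signer_matches "$d/msg.pem" "$d/other.pem" || echo "same name, different key: rejected"
rm -rf "$d"
```

A match only shows that the message was signed by the key in the comparison certificate; it says nothing about who placed that certificate in the repository, which is the gap the thread raises.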


Updated on: 2023-06-12T23:47:07.935740+00:00