Published on: 2014-03-24T19:44:24+00:00
On March 22, 2014, a warning was issued about fake PGP keys created to sign popular crypto software. A fake key carrying the same name and e-mail address as a real developer could make a MITM attack look legitimate, and the original poster speculated that an intelligence agency might be behind it. Users were advised to exercise caution and, when verifying Bitcoin downloads with PGP, to make sure they are checking against the correct key and not merely a key with the right name on it.

Other participants suggested that the fake keys are more likely the work of corporate industrial espionage or organized crime than of an intelligence agency; an agency, they argued, would rather use compromised X.509 certificates, network cards, or binary code blobs. It was further noted that an intelligence agency is unlikely to have much interest in Bitcoin anyway, as it could simply intercept ASIC miners.

Because the keys were initially hard to find, a user created a documentation site, which is now outdated; Gavin Andresen's GPG key can still be found through a Google search. Users expressed gratitude for whatever signing has been done and took on the responsibility of verifying it themselves.

The thread also stressed the importance of checking that the correct key is in use when PGP is used to verify Bitcoin downloads. Bitcoin source and binary downloads are protected by two independent mechanisms: the PGP Web of Trust (WoT) and the certificate authority PKI system. The binaries are hosted on bitcoin.org over HTTPS, and the source code on GitHub, again over HTTPS. A MITM attack would therefore require a compromise of the PKI system (a fraudulent certificate for one of those sites), assuming users do not download over plain HTTP. HTTPS, however, only authenticates the server; it says nothing about which PGP key the user has imported, which is why the key's fingerprint must be checked against a trusted source rather than the name on the key.

There was also a discussion about whether the Windows binaries should be code-signed. It was confirmed that the -setup.exe installers are Authenticode signed (Microsoft code signing). Signing the remaining Windows binaries was suggested as a good idea, since antivirus scanners learn key reputations and a known signing key reduces false positives. Linux, it was noted, has no equivalent X.509 code-signing mechanism, so no extra signing is possible there.

Overall, the warning about fake PGP keys highlights the need for users to be vigilant and to verify the authenticity of their downloads.
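As an added example (not code from the thread, and not the Bitcoin project's own tooling), the following Python shows the check the warning calls for: rather than trusting gpg's GOODSIG line, which a fake key carrying the maintainer's name produces just as readily, a script pins the expected key fingerprint and compares it with the fingerprint gpg reports on its VALIDSIG status line. The fingerprints, the user ID and the sample status output are constructed for illustration and belong to no real key; the pinned value for a real release must come from a trusted out-of-band source, not from the key itself.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional

STATUS_PREFIX = "[GNUPG:] "
# Status tags after which the signature must not be accepted, whatever else gpg prints.
FATAL_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None  # key that actually made the signature
    signer_uid: Optional[str] = None   # name gpg printed; never a basis for trust


def normalize_fpr(fpr: str) -> str:
    """Strip the grouping spaces gpg prints in fingerprints and upper-case the hex."""
    return fpr.replace(" ", "").upper()


def parse_status(status_text: str, pinned_fingerprint: str) -> VerifyResult:
    """Decide from `gpg --status-fd` output whether the signature came from the pinned key.

    GOODSIG only says that some key in the local keyring verified the signature.
    VALIDSIG carries the signing key's fingerprint (field 1) and, when present, the
    primary key's fingerprint (field 10); either may match the pinned value, so a
    signature made by a signing subkey of the pinned primary key is accepted.
    """
    pinned = normalize_fpr(pinned_fingerprint)
    signer_uid = signing_fpr = primary_fpr = None
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # any non-status text on the same stream is ignored
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag = fields[0]
        if tag in FATAL_TAGS:
            return VerifyResult(False, f"gpg reported {tag}", None, signer_uid)
        if tag == "GOODSIG":
            signer_uid = " ".join(fields[2:])
        elif tag == "VALIDSIG":
            signing_fpr = fields[1].upper()
            if len(fields) >= 11:
                primary_fpr = fields[10].upper()
    if signing_fpr is None:
        return VerifyResult(False, "no VALIDSIG line: gpg verified no signature", None, signer_uid)
    if pinned not in (signing_fpr, primary_fpr):
        return VerifyResult(False, f"good signature, but from key {signing_fpr}, not the pinned key",
                            signing_fpr, signer_uid)
    return VerifyResult(True, "good signature from the pinned key", signing_fpr, signer_uid)


def verify_download(sig_path: str, data_path: str, pinned_fingerprint: str,
                    gpg: str = "gpg") -> VerifyResult:
    """Run gpg on a detached signature and apply the fingerprint check (needs gpg installed)."""
    cmd = [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return parse_status(proc.stdout, pinned_fingerprint)


# Constructed fingerprints and user ID for illustration only; they belong to no real key.
PINNED_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"   # as read from a trusted source
GENUINE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
FAKE_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
UID = "Example Maintainer <maintainer@example.org>"


def status_for(fpr: str) -> str:
    """Constructed status output in the shape gpg emits for a signature that verifies."""
    return (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] GOODSIG {fpr[-16:]} {UID}\n"
        f"[GNUPG:] VALIDSIG {fpr} 2014-03-22 1395446400 0 4 0 1 10 01 {fpr}\n"
        "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
    )


GENUINE_STATUS = status_for(GENUINE_FPR)
# The fake-key case: identical name and e-mail, so gpg still says GOODSIG.
FAKE_STATUS = status_for(FAKE_FPR)
# A tampered download: gpg rejects the signature outright.
BAD_STATUS = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {GENUINE_FPR[-16:]} {UID}\n"

if __name__ == "__main__":
    for label, status in (("genuine", GENUINE_STATUS), ("fake key", FAKE_STATUS), ("tampered", BAD_STATUS)):
        r = parse_status(status, PINNED_FPR)
        print(f"{label:9} ok={r.ok} uid={r.signer_uid!r}: {r.reason}")
```

Note that the fake-key run still reports the maintainer's name in `signer_uid`; only the fingerprint comparison tells the two apart. The check deliberately ignores gpg's TRUST_* lines: pinning the fingerprint is the trust decision, so the key need not be signed or marked trusted in the local keyring, and a key that merely has the right name and a few bogus web-of-trust signatures on it does not pass.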
Updated on: 2023-08-01T08:01:05.706584+00:00