Multibit Review - by BitReview - Find the Best Bitcoin ...

How trustworthy are the authors of Electrum and MultiBit ? Why are their signing keys not verified?

Hello,
I was a bit alarmed by these two posts some weeks ago:
http://www.reddit.com/Bitcoin/comments/210fgj/there_is_an_pgp_imposter_of_bitcoin_dev_gavin/
http://www.reddit.com/Bitcoin/comments/1tin7f/warning_a_fake_electrum_website_with_malware_is/
In the first case, basically somebody registered a PGP key which at first glance looked like the signing key from Gavin Andresen. Such a key could be used to sign malware which appears as the true bitcoin client. This would only be detected if people check carefully. If people do NOT check it - maybe rushing in a situation where the network needs a quick fix - the consequences could be truly disastrous.
In the second case, the Electrum website was actually faked to distribute malware which was camouflaged as the Electrum client. If people install such a client, it could send their bitcoins anywhere - this kind of attack can really cause a lot of grief, too.
Note that in some simple setups, it might be possible to recognize the faked web site by its address, but in other cases, this will not be possible - think of insidious attacks on home routers or exploits of the recent Apple "goto" bug, which essentially disables SSL protection.
In these cases, and whenever youinstall bitcoin software, it is always important to check for digital signatures of the maintainers, which can warrant the authenticity of the code. And, doing this properly includes verification of their keys.
To make it short, I was newly installing Electrum and I decided to do it right and to look after the digital signatures and whether the signatures properly certified in a web of trust. Now, trust paths can be looked up by databases like these:
http://pgp.cs.uu.nl/
It works so that in the "from" field, you enter YOUR key ID (which needs to be connected to the web of trust graph). In the "to" field, you enter the key ID of the signing key for the software. Now, you should be able to find at least one trust path from you to the signing key for the software. For example, if Mark Shuttleworth wants to verify the key of Gavin Andresen, he enters his key ID: D54F0847 into the "from" field, and Gavin's key - 1FC730C1 - into the "to" field. This will look as here:
http://pgp.cs.uu.nl/mk_path.cgi?FROM=D54F0847&TO=1FC730C1&PATHS=trust+paths
The trouble is, if Mark looks up the key for ThomasV, this looks so:
http://pgp.cs.uu.nl/mk_path.cgi?FROM=D54F0847&TO=7F9470E6&PATHS=trust+paths
that is currently, no trust paths to ThomasV's key are found. The same is true for Jim Burton, maintainer of Multibit.
In other words, ThomasV's key cannot be verified, if somebody does not has other means. Well, somebody could look into the bitcoin forum - but first, the forum can be and has been hacked. And second, a forum identity does not mean much. Pirateat40 had an account, too, as well as the owner of bitcoinica.
I do not suspect the developers of working in an evil plot, but honestly, I'd really like to know a bit more.
Now, I have a few questions:
Thanks!
Edit: A few developers have posted here... can other people confirm what they say? Can it be proven? Anyone was at that conference?
Edit: As an important clarification: The fact that a key can be found on a keyserver, is signed by some entity, or is contained in the "strong set" of the PGP web of trust or in any web of trust does not necessarily imply that the key is linked to an authentic identity, end even less that the owner is a good guy. It only provides a mean to check this identity and to support the assumption that the identity is correct, independent from hacking attempts.
And as a reply to some badly downvoted comment: Yes, knowing or probably knowing the identity of the auhtor of some code is by no means a substitute for skilled people carefully checking the code and any change in it.
submitted by DrunkRaven to Bitcoin [link] [comments]

Are we overlooking pgp verification of wallet installation files?

I am curious how many people use pgp to verify the new version of their favorite wallet software every time a new version comes out? To me it seems like pgp verification isn't taken very seriously. Most, but not all vendors will put out new pgp signature files with each new release however if you are relatively unaware of security this could mean you are unknowingly missing a very important step. Importing the authors pgp key, downloading the associated signature file and then verifying the executable isn't very obvious to those who aren't security savvy. However it is an obvious security hole and a potential honeypot for anyone looking for some easy coin. One thing I find disturbing is how few of the major wallet developers put any significant effort into educating their users on the first step of securing their hot wallet. Multibit and armory are the only two clients I know of that give any information on pgp verification, but even multibit misses this important step on their "How to install" page. Electrum doesn't even provide a signature file for their linux version instead providing a hyperlink with an md5 hash appended to it. Bitcoin-qt from what I can tell only provides sha256 hashes of their files with zero instruction on how to use them. To me it seems like the pgp step of securing a wallet is looked at as the boring minor tidbit that you have to have that nobody really wants to put time into resulting in most vendors throwing up some hashes/signatures with little to no information on how to use them. I think that all vendors should have a section with instructions on how to verify their software, put this as the second step in getting started with their software right after the download step and make sure to provide pgp signatures for each installer package and not just hashes. For me, not being a security expert, I feel much safer verifying a pgp signature vs checking that a hash matches. With bitcoins being targeted on a daily basis through incredibly creative means this seems to me like a giant gaping hole that could be fought with a very small amount of education. Just a thought.
Edit: because I suck at the grammar Edit: after digging around I found the electrum signature files for linux. There is no direct link to the page from their website but they can be found here: http://download.electrum.org/
submitted by bitmagi to Bitcoin [link] [comments]

GPG instructions and public key list for verifying Bitcoin clients.

I have noticed their is a growing problem of fake bitcoin clients, and I expect the frequency and elaboratness of these fake clients to increase.
Verifying the signatures for these clients will detect if you are receiving anything other than what the signer the of the software signed. The exception to this is if the attacker acquires the signer's private key, which should be a lot more difficult than tricking users to visit the wrong site or hacking servers. This can also be addressed by using multiple signatures per client.
An important part of this process is acquiring the public keys for the sofware signers in a secure manner.
To help with this I have included a signed list of fingerprints and where to acquire the public keys to act as another source to verify the keys used to sign bitcoin clients.
I have also included instructions for verifying the fingerprint list and bitcoin clients.
To deal with the issue that posts and comments on Reddit can be easily modified I suggest other users (especially well known ones) post a signature of the fingerprint list in a comment in this thread, or at least a hash of the fingerprint list (not as secure but still better than nothing).
List of Fingerprints:
+++ Bitcoin-Qt: Signer: Gavin Andresen (CODE SIGNING KEY) [email protected] Fingerprint: 2664 6D99 CBAE C9B8 1982 EF60 29D9 EE6B 1FC7 30C1 Key ID: 1FC730C1 Key Link: bitcoin.org/gavinandresen.asc
Electrum: Signer: ThomasV [email protected] Fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 Key ID: 7F9470E6 Keyserver: pool.sks-keyservers.net Signer: Animazing [email protected] Fingerprint: 9914 864D FC33 499C 6CA2 BEEA 2245 3004 6955 06FD Key ID: 695506FD Keyserver: pool.sks-keyservers.net
Multibit: Signer: Jim Burton (multibit.org developer) [email protected] Fingerprint: 299C 423C 672F 47F4 756A 6BA4 C197 2AED 79F7 C572 Key ID: 79F7C572 Keyserver: pgp.mit.edu
Armory: Signer: Alan C. Reiner (Offline Signing Key) [email protected] Fingerprint: 821F 1229 36BD D565 366A C36A 4AB1 6AEA 9883 2223 Key ID: 98832223 Keyserver: pgp.mit.edu +++
My Key:
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.12 (GNU/Linux) mQINBFLB9nUBEAC/klZvqQkWP/NUD0pT09PzhKh0xIQ0XM7MxqUZLa1OytF3iUCX /fNwQD5OnSFQoEg1O4bGzrrRb+PiuKCvH19dp7sFVj3q7Dhwfb6EvsX39xqzxCr6 2AQFQ3esz4nNodnQWa48t2ujihaf/vpTn6n7+jCl6a124r+U4wNGiNIEWxLLUNNb ec8S1RcjtTp6Ue/yRpThgJN9e4rj19+vJMqKCiqL03NBZWVoCEkL6iIdjwlQK8/r CpP9m5yAsc8wkelRkZvuLmjJ1GgSFrO0WteGnURMshy59LetaSRyiIDeHaPdV5rk /n3mBv8hsK/39O6H7fYWDx/ZLnZE4rMghcndexIFLhsuPx6FJNATqQ2gHT4ijb8K NlwZ0LatlXyUEMKfC1aroa3/9RkQSf0y0GKS0XrvUWGVRn/X7gk1DRhuaHWuacCf k3w0XZOA2WpWw1w/rjZSeHbKG1w4B2/kWH3K4sXsfcLltlY85zH03HUYSx+leMFc yxiHz60ZfuV2aGjYFPL8dzF6DS106lHz51j608OZkAEO8Xssincii1k/PR1h1y2P AqgrEADzgl52iBbNw+tdnxSAIy/asEyxU/VwkUFjOzSyP7ZmBxg8ss966w2Kl6WE o9R5tkVuUG8WTMTnF0FeMxO9YOqx4KhN9bhP7RjBL7BFTvRXYVVJUGabIQARAQAB tBVkY2M0ZSA8ZGNjNGVAZ214LmNvbT6JAj4EEwECACgFAlLB9nUCGwMFCQlmAYAG CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJECO6L0dAOWOhsNIQAKUN9Z4e0hM3 DbaUjYJx93JGdJArLmz+Ko10N/lGcao4lCNVA+xM73Ga1GBnPlhPFW9iD2VQocOv tY2PYNsPrHgGlzyMKAMSpZ8364wVEyCHdJVKFORUjhyuJGYfyhDt2iZuzQwxWbmQ 1gmlbiGvxRysmaSW5+M8CDhja/fI8+EOp5NbH/EvHJClul3cO72UBUXBPxRv4Eb+ j8k0Uozob70A3bD894F8bJ9wZ3XBX/9DEkAbvDyW7CxIZwUiCeYTQylH++8S91A1 wL3z35ELdOLzGqwetYY6gSZRwY/W+rewEfPfBDSRjXKOBfhraMBYV1Sdg0IUj10W 2XVAzkqmqaej0T/xTt6aNjFtiH1u18BUpYIcCAAZ6TJ7325bnqnI+0xWFdonyggL +AIX1nzhx5niw8ZkCX0/jlJAx3TXAuxX/Tfy7cVSVi33v0fiwoDb8ZIDBzg0P2uc PUpR13B3AevFpxuAuAFPWfTDOJQmZyn9YNswVOhNb9rfq5bkmaSBlMRefTtUKIjW XjrRhSULPJ73H+R1DNL1Y0vhclnkOVCFRB+VPChkO+6RitGQDTg/Z60fBHpnYiDz sysnsoojLwBGanHO5mZMprxADc9CmeRGRmfHwvx7eJvW1HqN+5JR3Ai+JDlT+IxX RNUQxUbOry4D8TwRn9nBEtumNyNQcBmUuQINBFLB9nUBEACyRFYCrOXxC8yWm92U qPPNa3YC+W17O4rHW/thKTze1/TeZAKTNaIMPCS7iSVBBRbuijG+8NsgFd6W9acC ihMD4VUdFhVPjRGM3HmqzsxudVI4kGlQl8w86pYZu8ceGB4LQcoUFbPmWgXDIszH NV7kIFO/2oCRJ7VIBllUMP97RRdIfDND7EZMWvDveZ40BZCBLfnD9f6VSs4Lgn2C ow/ko01ijnvUxA/BGPJKI7JTLJHbdL//RQwT3AacLSc/etIurY2Ef926XbYYI1gi qboCU/dYUkGG2D+BDcGdukwpksdZZSXPyNhkZQAPPViHuFFtHI3C+FNb5L+lnC0h /dfF73U1lN3jp/VX11U1tIsHJyPjs8aael2UJO7Qy3vgVRM6KOywNNjVRv79Z/rF YHkNzBwXrGKdwV16SdRWjgkzkB4JeNQME096SqrwAEj/j5fwMqHjR8dKqWKDT6s9 V2Z83go3n9kI8JWFh33OksBh/qpKghhwtGWrUsbVcEDOVmUn2ozXvARDzqnNw3DN PcQvzUtasD8hxGHo7fW4TczdtgS3b/DfU2VJo68Fmo1C4eqYX+Ixx05khFCtP7d0 POqX6jIIQqZq8NTea8/M8Xx1YGhR5RpA4vZe7bCLgD2VUXHL43Npmq2nuZ0/7AwY H0hc/y/T+SU70xn28XyWHHLkCwARAQABiQIlBBgBAgAPBQJSwfZ1AhsMBQkJZgGA AAoJECO6L0dAOWOhIcgP/ioKYiJFAsolS4ep1PenCPvQFjvZTq4xJnsubEJ/ERU8 zdgET0Rh5jcCLqRAxQbGW3lVsewR3N+S9Rt3zHApqfZBFg5XJkZxsk0u+0qGPHWA 4oC7U3E4ZwMfVzUDcfKrzD1h0JaiSW1+1qgCh9/YVCUYakR1n/9LgzPP8ekQLTeb nWE+ZQQfeTDgoTNFWZvUlEbh4zcHLvcay78PnK3uT3UbWPyltSxon/eD47s1dt03 P/8nqaXCZhhRZ9N3EbJyudLBgA3ctySSJJSKKQHYynH5qUQqKp4Wq1KY80161xvW FqKwN/Jr4tTpRVZPu8P82cxhwrWJdf1U3/M2F2aIgXbGS4fHbzsLZ+6zZ3AuT4D8 auW55GOrnoF9XzZV6IavtluILUXMjVzF13slo5PKzS8yyJRNxE22krbeEyUum4Zu dDiERxIB6B+RDMM9qvV9svGJoEXG+4ugwkA3R7a6LWApmkvH3eXpULfDN2g5eNcr 5efFMrI/myxmpsP3nUp5EZFJyp8+ZSzIMJ1jSzXH8mHajIGTG49xDyZGpbog3wd2 7aQf5D9WOuKfYZM9MU9PBF+ZgtNrAxWuYJcCOr4WEd/2IjayMWvLxNA/RVW66oVj puaaDc3m3hXg1fwUWv9ZJyMUv7NARLgig3KEMVZiVzos7ZMn9mZNrOk2fnkKpVJB =ufyu -----END PGP PUBLIC KEY BLOCK----- 
Signature for fingerprint list:
-----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.12 (GNU/Linux) owGFk31QFGUcx48XIU/KU0YSZOhHToraHeze3u4tqd2+HZ6g4ks6ZBTLsXdud7eH ewtCV4mp4/hGKmlTQbyEkgoZxpg6kReML0RWaoohOWWN0mhK4WSZje0Zxw0zzfTP 7rPf5zfP7/N8nn22PRyliYyYfDQ9y0La6yNaotYW6hyi5BTkYlmUFJ9BKVMWdZyu mDFjhpYWFbtXlPQLlUztYtEpCXImZPGlogSUVCQLPkGCNGYBy8FiW9Z82/wsyOby poEzWMEPFVicHl50G+xeD1jDXTIBxXEMcJYkgaEpDhiSNgNCmlHgrHgGoCRLAsfh NCBWhgBjBoNos4VysLGZD5LhIEeUXJlQ+C+nwSs700d0N/A+u5ZzC3ZFLvGE97Bk hdfD+5aC8uBdiqiQZYYiQTuCEMdJDFizujuC5swqjQkHI0JzwJImlZBmTWBGMRoI q1pHZHD4MGEwCQU+QS4Ntiz2et0Gn8und4Uyn0ESlGEkShI9/Etqf5jJh4Zhd7NH opEkgoEZx1iwMkYjYCTJAM5QKADNcRSgKGZSnWWogkmTCTJwKzvMFkxCwf+xzStx K6LqNixurugBukRWvOrBe4Zmg9ahSCgV3N5iQZ4GL4oeHDFbHLxPGcI3lLhG8qNB YAw1qtQEagWMsKoGTTgFOE1hwCAkASjFsUCQVgIYE4GG1apJKBjGdxYbPCqHUFSi pWSPVy4PA1NuXgLGAIsEUf2GtAUOh1sdQXA+KFtdZhrwapFl6B/iHywQdD4S2Ywi VkBQlAQjTrPAmnBVMa4iM0b1gVE0AjiluifNZqN6AKhxGDmYhIL/Qg5etI2RydGa iEhNzKjI4N3TaEfrQjf0brJOs692U9vbzb2jMs51uP1Jl/6KXf7NoTEHolxXvvRf SjzbEylrjFvH1jXefbJxd9/tK8u8SVdLC9yv5N88N/v1Cyu7N1deXDPJMeVs8obj b9zvtW84sv9OWeJJ8tXyPX2/N+zqGn+ZnxCdGz++QXqzYGzthSRE7JJaflRu4/01 jqsFuat62ifvHujc8ZhupW1P59OBjoMtgz+crx08mdN/sDkwtUmfLecN2Hb8duuz Lxq6Aztjz3RsWV1d3TJBc4D86cbfuqjvn0iJemqvfk1/ToHQFZhtWrT555eZwh45 +vNj/jX7Fubnd/3adNxf+EhF7sWmMX+Q184dSvygFdFXBF6b2m1KjLvnoKanzEp0 2cWqgX7L2biU8/2xt5LudZ4g4pawCZVpv6T7q1JfaN9Q1xFxP2Z55fiPuo7tvXdd v6m3vrLt+Tk12bGzDn/rr8+puxl4vLsqrnPKmPg51xUZo+tiXKuf2XZ44DLd8t7N weL21tONnY2jKy+MSzi1/1o8sWrQPPPTd1tteW/tTct6fyO2NNWUJ6wT6mPWx9fz 31ml53QTe75a+2HbumVuvZCcC33V0/fFpM07wkRYUh9a0LxzK6mrOuqYChWT6u4M oGkJS2vmNkWdmdWcP5le4ulLbr+Ws+IysX37OyfSt4y70St8vLov9dE/k3Y1zNy4 SyrY/fWzvRMLP8mNrjh1eFvtznXt/wA= =5zDz -----END PGP MESSAGE----- 
Hashes for fingerprint list:
SHA-256: 7A6B9841 355B1127 E5639A9D 7040D81C F395D382 884376C2 31829C63 6FCF1B80
SHA-512: 04A49A60 A1645479 ED0B3CE9 AE32E156 E9768CC2 0D4EF393 814162BE BFA6FAF5 6C520769 C654467F 6B61EBD4 4A5A5C93 9DF81B7D AA468A50 2DD7FFF3 F637A49C
Verifying the fingerprint list:
Save fingerprint list, from the first plus to the last plus, to a text file called fingerprints.txt
Next save my key to a file called dcc4e.asc and my signature to a file called fingerprints.txt.asc
In terminal or command line run:
gpg --import dcc4e.asc gpg --verify fingerprints.txt.asc 
You should see:
Good signature from "dcc4e " 
GPG examples for verifying Bitcoin clients:
Verifying Bitcoin-Qt:
First download, import and check Gavin's key:
Download his key at bitcoin.org/gavinandresen.asc
In terminal or command line run:
gpg --import gavinandresen.asc gpg --fingerprint 
Check that the fingerprint for Gavin's key matches 01CD F462 7A3B 88AA E4A5 71C8 7588 242F BE38 D3A8.
Then download the wallet software and signature.
Verify the signature:
gpg --verify SHA256SUMS.asc 
You should see:
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) " 
The signature for Bitcoin-Qt signs the hash values. So we must compute the hash of the specific downloaded software manually. This example is using the linux version.
gpg --print-md SHA256 bitcoin-0.8.6-linux.tar.gz 
Check that the output matches the associated hash value in SHA256SUMS.asc
Verifying Electrum:
First download, import and check ThomasV's key:
This key can be found at a keyserver.
gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6 gpg --fingerprint 
Check the fingerprint.
Download Electrum and the signature.
Verify the signature:
gpg --verify Electrum-1.9.6.zip.asc 
You should see:
gpg: Good signature from "ThomasV " 
For this example you do not need to manually compute any hash values because the signature is signing the downloaded file directly instead of signing a list of hashes.
submitted by dcc4e to Bitcoin [link] [comments]

BitPay Announces Copay, a Multi-Signature Bitcoin Wallet Multibit wallet download Bitcoin: Client-QT Wallet Update Version 0.11.0 bitcoin wallet - bitcoin for beginners - learn how to mine ... How To Use Bitcoin Multi-Signature with CoPay

A Guide to Bitcoin (Part II): A deep dive into the Bitcoin ecosystem (Editors note: This is a four-post series on Bitcoin. This second post will attempt to shed light on the Bitcoin ecosystem and how the crypto-currency is powering new kinds of businesses. For more information on the basics of Bitcoin, check the first . trending; Bitcoin Thin Client Bitcoin . Bitcoin Thin Client . Mar 27, 2018 ... Other advantages that MultiBit has over the native bitcoin client is the ability to open multiple wallets simultaneously (HD support). Plus, MultiBit offers official support for 40+ languages – something we don’t see with other wallets. Two of the drawbacks of MultiBit are its lack of two factor authentication support and its lack of multi-signature support. However, the wallet remains ... MultiBit is a simple Bitcoin wallet for Windows, MacOS and Linux based on BitcoinJ.Its main advantages over original Bitcoin client are the option of using multiple wallets at once and the lack of need to download several-gigabyte Blockchain (16.5GB as of April 2014).The project was founded by english developer Jim Burton. I’m trying to download Multibit from https://multibit.org/community.html the Win 64 version. it consistently gives a ‘The signature of multibit-0.5.18-windows ... MultiBit is the bitcoin wallet for your desktop. It currently works with Windows, OSX, and Linux. MultiBit is designed to connect directly to the Bitcoin peer-to-peer network.

[index] [8108] [15831] [5982] [4625] [51475] [46509] [31008] [4771] [40861] [23600]

BitPay Announces Copay, a Multi-Signature Bitcoin Wallet

Hello everyone, just a quick video about the details around the newest bitcoin core QT wallet version and why you should update. Forum Post: https://bitcoint... MultiBit, Java Bitcoin client - Duration: 2:22. Yu-Jie Lin Recommended for you. 2:22. Bobby Owsinski - Improve the Sound of Your Room - Duration: 1:50:09. ... Easy Bitcoin Electrum Wallet/Client tutorial for beginners. 2014. - Duration: 14:10. ... Download the Multibit.org Bitcoin Wallet (subtítulos en español) - Duration: 5:35. Coin4ce.com ... BitPay's Executive Chairman Tony Gallippi does a Multi-Signature transaction using our own Copay Wallet live at CES 2015. In this demo, Tony does a 2-of-2 transaction using a Windows Phone and an ... Today I check out how to use a multi signature wallet via the CoPay platform. Tip Address: 1CwYp77iDHy2XFoV1LLEeJA3t8ynF5ZzAd Bitpay Wallet Tutorial: https:/...

#