public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

* [Bitcoin-development] Signing release binaries
@ 2012-07-29 10:17 Mike Hearn
  2012-07-29 12:20 ` Peter Vessenes
  2012-07-29 17:15 ` Luke-Jr
  0 siblings, 2 replies; 5+ messages in thread
From: Mike Hearn @ 2012-07-29 10:17 UTC (permalink / raw)
  To: Bitcoin Dev

MacOS X 10.8 makes application signing borderline mandatory, in that
you cannot run unsigned apps unless you tweak your settings via the
control panel. You must sign with a certificate issued by Apple via
their "identified developer" program.

Windows allows but does not require signing. However, anti-virus
systems tend to use signers with good reputation as a whitelisting
signal. Signing Bitcoin releases makes sense because it may lead to,
at minimum, higher performance if AV engines ignore file reads/writes
by Bitcoin. And it can also shield us from false positives. You only
need to see the mess that the mining tools world has become to
understand why this is important.

As I don't take part in the release process, I can't help out with
this directly, but I believe it's important and would be willing to
throw some money in towards buying the signing certs for both
platforms. I guess Gavin would be the final signer.



^ permalink raw reply	[flat|nested] 5+ messages in thread

• * Re: [Bitcoin-development] Signing release binaries
    2012-07-29 10:17 [Bitcoin-development] Signing release binaries Mike Hearn
  @ 2012-07-29 12:20 ` Peter Vessenes
    2012-07-29 17:15 ` Luke-Jr
    1 sibling, 0 replies; 5+ messages in thread
  From: Peter Vessenes @ 2012-07-29 12:20 UTC (permalink / raw)
    To: Mike Hearn; +Cc: Bitcoin Dev
  
  This is a good idea. I think I can come up with the cash, I will
  follow up with gavin.
  
  Sent from my smartphone!
  
  On Jul 29, 2012, at 7:18 PM, Mike Hearn <mike@plan99•net> wrote:
  
  > MacOS X 10.8 makes application signing borderline mandatory, in that
  > you cannot run unsigned apps unless you tweak your settings via the
  > control panel. You must sign with a certificate issued by Apple via
  > their "identified developer" program.
  >
  > Windows allows but does not require signing. However, anti-virus
  > systems tend to use signers with good reputation as a whitelisting
  > signal. Signing Bitcoin releases makes sense because it may lead to,
  > at minimum, higher performance if AV engines ignore file reads/writes
  > by Bitcoin. And it can also shield us from false positives. You only
  > need to see the mess that the mining tools world has become to
  > understand why this is important.
  >
  > As I don't take part in the release process, I can't help out with
  > this directly, but I believe it's important and would be willing to
  > throw some money in towards buying the signing certs for both
  > platforms. I guess Gavin would be the final signer.
  >
  > ------------------------------------------------------------------------------
  > Live Security Virtual Conference
  > Exclusive live event will cover all the ways today's security and
  > threat landscape has changed and how IT managers can respond. Discussions
  > will include endpoint security, mobile security and the latest in malware
  > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
  > _______________________________________________
  > Bitcoin-development mailing list
  > Bitcoin-development@lists•sourceforge.net
  > https://lists.sourceforge.net/lists/listinfo/bitcoin-development
  
  
  
  ^ permalink raw reply	[flat|nested] 5+ messages in thread

• * Re: [Bitcoin-development] Signing release binaries
    2012-07-29 10:17 [Bitcoin-development] Signing release binaries Mike Hearn
    2012-07-29 12:20 ` Peter Vessenes
  @ 2012-07-29 17:15 ` Luke-Jr
    2012-07-30  2:29   ` Cameron Garnham
    1 sibling, 1 reply; 5+ messages in thread
  From: Luke-Jr @ 2012-07-29 17:15 UTC (permalink / raw)
    To: bitcoin-development
  
  On Sunday, July 29, 2012 10:17:51 AM Mike Hearn wrote:
  > I guess Gavin would be the final signer.
  
  Considering that Gavin is not interested in participating in any way in the 
  stable versions, I would prefer to see someone else responsible for OS-vendor 
  signing.
  
  
  
  
  ^ permalink raw reply	[flat|nested] 5+ messages in thread

• • * Re: [Bitcoin-development] Signing release binaries
      2012-07-29 17:15 ` Luke-Jr
    @ 2012-07-30  2:29   ` Cameron Garnham
      2012-07-30 13:02     ` Peter Pauly
      0 siblings, 1 reply; 5+ messages in thread
    From: Cameron Garnham @ 2012-07-30  2:29 UTC (permalink / raw)
      To: bitcoin-development
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    I'm not a vendor, however I have a code-signing key for windows; I could
    sign the windows installer and binary.
    
    On 30/07/2012 3:15 AM, Luke-Jr wrote:
    > On Sunday, July 29, 2012 10:17:51 AM Mike Hearn wrote:
    >> I guess Gavin would be the final signer.
    > 
    > Considering that Gavin is not interested in participating in any way in the 
    > stable versions, I would prefer to see someone else responsible for OS-vendor 
    > signing.
    > 
    > 
    > ------------------------------------------------------------------------------
    > Live Security Virtual Conference
    > Exclusive live event will cover all the ways today's security and 
    > threat landscape has changed and how IT managers can respond. Discussions 
    > will include endpoint security, mobile security and the latest in malware 
    > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
    > _______________________________________________
    > Bitcoin-development mailing list
    > Bitcoin-development@lists•sourceforge.net
    > https://lists.sourceforge.net/lists/listinfo/bitcoin-development
    > 
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.19 (MingW32)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
    
    iF4EAREIAAYFAlAV8ZYACgkQBJ8cMDO159ZNVgD+KsQUlNcTDSmTGaHvLbAw0Cxy
    OCDfnsFbaiLoX2xWP3MBAOnN/QvcYY8f2WzMfI+N1PfnydRYGxlkA2JZ2Nrtnxcv
    =qeUe
    -----END PGP SIGNATURE-----
    
    
    
    ^ permalink raw reply	[flat|nested] 5+ messages in thread

  • • * Re: [Bitcoin-development] Signing release binaries
        2012-07-30  2:29   ` Cameron Garnham
      @ 2012-07-30 13:02     ` Peter Pauly
        0 siblings, 0 replies; 5+ messages in thread
      From: Peter Pauly @ 2012-07-30 13:02 UTC (permalink / raw)
        To: Cameron Garnham; +Cc: bitcoin-development
      
      [-- Attachment #1: Type: text/plain, Size: 358 bytes --]
      
      I'd like to see the binaries signed with gpg, independent of any signatures
      required for various operating systems.
      
      I can't imagine a worse scenario than the bitcoin.org site being hacked and
      the binaries replaced with wallet-stealing code. All of the developers seem
      to have gpg keys, how hard can it be to provide a detached gpg signature
      for the binary?
      
      [-- Attachment #2: Type: text/html, Size: 448 bytes --]
      
      ^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2012-07-30 13:02 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-07-29 10:17 [Bitcoin-development] Signing release binaries Mike Hearn
2012-07-29 12:20 ` Peter Vessenes
2012-07-29 17:15 ` Luke-Jr
2012-07-30  2:29   ` Cameron Garnham
2012-07-30 13:02     ` Peter Pauly

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox