Board Bitcoin Technical Support
Re: Avast quarantined Bitcoin-QT.exe 0.13.0 binary
by mertliti on 25/08/2016, 02:07:11 UTC
Thanks. I'm getting concerned though...
On this page, there is a message posted and signed by Wladimir:

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-June/009045.html

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

Starting with 0.11.0rc3, SHA256SUMS.asc will be signed with the following key:

    pub   4096R/36C2E964 2015-06-24 Wladimir J. van der Laan (Bitcoin Core binary release signing key)
    Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

For gitian and commit signing I will keep using this key.

Wladimir
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJViphCAAoJEHSBCwEjRsmmtRoIALBzJMGXzoj5t9OQSedxjnjP
sxfHuBwQxeuPYXbRlMjY5UZhmabbt0/mLRfVSdscnCzp0YxbMRwD7I6MdHqXyBtd
oS+TUfMNir5lk7Ti2hRStgvxqsAbHUJ08LlqpJXV5dq3QgeJyJwZM76a6yyaGwxP
SwqvKklQZ/qdrKOgjjn6d5HywgsmybJSDzEDR3k+ogkLsfM1jcpqZhwFeRVpk94m
SgZGLLx5zAIKcLHn4I1FaZ+OAmmS0ukYcmotMOUk6NBEjHTDfjEFBrbrlwvL4G7r
kjd1mRxkaJMxX3nJicXiEQClVoeUrMVyJrrsTGyPixSicdQbItuyLWXm37fAfE0=
=4v49
-----END PGP SIGNATURE-----


For some reason, when I try to verify this message with PGP (Symantec Encryption Desktop 10.3.0), using the same key I signed **years** ago in my PGP keyring, which still shows as verified, I am getting a mismatch:

Code:
*** PGP SIGNATURE VERIFICATION ***
*** Status:   Bad Signature
*** Alert:    Signature did not verify. Message has been altered.
*** Signer:   Wladimir J. van der Laan (0x2346C9A6)
*** Signed:   6/24/2015 1:45:06 PM
*** Verified: 8/25/2016 4:03:21 AM
*** BEGIN PGP VERIFIED MESSAGE ***

Hello,

Starting with 0.11.0rc3, SHA256SUMS.asc will be signed with the following key:

    pub   4096R/36C2E964 2015-06-24 Wladimir J. van der Laan (Bitcoin Core binary release signing key)
    Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

For gitian and commit signing I will keep using this key.

Wladimir

*** END PGP VERIFIED MESSAGE ***

The key signature matches! Is there some possible incompatibility between PGP and GPG? Some whitespace / line endings mismatch?
Given that "state-sponsored" attackers are suspected to be a risk, I'm starting to get paranoid now!!! This is the first time I think I've ever seen verifications fail.

Can anyone else verify the signature on that message with Wladimir's key?
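
Added example, not part of the original post: the post asks whether whitespace or line endings could explain the mismatch. Under RFC 4880 section 7.1 a cleartext signature is computed over the text with dash-escaping undone, trailing spaces and tabs stripped, and CRLF line endings, so the Python sketch below (function names and the shortened sample message are constructed here) shows which differences between two copies are normalised away and which are not.

```python
import hashlib

# Constructed sample in clearsign layout; the signature data is a placeholder.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA512\n"
    "\n"
    "Hello,\n"
    "\n"
    "    Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964\n"
    "- -- a dash-escaped line\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "(constructed sample, signature data omitted)\n"
    "-----END PGP SIGNATURE-----\n"
)

def canonical_cleartext(armored: str) -> bytes:
    """Return the text bytes a cleartext signature covers (RFC 4880, 7.1)."""
    lines = armored.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    # The signed text begins after the empty line that ends the "Hash:" headers.
    body_start = lines.index("", start) + 1
    out = []
    for line in lines[body_start:end]:
        if line.startswith("- "):        # undo dash-escaping
            line = line[2:]
        out.append(line.rstrip(" \t"))   # trailing spaces and tabs are not signed
    # Lines are joined with CRLF; the line ending just before the signature
    # header is not part of the signed text.
    return "\r\n".join(out).encode("utf-8")

def text_digest(armored: str) -> str:
    # Digest of the canonical text only. A real verifier also hashes the
    # signature packet's trailer, so this value is only for comparing copies.
    return hashlib.sha512(canonical_cleartext(armored)).hexdigest()

def compare_copies() -> dict:
    """Compare two altered copies of SAMPLE against the reference digest."""
    crlf_padded = SAMPLE.replace("Hello,\n", "Hello,  \t\n").replace("\n", "\r\n")
    collapsed = SAMPLE.replace("D4C2  6845", "D4C2 6845")
    ref = text_digest(SAMPLE)
    return {"crlf_and_trailing_ws": text_digest(crlf_padded) == ref,
            "interior_space_collapsed": text_digest(collapsed) == ref}

if __name__ == "__main__":
    print(compare_copies())
```

Differences inside a line, such as a run of two spaces reduced to one when text is copied from a rendered web page, survive canonicalisation and change the hash.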