I like to use 7zip and right click the file to verify the hash checksum when using Windows. Looks like a bunch of coins are getting infected wallets switched in lately. That hash file should be posted in multiple places, as this happened on Linux Mint at some point and the hashes were also compromised on the website.
I agree that hash files should be stored on a separate server, and not on the normal download server (to avoid getting compromised too in case of a hack).
Also I'd like to point out that Dash also offers both its binaries and the SHA256SUMS.asc (hash file) on GitHub.
Link:
https://github.com/dashpay/dash/releases (see assets)
I understand there are also ways to verify hash files themselves, by checking who PGP-signed them and comparing that with developers that have signature rights.
Maybe someone from Dash Core Group can comment on the above?
I guess we have to wait and see how Monero's official site got compromised in the first place and then check if our own security measurements are still sufficient.
Good to hear that 7zip also has a hash verification tool inside.
Each binary file has a corresponding signature (.asc) file, SHA256SUMS.asc is a signed list of hashes for all files. Corresponding dev keys to check these signatures can be found on GitHub (the easiest way to verify keys: check the modification/commit date to make sure they were not altered recently) and on Keybase. Keys on both resources should match (it's highly unlikely that they would be compromised in both places).
Thank you UdjinM6.
I found the following so far:
Verification of SHA256SUMS.asc --> Just copy and paste all of the text of this hash file into:
https://keybase.io/verify --> this will provide a name
Verification of Github binaries -->
https://github.com/dashpay/dash/tags (press green verified signature button next to v0.14.0.3) --> this will also provide a name
Both names match and point to a specific Dash Core Developer.
Which means we have three points of verification:
- verify the downloaded binaries' hash (downloaded either from Dash.org or from GitHub) with the Hash File (also available in 2 locations), to see if they match with regards to the hash --> Hash Verification
- verify who issued the SHA256SUMS.asc / Hash File through Keybase --> Dev ID verification
- verify who issued the binaries on GitHub --> Dev ID verification
To UdjinM6:
Each binary file has a corresponding signature (.asc) file, SHA256SUMS.asc is a signed list of hashes for all files.
It looks like most Hash Files are SHA256SUMS.asc files, I'm not seeing any individual .asc files for individual binaries. I guess it saves time this way.
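The "Hash Verification" step from the three-point list above, worked through in code. This is an added example and not Dash Core Group's release tooling: it parses a clearsigned SHA256SUMS.asc (the `-----BEGIN PGP SIGNED MESSAGE-----` framing, with RFC 4880 dash-escaping stripped), recomputes SHA-256 over every listed file and reports OK / MISMATCH / MISSING per file, then shows that a binary swapped after the hash list was published is caught. The filenames, file contents and the signature block in the demo are constructed placeholders; real signature checking is delegated to `gpg --verify`, which only gives a meaningful answer once the developer's key (from GitHub or Keybase, as UdjinM6 describes) has been imported.

```python
import hashlib
import os
import re
import shutil
import subprocess
import tempfile

# Constructed placeholder: NOT a valid OpenPGP signature, only the armor framing.
PLACEHOLDER_SIGNATURE = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDER-NOT-A-REAL-SIGNATURE\n"
    "-----END PGP SIGNATURE-----\n"
)

# sha256sum line: 64 hex chars, then "  name" (text mode) or " *name" (binary mode)
SUM_LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")


def parse_clearsigned_sums(text):
    """Return {filename: hexdigest} from the body of a clearsigned SHA256SUMS.asc."""
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----")
    except ValueError:
        raise ValueError("not a clearsigned message")
    body = lines[start + 1:end]
    # Armor headers such as "Hash: SHA256" end at the first blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    sums = {}
    for line in body:
        if line.startswith("- "):  # RFC 4880 dash-escaping of lines starting with "-"
            line = line[2:]
        m = SUM_LINE.fullmatch(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sums(sums, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every file in the list."""
    results = {}
    for name, expected in sums.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) != expected:
            results[name] = "MISMATCH"
        else:
            results[name] = "OK"
    return results


def gpg_verify(asc_path):
    """Dev ID verification: run `gpg --verify` on the clearsigned file.
    Returns True/False, or None when gpg is not installed. Requires the signing
    developer's key to be imported first; an unknown key is reported as failure."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    proc = subprocess.run([gpg, "--verify", asc_path], capture_output=True, text=True)
    return proc.returncode == 0


def make_sums_asc(directory, names):
    """Constructed stand-in for a published SHA256SUMS.asc: real digests of the
    files in `directory`, wrapped in clearsign framing with the placeholder signature."""
    body = "".join(f"{sha256_file(os.path.join(directory, n))}  {n}\n" for n in names)
    return "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + body + PLACEHOLDER_SIGNATURE


def demo():
    """Verify two constructed 'release' files, then replace one and verify again."""
    with tempfile.TemporaryDirectory() as d:
        names = ["example-wallet-linux.tar.gz", "example-wallet-win64.zip"]  # constructed
        for i, n in enumerate(names):
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"constructed release bytes %d\n" % i)
        asc = make_sums_asc(d, names)
        before = verify_sums(parse_clearsigned_sums(asc), d)
        # Simulate a binary replaced on the download server after the list was signed.
        with open(os.path.join(d, names[1]), "ab") as f:
            f.write(b"altered\n")
        after = verify_sums(parse_clearsigned_sums(asc), d)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

A MISMATCH or MISSING result for any file means the download should not be trusted regardless of what the signature check says, and an OK result only means something until `gpg_verify` also passes against a key that was cross-checked on both GitHub and Keybase; the hash list alone cannot tell you who published it.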