Gavin Andresen
12 years ago
5 changed files with 199 additions and 29 deletions
@ -0,0 +1,37 @@ |
|||||||
|
Bag Attributes |
||||||
|
friendlyName: Developer ID Application: BITCOIN FOUNDATION, INC., THE |
||||||
|
localKeyID: 6B 9C 6C A8 A5 73 70 70 E2 57 A3 49 D8 62 FB 97 C7 A5 5D 5E |
||||||
|
subject=/UID=PBV4GLS9J4/CN=Developer ID Application: BITCOIN FOUNDATION, INC., THE/OU=PBV4GLS9J4/O=BITCOIN FOUNDATION, INC., THE/C=US |
||||||
|
issuer=/CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US |
||||||
|
-----BEGIN CERTIFICATE----- |
||||||
|
MIIFhzCCBG+gAwIBAgIIJ0r1rumyfZAwDQYJKoZIhvcNAQELBQAweTEtMCsGA1UE |
||||||
|
AwwkRGV2ZWxvcGVyIElEIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSYwJAYDVQQL |
||||||
|
DB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUg |
||||||
|
SW5jLjELMAkGA1UEBhMCVVMwHhcNMTMwMTEwMjIzOTAxWhcNMTgwMTExMjIzOTAx |
||||||
|
WjCBqDEaMBgGCgmSJomT8ixkAQEMClBCVjRHTFM5SjQxQDA+BgNVBAMMN0RldmVs |
||||||
|
b3BlciBJRCBBcHBsaWNhdGlvbjogQklUQ09JTiBGT1VOREFUSU9OLCBJTkMuLCBU |
||||||
|
SEUxEzARBgNVBAsMClBCVjRHTFM5SjQxJjAkBgNVBAoMHUJJVENPSU4gRk9VTkRB |
||||||
|
VElPTiwgSU5DLiwgVEhFMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQAD |
||||||
|
ggEPADCCAQoCggEBALTd5zURuZVoJviusr119aktXksenb9IN9vq6kBbq38vxEk7 |
||||||
|
9wkKMES2XfBRh0HxcEizGzhMNy5OCXuTLMaNMihYdfwYSoBoR2foEU+6kjPUnyJ4 |
||||||
|
dQBFLJZJr5/QeQmALmYHEgZ6lwXFD2lU8t92340zeJ4y5LZw5pcEHtH9IummYDut |
||||||
|
OGCkCGXDcjL+5nHhNScJiXHhswM+62o6XXsQiP6EWbM1CsgrGTNLtaa0U/UvVDwE |
||||||
|
79YKklSC5Bog2LD0jBcTuveI66mFzqu++L9X9u+ZArtebwCl7BPNQ+uboYy5uV2d |
||||||
|
zf8lpNNZLfXCFjoLe9bLICKfZ7ub9V5aC8+GhckCAwEAAaOCAeEwggHdMD4GCCsG |
||||||
|
AQUFBwEBBDIwMDAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuYXBwbGUuY29tL29j |
||||||
|
c3AtZGV2aWQwMTAdBgNVHQ4EFgQUa5xsqKVzcHDiV6NJ2GL7l8elXV4wDAYDVR0T |
||||||
|
AQH/BAIwADAfBgNVHSMEGDAWgBRXF+2iz9x8mKEQ4Py+hy0s8uMXVDCCAQ4GA1Ud |
||||||
|
IASCAQUwggEBMIH+BgkqhkiG92NkBQEwgfAwKAYIKwYBBQUHAgEWHGh0dHA6Ly93 |
||||||
|
d3cuYXBwbGUuY29tL2FwcGxlY2EwgcMGCCsGAQUFBwICMIG2DIGzUmVsaWFuY2Ug |
||||||
|
b24gdGhpcyBjZXJ0aWZpY2F0ZSBieSBhbnkgcGFydHkgYXNzdW1lcyBhY2NlcHRh |
||||||
|
bmNlIG9mIHRoZSB0aGVuIGFwcGxpY2FibGUgc3RhbmRhcmQgdGVybXMgYW5kIGNv |
||||||
|
bmRpdGlvbnMgb2YgdXNlLCBjZXJ0aWZpY2F0ZSBwb2xpY3kgYW5kIGNlcnRpZmlj |
||||||
|
YXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wDgYDVR0PAQH/BAQDAgeAMBYGA1Ud |
||||||
|
JQEB/wQMMAoGCCsGAQUFBwMDMBMGCiqGSIb3Y2QGAQ0BAf8EAgUAMA0GCSqGSIb3 |
||||||
|
DQEBCwUAA4IBAQAfJ0BjID/1dS2aEeVyhAzPzCBjG8vm0gDf+/qfwRn3+yWeL9vS |
||||||
|
nMdbilwM48IyQWTagjGGcojbsAd/vE4N7NhQyHInoCllNoeor1I5xx+blTaGRBK+ |
||||||
|
dDhJbbdlGCjsLnH/BczGZi5fyEJds9lUIrp1hJidRcUKO76qb/9gc6qNZpl1vH5k |
||||||
|
lDUuJYt7YhAs+L6rTXDyqcK9maeQr0gaOPsRRAQLLwiQCorPeMTUNsbVMdMwZYJs |
||||||
|
R+PxiAnk+nyi7rfiFvPoASAYUuI6OzYL/Fa6QU4/gYyPgic944QYVkaQBnc0vEP1 |
||||||
|
nXq6LGKwgVGcqJnkr/E2kui5gJoV5C3qll3e |
||||||
|
-----END CERTIFICATE----- |
@ -0,0 +1,37 @@ |
|||||||
|
Bag Attributes |
||||||
|
friendlyName: The Bitcoin Foundation, Inc.'s COMODO CA Limited ID |
||||||
|
localKeyID: 8C 94 64 E3 B5 B0 41 89 5B 89 B0 57 CC 74 B9 44 E5 B2 92 66 |
||||||
|
subject=/C=US/postalCode=98104-1444/ST=WA/L=Seattle/street=Suite 300/street=71 Columbia St/O=The Bitcoin Foundation, Inc./CN=The Bitcoin Foundation, Inc. |
||||||
|
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2 |
||||||
|
-----BEGIN CERTIFICATE----- |
||||||
|
MIIFeDCCBGCgAwIBAgIRAJVYMd+waOER7lUqtiz3M2IwDQYJKoZIhvcNAQEFBQAw |
||||||
|
ezELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G |
||||||
|
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxITAfBgNV |
||||||
|
BAMTGENPTU9ETyBDb2RlIFNpZ25pbmcgQ0EgMjAeFw0xMzAxMTYwMDAwMDBaFw0x |
||||||
|
NDAxMTYyMzU5NTlaMIG8MQswCQYDVQQGEwJVUzETMBEGA1UEEQwKOTgxMDQtMTQ0 |
||||||
|
NDELMAkGA1UECAwCV0ExEDAOBgNVBAcMB1NlYXR0bGUxEjAQBgNVBAkMCVN1aXRl |
||||||
|
IDMwMDEXMBUGA1UECQwONzEgQ29sdW1iaWEgU3QxJTAjBgNVBAoMHFRoZSBCaXRj |
||||||
|
b2luIEZvdW5kYXRpb24sIEluYy4xJTAjBgNVBAMMHFRoZSBCaXRjb2luIEZvdW5k |
||||||
|
YXRpb24sIEluYy4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChUwLD |
||||||
|
u/hu5aFZ/n11B27awONaaDrmHm0pamiWHb01yL4JmTBtaLCrSftF8RhCscQ8jpI0 |
||||||
|
UG1Cchmay0e3zH5o5XRs0H9C3x+SM5ozms0TWDmAYiB8aQEghsGovDk0D2nyTQeK |
||||||
|
Q0xqyCh0m8ZPOnMnYrakHEmF6WvhLdJvI6Od4KIwbKxgN17cPFIfLVsZ7GrzmmbU |
||||||
|
Gdi4wSQCHy5rxzvBxho8Qq/SfBl93uOMUrqOHjOUAPhNuTJG3t/MdhU8Zp24s29M |
||||||
|
abHtYkT9W86hMjIiI8RTAR+WHKVglx9SB0cjDabXN8SZ3gME0+H++LyzlySHT8sI |
||||||
|
ykepojZ7UBRgp9w3AgMBAAGjggGzMIIBrzAfBgNVHSMEGDAWgBQexbEsfYfaAmh8 |
||||||
|
JbwMB4Q/ts/e8TAdBgNVHQ4EFgQUfPf+ZyDWl/4LH0Y5BuJTelkRd/EwDgYDVR0P |
||||||
|
AQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEQYJ |
||||||
|
YIZIAYb4QgEBBAQDAgQQMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMCMCswKQYI |
||||||
|
KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5uZXQvQ1BTMEEGA1UdHwQ6 |
||||||
|
MDgwNqA0oDKGMGh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET0NvZGVTaWdu |
||||||
|
aW5nQ0EyLmNybDByBggrBgEFBQcBAQRmMGQwPAYIKwYBBQUHMAKGMGh0dHA6Ly9j |
||||||
|
cnQuY29tb2RvY2EuY29tL0NPTU9ET0NvZGVTaWduaW5nQ0EyLmNydDAkBggrBgEF |
||||||
|
BQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMCgGA1UdEQQhMB+BHWxpbmRz |
||||||
|
YXlAYml0Y29pbmZvdW5kYXRpb24ub3JnMA0GCSqGSIb3DQEBBQUAA4IBAQAqibjo |
||||||
|
D4HG5XSIIMCmYE5RgQBSEAJfI+EZERk1G9F83ZUWr0yNRZCw4O+RaM7xQhvJhEoD |
||||||
|
G2kpk/q2bNOc71/VyZ6SrE1JRVUON41/Flhz4M6cP0BclTicXvh+efVwqZhIz+ws |
||||||
|
UxF2hvC/1Xx6rqI7NYAlOYXk2MSUq3HREo+gWUPKM8em4MZZV/7XCH4QbsfxOl1J |
||||||
|
xS6EOQmV8hfUN4KRXI5WfGUmedBxq7dM0RSJOSQl8fq2f+JjRLfjQwQucy7LDY+y |
||||||
|
pRTsL2TdQV/DuDuI3s0NHRGznQNddoX5jqpXhSQFAAdgrhN1gGkWaaTPzr9IF2TG |
||||||
|
qgr6PEp9tIYC+MbM |
||||||
|
-----END CERTIFICATE----- |
@ -0,0 +1,46 @@ |
|||||||
|
Code-signing private key notes |
||||||
|
== |
||||||
|
|
||||||
|
The private keys for these certificates were generated on Gavin's main work machine, |
||||||
|
following the certificate authoritys' recommendations for generating certificate |
||||||
|
signing requests. |
||||||
|
|
||||||
|
For OSX, the private key was generated by Keychain.app on Gavin's main work machine. |
||||||
|
The key and certificate is in a separate, passphrase-protected keychain file that is |
||||||
|
unlocked to sign the Bitcoin-Qt.app bundle. |
||||||
|
|
||||||
|
For Windows, the private key was generated by Firefox running on Gavin's main work machine. |
||||||
|
The key and certificate were exported into a separate, passphrase-protected PKCS#12 file, and |
||||||
|
then deleted from Firefox's keystore. The exported file is used to sign the Windows setup.exe. |
||||||
|
|
||||||
|
Threat analysis |
||||||
|
-- |
||||||
|
|
||||||
|
Gavin is a single point of failure. He could be coerced to divulge the secret signing keys, |
||||||
|
allowing somebody to distribute a Bitcoin-Qt.app or bitcoin-qt-setup.exe with a valid |
||||||
|
signature but containing a malicious binary. |
||||||
|
|
||||||
|
Or the machine Gavin uses to sign the binaries could be compromised, either remotely or |
||||||
|
by breaking in to his office, allowing the attacker to get the private key files and then |
||||||
|
install a keylogger to get the passphrase that protects them. |
||||||
|
|
||||||
|
Threat Mitigation |
||||||
|
-- |
||||||
|
|
||||||
|
"Air gapping" the machine used to do the signing will not work, because the signing |
||||||
|
process needs to access a timestamp server over the network. And it would not |
||||||
|
prevent the "rubber hose cryptography" threat (coercing Gavin to sign a bad binary |
||||||
|
or divulge the private keys). |
||||||
|
|
||||||
|
Windows binaries are reproducibly 'gitian-built', and the setup.exe file created |
||||||
|
by the NSIS installer system is a 7zip archive, so you could check to make sure |
||||||
|
that the bitcoin-qt.exe file inside the installer had not been tampered with. |
||||||
|
However, an attacker could modify the installer's code, so when the setup.exe |
||||||
|
was run it compromised users' systems. A volunteer to write an auditing tool |
||||||
|
that checks the setup.exe for tampering, and checks the files in it against |
||||||
|
the list of gitian signatures, is needed. |
||||||
|
|
||||||
|
The long-term solution is something like the 'gitian downloader' system, which |
||||||
|
uses signatures from multiple developers to determine whether or not a binary |
||||||
|
should be trusted. However, that just pushes the problem to "how will |
||||||
|
non-technical users securely get the gitian downloader code to start?" |
Loading…
Reference in new issue