Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WRPKB-0001gW-2P for bitcoin-development@lists.sourceforge.net; Sat, 22 Mar 2014 17:03:11 +0000 Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.214.176 as permitted sender) client-ip=209.85.214.176; envelope-from=mh.in.england@gmail.com; helo=mail-ob0-f176.google.com; Received: from mail-ob0-f176.google.com ([209.85.214.176]) by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1WRPK9-00066Z-CA for bitcoin-development@lists.sourceforge.net; Sat, 22 Mar 2014 17:03:11 +0000 Received: by mail-ob0-f176.google.com with SMTP id wp18so3901367obc.21 for ; Sat, 22 Mar 2014 10:03:04 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.60.141.9 with SMTP id rk9mr48779002oeb.12.1395507783965; Sat, 22 Mar 2014 10:03:03 -0700 (PDT) Sender: mh.in.england@gmail.com Received: by 10.76.71.231 with HTTP; Sat, 22 Mar 2014 10:03:03 -0700 (PDT) Date: Sat, 22 Mar 2014 18:03:03 +0100 X-Google-Sender-Auth: T7SKeLtUzRxHta7jYdz1gajwV3A Message-ID: From: Mike Hearn To: Bitcoin Dev Content-Type: multipart/alternative; boundary=047d7b3a9cacbea6a604f534f909 X-Spam-Score: -0.5 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (mh.in.england[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1WRPK9-00066Z-CA Subject: [Bitcoin-development] Fake PGP key for Gavin X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Mar 2014 17:03:11 -0000 --047d7b3a9cacbea6a604f534f909 Content-Type: text/plain; charset=UTF-8 In case you didn't see this yet, http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html If you're using PGP to verify Bitcoin downloads, it's very important that you check you are using the right key. Someone seems to be creating fake PGP keys that are used to sign popular pieces of crypto software, probably to make a MITM attack (e.g. from an intelligence agency) seem more legitimate. I think the Mac DMG's of Core are signed for Gatekeeper, but do we codesign the Windows binaries? If not it'd be a good idea, if only because AV scanners learn key reputations to reduce false positives. Of course this is not a panacea, and Linux unfortunately does not support X.509 code signing, but having extra signing can't really hurt. --047d7b3a9cacbea6a604f534f909 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

In case you didn't see this yet,

http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-impost= er.html

If you're using PGP to verify Bitcoin downloa= ds, it's very important that you check you are using the right key. Som= eone seems to be creating fake PGP keys that are used to sign popular piece= s of crypto software, probably to make a MITM attack (e.g. from an intellig= ence agency) seem more legitimate.

I think the Mac DMG's of Core are signed for Gateke= eper, but do we codesign the Windows binaries? If not it'd be a good id= ea, if only because AV scanners learn key reputations to reduce false posit= ives. Of course this is not a panacea, and Linux unfortunately does not sup= port X.509 code signing, but having extra signing can't really hurt.

--047d7b3a9cacbea6a604f534f909--