1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192]
helo=mx.sourceforge.net)
by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <mh.in.england@gmail.com>) id 1WRPKB-0001gW-2P
for bitcoin-development@lists.sourceforge.net;
Sat, 22 Mar 2014 17:03:11 +0000
Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com
designates 209.85.214.176 as permitted sender)
client-ip=209.85.214.176; envelope-from=mh.in.england@gmail.com;
helo=mail-ob0-f176.google.com;
Received: from mail-ob0-f176.google.com ([209.85.214.176])
by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1WRPK9-00066Z-CA
for bitcoin-development@lists.sourceforge.net;
Sat, 22 Mar 2014 17:03:11 +0000
Received: by mail-ob0-f176.google.com with SMTP id wp18so3901367obc.21
for <bitcoin-development@lists.sourceforge.net>;
Sat, 22 Mar 2014 10:03:04 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.60.141.9 with SMTP id rk9mr48779002oeb.12.1395507783965;
Sat, 22 Mar 2014 10:03:03 -0700 (PDT)
Sender: mh.in.england@gmail.com
Received: by 10.76.71.231 with HTTP; Sat, 22 Mar 2014 10:03:03 -0700 (PDT)
Date: Sat, 22 Mar 2014 18:03:03 +0100
X-Google-Sender-Auth: T7SKeLtUzRxHta7jYdz1gajwV3A
Message-ID: <CANEZrP0NeDetSLXjtWnCaYYjYcdhsa=ne=a6NJOnvEp8yr7YaA@mail.gmail.com>
From: Mike Hearn <mike@plan99.net>
To: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Content-Type: multipart/alternative; boundary=047d7b3a9cacbea6a604f534f909
X-Spam-Score: -0.5 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(mh.in.england[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
1.0 HTML_MESSAGE BODY: HTML included in message
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1WRPK9-00066Z-CA
Subject: [Bitcoin-development] Fake PGP key for Gavin
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sat, 22 Mar 2014 17:03:11 -0000
--047d7b3a9cacbea6a604f534f909
Content-Type: text/plain; charset=UTF-8
In case you didn't see this yet,
http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
If you're using PGP to verify Bitcoin downloads, it's very important that
you check you are using the right key. Someone seems to be creating fake
PGP keys that are used to sign popular pieces of crypto software, probably
to make a MITM attack (e.g. from an intelligence agency) seem more
legitimate.
I think the Mac DMG's of Core are signed for Gatekeeper, but do we codesign
the Windows binaries? If not it'd be a good idea, if only because AV
scanners learn key reputations to reduce false positives. Of course this is
not a panacea, and Linux unfortunately does not support X.509 code signing,
but having extra signing can't really hurt.
--047d7b3a9cacbea6a604f534f909
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">In case you didn't see this yet,<div><br></div><div><a=
href=3D"http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-impost=
er.html">http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-impost=
er.html</a><br>
</div><div><br></div><div>If you're using PGP to verify Bitcoin downloa=
ds, it's very important that you check you are using the right key. Som=
eone seems to be creating fake PGP keys that are used to sign popular piece=
s of crypto software, probably to make a MITM attack (e.g. from an intellig=
ence agency) seem more legitimate.</div>
<div><br></div><div>I think the Mac DMG's of Core are signed for Gateke=
eper, but do we codesign the Windows binaries? If not it'd be a good id=
ea, if only because AV scanners learn key reputations to reduce false posit=
ives. Of course this is not a panacea, and Linux unfortunately does not sup=
port X.509 code signing, but having extra signing can't really hurt.</d=
iv>
</div>
--047d7b3a9cacbea6a604f534f909--
|
