pull down to refresh
53 sats \ 2 replies \ @0xIlmari 26 Mar \ on: Learn How to Verify with Me ( with Baby Steps ) bitcoin
There's a weakness in this process that many overlook, which can lead to you being exploited, and that is getting all the initial breadcrumbs from one source, be it GitHub or some software's own download website.
If an attacker were to take control of that website, they would replace the actual download, as well as the signature file, as well as upload their own (attacker's) key to keybase, potentially under the name of the original developer (especially if their email was compromised, which is likely the case).
To defend against that, you must verify via a different medium (social media, different website, signed Bitcoin message), ideally dated well before a potential breach, that the real signer's key fingerprint is indeed what the .asc file indicates.
yes, I mentioned this at the end
Check different sources of the fingerprint to verify the signer's public key. Good places to look are Github, Keybase, KeyServer, and different socials. Generally, the more sources showing the same key, the more trusted.
reply
Sorry, since this is not new knowledge to me, I only skimmed the article and missed that bit.
Anyway, I think it's important to emphasize this as so many people just type the verification commands into their computer without thinking what they do and are happy when gpg gives them a thumbs up without understanding ways in which the supply chain may have been compromised.
reply