Using blockchain to publish downloadable software verification codes


What is the point of comparing sha256 of downloaded file with published on the same website code?

Why can't developers of currencies publish file version and sha256 hash on blockchain as alias or message ?

Why don't other software vendors use blockchain as reliable way to distribute verification codes ?

Software vendors could send sha256 code published on their website for a small fee as a reply transaction to each interested account.

This is one real way to raise wide practical interest in cryptocurrencies and blockchain isn't it ?

How about scanning all downloadable online software and putting all types of hashcodes on blockchain, making it useful not just for coin transfers ?

How about setting up auto-reply account as currency feature where software vendor could put hash code and get some coins for it ?


Posted 2014-04-11T05:12:44.533

Reputation: 247

2What is to stop a malicious attacker from distributing a fake hash in exactly the same way? – Nate Eldredge – 2014-04-11T13:18:34.127

Web site registration with NXT alias and publishing hash using account that owns that alias. – CoinsKillTheFed – 2014-04-12T01:43:32.047

Also publishing signed by that account message on website. – CoinsKillTheFed – 2014-04-12T01:52:12.043

1If you have all that, then what does the block chain add? – Nate Eldredge – 2014-04-12T02:28:55.407

Re: "what does the block chain add?" - it gives free permanent equivalent of SSL certificate. It allows to publish anything permanently without supervision of ICANN and other authorities. Tough part is to establish trust to NXT account. Trust can be built upon trust of existing popular website like I suggested above (by publishing signed message). – CoinsKillTheFed – 2014-04-14T05:28:17.730

Nate Elderege code certificates are outrageously expensive for what they basically are. There's collusion between Microsoft and certificate providers. to keep things this way.

Furthermore, the hoops we need to jump through to install and use those certificates get higher every year, adding lost productive time, money and energy. – Christophe Keller – 2017-04-14T09:52:44.470



Okay, I will bite.

No, I don't think it would be useful to publish software hashes in the blockchain.

As you recognize, a hash of a software package is useless unless it is somehow authenticated. Currently, the most popular way to do this is to make the hash available on a "well-known" website which uses HTTPS, and provides an X.509 certificate signed by a recognized authority. This provides some level of confidence that the hash is claimed as authentic by the owners of the website, who are hopefully the same people as the authors of the software.

If you want to distribute the hash from any site that can't itself be authenticated, the hash will need to be self-authenticating; it should carry a signature that the user can have some confidence was made by the right people. One way to do that would be with X.509 certificates again, but packaged explicitly with the hash rather than being provided implicitly by an HTTPS server.

Your proposal to use a NXT alias would have a similar effect, though I think as things stand it would provide rather less confidence. As problematic as the current certificate authority system is, I think most people today would place more trust in a certificate for "Initech Corporation" signed by Verisign than in the owner of "nxt:initech".

Either way, the point is that if you're not going to distribute the hash from some "well-known" location, it has to have a self-contained signature, and at that point you can distribute it any way you want. You certainly could put it in the blockchain, but what's the point? It's of no use without the software package that it's supposed to authenticate. (And you can't put the software itself in the blockchain, it's too big.) Why not cut out the middleman and just distribute the signed hash together with the software? In fact, why not just distribute a single signed file?

In fact, in many ways, distributing the hash in the blockchain is less secure than just putting it on a website. Even if I just stick it on the plain old HTTP server for, an attacker still has to either compromise that server or intercept a user's traffic somehow, which is nontrivial to achieve. If I put it in the blockchain, anyone with BTC 0.0001 to spare can post another hash that looks similar (perhaps signed by "inittech" instead), making it fairly likely that some confused user will pick the wrong one by mistake.

Nate Eldredge

Posted 2014-04-11T05:12:44.533

Reputation: 22 182

If TOTALCMD.EXE on my hard drive has Verisign signature issuer and has signer name "Ghisler GmbH" how do I know if it should be signed by "Ghisler Software GmbH" instead ? – CoinsKillTheFed – 2014-04-15T00:51:51.593