who has actually verified the code is not malicious in the first place?
There are many eyes on it from cryptographers, JavaScript programmers and more. But there has been no commercial party or individual who claims to have vetted the page to assure that there is nothing malicious.
As far as verifying that the website is serving the same release as the version control repository shows, that can be verified as follows:
Verify that the BitAddress.org website has been updated and returns the same HTML from the commit with the description vx.x on GitHub:
Here's an example of verifying, in which the version was v2.4:
First check the sha1sum hash of the html returned by a request to http://bitaddress.org:
$ wget --quiet -O - http://bitaddress.org|sha1sum
1d5951f6a04dd5a287ac925da4e626870ee58d60 -
# GET is lwp-request: -e prints response headers, -S prints the redirect status chain, -d suppresses the body, so this shows the versioned filename the site redirects to
$ GET -eSd bitaddress.org|grep -i "200 OK"
GET https://www.bitaddress.org/bitaddress.org-v2.4-SHA1-1d5951f6a04dd5a287ac925da4e626870ee58d60.html --> 200 OK
Then from my bitaddress.org repo:
$ git checkout master
$ git pull
$ git log --pretty=oneline|grep "v2.4"
eeed4db91edd9eda5eb4277a61aa16ad80bdcdcb v2.4 French translations
$ git checkout eeed4db91edd9eda5eb4277a61aa16ad80bdcdcb
$ git rev-list --max-count=1 HEAD
eeed4db91edd9eda5eb4277a61aa16ad80bdcdcb
$ sha1sum bitaddress.org.html
1d5951f6a04dd5a287ac925da4e626870ee58d60 bitaddress.org.html
As long as that sha1sum matches the filename and also matches the one from GitHub, then you know you have the exact same version as was distributed from GitHub.
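The steps in the post above can be scripted so the three hashes (downloaded file, SHA1 embedded in the release filename, file checked out from the repo) are compared automatically instead of by eye. The following is an added example written for this page; it is not pointbiz's code or part of the bitaddress.org project. It assumes `sha1sum` is available, that the release filename follows the `bitaddress.org-vX.Y-SHA1-<40 hex chars>.html` pattern shown above, and that you have already downloaded the page and checked out the matching commit (the `wget` and `git checkout` steps from the post, shown in comments).

```shell
#!/bin/sh
# Added example (not pointbiz's or the project's code): verify that a downloaded
# bitaddress.org.html matches the SHA1 embedded in the release filename, and
# that the copy checked out from the git repo has the same hash.
#
# Assumed real-world usage (these two commands are from the post above):
#   wget --quiet -O bitaddress.org.html http://bitaddress.org
#   git checkout eeed4db91edd9eda5eb4277a61aa16ad80bdcdcb   # in the repo clone
#   verify_release ./bitaddress.org.html \
#       "bitaddress.org-v2.4-SHA1-1d5951f6a04dd5a287ac925da4e626870ee58d60.html" \
#       /path/to/repo/bitaddress.org.html

# Extract the 40-hex SHA1 from a release filename of the form
# bitaddress.org-vX.Y-SHA1-<hash>.html. Prints the hash; returns 1 if the
# name does not carry a well-formed SHA1 (so a plain "bitaddress.org.html" fails).
hash_from_release_name() {
    name="$1"
    case "$name" in
        *-SHA1-[0-9a-f]*.html)
            name="${name##*-SHA1-}"
            name="${name%.html}"
            if printf '%s' "$name" | grep -Eq '^[0-9a-f]{40}$'; then
                printf '%s\n' "$name"
                return 0
            fi
            ;;
    esac
    return 1
}

# SHA1 of a file, hash only (sha1sum prints "<hash>  <name>").
file_sha1() {
    sha1sum "$1" | cut -d' ' -f1
}

# verify_release DOWNLOADED RELEASE_NAME [REPO_COPY]
# Returns 0 only when the downloaded file, the filename's SHA1 and (if given)
# the repo copy all agree; prints which pair disagrees otherwise.
verify_release() {
    downloaded="$1"; release_name="$2"; repo_copy="${3:-}"
    expected=$(hash_from_release_name "$release_name") || {
        echo "release name carries no SHA1: $release_name" >&2
        return 1
    }
    actual=$(file_sha1 "$downloaded")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH downloaded=$actual filename=$expected" >&2
        return 1
    fi
    if [ -n "$repo_copy" ]; then
        repo_hash=$(file_sha1 "$repo_copy")
        if [ "$repo_hash" != "$expected" ]; then
            echo "MISMATCH repo=$repo_hash filename=$expected" >&2
            return 1
        fi
    fi
    echo "OK $expected"
    return 0
}
```

Note what this does and does not establish: a match ties the file the site served to the commit in the repo, nothing more. It says nothing about whether that commit is benign, which is exactly the point conceded earlier in the post. Also, the hash is computed over whatever arrived on your machine, so a copy fetched over plain `http://` could have been altered in transit before you hashed it; fetch over `https://` before comparing.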