GPG Sign the binary releases #1130

Open
opened 2018-02-14 18:11:31 +01:00 by gitbugged · 8 comments
gitbugged commented 2018-02-14 18:11:31 +01:00 (Migrated from github.com)

There is currently no way to verify that the released binary packages are in fact released by the developer. One way to do this is to sign the packages with GNUPG/PGP. There is an automated script to do this for github users, here: https://github.com/NicoHood/gpgit

Doing so helps prevent MITM attacks/malware from spreading. Thank you.

ghost commented 2018-02-14 18:26:13 +01:00 (Migrated from github.com)

Agreed. Please can you do this @PeterSurda ?

PeterSurda commented 2018-02-14 18:35:04 +01:00 (Migrated from github.com)

Actually I do GPG sign the binary executables. There are at the moment no binary executables for 0.6.3, 0.6.3.1 and 0.6.3.2 so there is nothing to sign.

Since 0.6.2 I also obtained a code signing certificate that is recognised by both Windows and OSX. I haven't figured out how to sign OSX binaries yet, though.

gitbugged commented 2018-02-23 16:08:04 +01:00 (Migrated from github.com)

@PeterSurda thanks for signing! I was able to get the .asc files for the binaries for v0.6.3.2 from the releases page. I was kind of confused, because the website is currently still serving up the vulnerable version without the sig. I would have helped fix that issue myself but there appears to be no way to register on the wiki to change the links around.

https://www.bitmessage.org/wiki/Main_Page

PeterSurda commented 2018-02-23 16:38:51 +01:00 (Migrated from github.com)

The bitmessage.org website links to 0.6.1, which isn't vulnerable. Maybe it should be bumped to 0.6.3.2 though. And the signatures are available on the github release page. The wiki registrations were disabled due to spam and no one had the time to fix it properly yet.

PeterSurda commented 2018-03-10 10:38:13 +01:00 (Migrated from github.com)

I'm not sure if there is or was anything to do, maybe there was some confusion. If you don't want me to close this, please elaborate.

gitbugged commented 2018-03-27 19:36:50 +02:00 (Migrated from github.com)

It can be closed; I would just recommend putting the signature on the wiki page, as it's the first thing people see. It helps people find it more easily.

Adjusted wiki code:

```
[[File:windows_icon.png|link=https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1.exe]] [https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1.exe Download for Windows (32bit)][https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1.exe.asc (sig)] [https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1_64.exe (64bit)][https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1_64.exe.asc (sig)]

[[File:apple_icon.png|link=https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/bitmessage-v0.6.1.dmg]] [https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/bitmessage-v0.6.1.dmg Download for OS X][https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/bitmessage-v0.6.1.dmg.asc (sig)]
```
gitbugged commented 2018-03-30 23:50:53 +02:00 (Migrated from github.com)

Also if it's not too much to ask, the source (.tar.gz) file is unsigned. This would need to be signed as well for Arch Linux to include a sig check in the PKGBUILD.

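An added example, not code from this thread or from the PyBitmessage project: a POSIX sh verifier for the detached .asc files discussed above, which pins the expected signing-key fingerprint instead of trusting gpg's exit code alone (the same pinning an Arch PKGBUILD expresses with `validpgpkeys`). The fingerprints and gpg status lines below are constructed sample values, not real PyBitmessage keys.

```shell
#!/bin/sh
# Decide whether gpg's machine-readable status output proves that a release
# artefact was signed by the key we expect.  A zero exit from `gpg --verify`
# alone only means *some* key in the local keyring produced a valid signature.
#   $1 = text captured from `gpg --status-fd 1 --verify file.asc file`
#   $2 = expected fingerprint (40 hex digits; spaces and case are ignored)
check_status() {
    status=$1
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    # These keywords mean failure no matter what else is printed (gpg still
    # emits VALIDSIG for an expired or revoked key, so test them first).
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG|NO_PUBKEY|REVKEYSIG|EXPKEYSIG) '; then
        return 1
    fi
    # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd> <pkalgo> <halgo> <class> [<primary-fpr>]
    # Field 3 is the key that actually signed (often a subkey); the last field,
    # when present, is the primary key fingerprint.  Accept a match on either.
    line=$(printf '%s\n' "$status" | grep '^\[GNUPG:] VALIDSIG ' | head -n 1)
    [ -n "$line" ] || return 1
    signer=$(printf '%s\n' "$line" | awk '{print $3}')
    primary=$(printf '%s\n' "$line" | awk '{print $NF}')
    if [ "$signer" = "$expected" ] || [ "$primary" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Verify a detached .asc against its artefact and pin the signing key.
#   $1 = artefact (e.g. Bitmessage-0.6.1.exe)   $2 = detached .asc   $3 = expected fingerprint
verify_release() {
    out=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)  # status lines decide, not the exit code
    check_status "$out" "$3"
}

# Constructed sample values (not real PyBitmessage keys) so the decision logic
# can be exercised without gpg, a keyring or network access.
SIGNER_FPR=AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
PRIMARY_FPR=0000111122223333444455556666777788889999
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EEEEFFFF00001111 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SIGNER_FPR 2018-02-23 1519400000 0 4 0 1 10 00 $PRIMARY_FPR"
SAMPLE_BADSIG="[GNUPG:] NEWSIG
[GNUPG:] BADSIG EEEEFFFF00001111 Example Signer <signer@example.invalid>"
SAMPLE_NO_KEY="[GNUPG:] NEWSIG
[GNUPG:] ERRSIG EEEEFFFF00001111 1 10 00 1519400000 9
[GNUPG:] NO_PUBKEY EEEEFFFF00001111"

check_status "$SAMPLE_GOOD" "$SIGNER_FPR" && echo "sample: accepted, pinned key matched"
check_status "$SAMPLE_BADSIG" "$SIGNER_FPR" || echo "sample: rejected, BADSIG"
```

Against a real download, `verify_release Bitmessage-0.6.1.exe Bitmessage-0.6.1.exe.asc <maintainer fingerprint>` is the call, with the fingerprint obtained out of band rather than from the same page as the files.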
PeterSurda commented 2021-09-26 11:41:42 +02:00 (Migrated from github.com)

@Jeroentetje3 I'm having some mail issues on one server, peter@bitmessage.at is probably the best way to reach me.

Reference: Bitmessage/PyBitmessage-2024-08-21#1130