This repository was archived by the owner on Sep 5, 2020. It is now read-only.

GPG releases almost there, but missing key info + sig #1184

Open
@taoeffect

Per @danielmcclure's comment, for GPG releases to be secure it is insufficient to merely have GitHub verify them; ultimately it is users who must verify them, and without that a MITM attack is still possible on users.

So what's needed with the releases is:

  1. Link to the public key, which seems to be 0x07A05B5E713CB70E but is nowhere to be found on key servers.
  2. A signed file of the hashes.

For (2), e.g. instead of this:

4cc5774cc6900fbcaa155705291e2f85f5568b19b8163a603e953bececac42d3  Mist Setup 0.8.3-ia32.exe.zip
de511a2db31f1b4b9a0924522934790f9d138b0dd22ff6168e01c426ff6cdaf2  Mist Setup 0.8.3.exe.zip
c1d9bf21bf01b6a000126a537a4d7b35131e1ba48d301edf33240cd82473bca0  Mist-0.8.3-ia32.deb
88faf16f85135f7a6fb1da57019db1cc5bf147411ea0fcd523472b88e5fcda4f  Mist-0.8.3.deb
bf1784d7c52cb0980b5e2976c90b251fe49934cb12df60a30df6e22bb34b36b1  Mist-0.8.3.dmg

You'd have something like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

4cc5774cc6900fbcaa155705291e2f85f5568b19b8163a603e953bececac42d3  Mist Setup 0.8.3-ia32.exe.zip
de511a2db31f1b4b9a0924522934790f9d138b0dd22ff6168e01c426ff6cdaf2  Mist Setup 0.8.3.exe.zip
c1d9bf21bf01b6a000126a537a4d7b35131e1ba48d301edf33240cd82473bca0  Mist-0.8.3-ia32.deb
88faf16f85135f7a6fb1da57019db1cc5bf147411ea0fcd523472b88e5fcda4f  Mist-0.8.3.deb
bf1784d7c52cb0980b5e2976c90b251fe49934cb12df60a30df6e22bb34b36b1  Mist-0.8.3.dmg
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
=SCO2
-----END PGP SIGNATURE-----
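
As an added illustration of the user-side check this issue asks for (not code from the issue's author or from the Mist project): the sketch below accepts a clearsigned hash list only if `gpg` reports a valid signature from a pinned full fingerprint, then compares each download's SHA-256 against the signed text. The function names are hypothetical, and it assumes the release key is already in the local keyring, that its full fingerprint was obtained out of band, and that the list uses the `sha256sum` line format shown above.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path


def signer_is_pinned(status_output, pinned_fpr):
    """True only if gpg's --status-fd output has VALIDSIG for the pinned
    fingerprint (field 3 is the signing key, the last field the primary key)."""
    for line in status_output.splitlines():
        fields = line.split()
        if fields[:2] == ["[GNUPG:]", "VALIDSIG"] and len(fields) > 2:
            if pinned_fpr.upper() in (fields[2].upper(), fields[-1].upper()):
                return True
    return False


def verified_manifest(signed_path, pinned_fpr):
    """Return only the text covered by a valid signature from the pinned key."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "manifest.txt"
        proc = subprocess.run(
            ["gpg", "--batch", "--status-fd", "1", "--output", str(out),
             "--decrypt", str(signed_path)],
            capture_output=True, text=True)
        if proc.returncode != 0 or not signer_is_pinned(proc.stdout, pinned_fpr):
            raise ValueError("no valid signature from the pinned key")
        return out.read_text()


def check_release(manifest_text, directory):
    """Map each listed file name to whether its SHA-256 matches the manifest."""
    results = {}
    for line in manifest_text.splitlines():
        parts = line.split(None, 1)  # file names may contain spaces
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        path = Path(directory) / name
        results[name] = (path.is_file() and
                         hashlib.sha256(path.read_bytes()).hexdigest() == digest)
    return results


if __name__ == "__main__":
    # Constructed demo input: one file and a matching manifest line, no gpg needed.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "Example Setup 0.0.0.exe.zip").write_bytes(b"constructed")
        line = hashlib.sha256(b"constructed").hexdigest() + "  Example Setup 0.0.0.exe.zip"
        print(check_release(line, d))
```

Passing the output of `verified_manifest` to `check_release`, rather than the raw downloaded file, ensures that only lines inside the signed block are trusted.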
