Brave-browser: Publish code signing keys and signatures for Linux

Created on 25 Aug 2018  ·  7 Comments  ·  Source: brave/brave-browser

Carried over from https://github.com/brave/browser-laptop/issues/197

We should publish our code signing keys and signatures so that anyone can independently verify them. See https://www.torproject.org/docs/verifying-signatures.html.en for an example of a project that does this.

I also think it's a good idea to sign git tags.

Our current status (browser-laptop):

  • we publish the Linux signing keys (used for .deb/.rpm packages)
  • many of us sign our commits already (which is reflected on GitHub)

On browser-laptop, end users can check the signature on the installer / binaries:

  • macOS can verify by running spctl --assess --verbose /Applications/Brave.app/. If app is signed, it should return something like this:
    /Applications/Brave.app/: accepted source=Developer ID
  • Windows Authenticode signature can be checked by right-clicking the installer and choosing Properties. Once open, go to the Digital Signatures tab and double-click on the signature. Make sure it says "The digital signature is OK".
QNo documentation needs-discussion security
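
For the Linux packages this issue is about, an independent check means confirming that a signature was made by the published key, identified by its full fingerprint, and not merely by some key in the local keyring. The following is an added example, not code from the issue or from Brave: the fingerprint, key name and status lines are constructed placeholders, and `check_status` / `verify_pkg` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: accept a file only if gpg's machine-readable status output
# shows a valid signature from one pinned key. All sample values are constructed.

PINNED="0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"  # placeholder fingerprint

# check_status PINNED_FPR   (reads `gpg --status-fd 1 --verify` output on stdin)
# Returns 0 only if a VALIDSIG line names the pinned fingerprint and no
# failure status (bad, expired or revoked signature/key) is present.
check_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # Field 3 is the signing (sub)key fingerprint; the last field is the
        # primary key fingerprint on current GnuPG versions.
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_pkg PINNED_FPR KEYFILE SIGFILE DATAFILE
# Imports the published key into a throwaway keyring so that no other key
# already trusted on the machine can satisfy the check.
verify_pkg() {
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet --import "$2" 2>/dev/null
    gpg --homedir "$home" --batch --status-fd 1 --verify "$3" "$4" 2>/dev/null |
        check_status "$1"
    rc=$?
    rm -rf "$home"
    return $rc
}

# Constructed status output for a good signature by the placeholder key.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key <releases@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-08-25 1535155200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}
```

The pinned fingerprint has to come from a channel independent of the download itself, such as the project's published signing-keys page.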

All 7 comments

Marking this for releasable builds since we already publish the Linux signing keys on the website.

As mentioned to @mbacchi and @RyanJarv, we will need to rotate the keys for brave-core since they are inadequately secure. We will then need to publish the new keys before release. https://brave.com/signing-keys

@mbacchi @RyanJarv I'd love to help with this - hit me up anytime 😄

I've supplied Sampson with the public signing key for our Linux builds. macOS and Windows builds ongoing.

This is waiting until closer to release date, but as far as I understand everything is ready to go.

@jonathansampson has this on staging server for Linux so I'm going to close this issue.
This issue is meant to be blocking only for Linux.

I posted this issue for Windows and macOS though:
https://github.com/brave/brave-browser/issues/1703

If we get it today too that's great and we can close it too, but tracking it in 1.x in the meantime.

Is there any plan to sign git tags?

@cg505 that's a good request - I created an issue to track that here (in case you wanted to subscribe):
https://github.com/brave/brave-browser/issues/3243
