Desktop: Provide checksum & GPG .sig for (Windows) binary

Created on 31 Mar 2018  路  13Comments  路  Source: nextcloud/desktop

Please provide SHA2-512 checksum and GPG .sig for the .exe binary so we can check if the binarys arent corrupted nor modified

enhancement feature-request
Source
picture beerisgood

All 13 comments

I agree we should do this. How can we do it @rullzer ?

camilasan picture camilasan on 16 Apr 2018
👍1

We already sign the windows installers. (the exe itself is signed). So when opening the installer windows already checks this.

rullzer picture rullzer on 29 Jun 2018
👎1

Hi could you consider doing the same (checksum & GPG .sig) for sources and binaries on platforms other than Windows?

yan12125 picture yan12125 on 4 Dec 2018

Hello folks,

some news here?
It would be nice to have the checkums at minimum. nc-client ist relevant for infrastructure and a risk.
This sould also provides for all releases...

polymeer picture polymeer on 10 Oct 2019

As @rullzer already said, the Windows installer is signed with our Windows code signing key and so are the binaries inside the program folder since 2.5.3, so that Windows can verify the software.

But I agree, we should provide checksums & GPG .sig's for the other platforms and can do this for Windows too, doesn't hurt ;-)

I'll implement this once I find the time. 馃樇

misch7 picture misch7 on 10 Oct 2019
👍1

Thanks! By the way https://github.com/nextcloud/desktop/issues/1490 seems the relevant ticket for macOS.

yan12125 picture yan12125 on 10 Oct 2019

@yan12125 Ah, yes thanks, I've seen it :-)

misch7 picture misch7 on 10 Oct 2019
👍1

I may have not described pecisely. What I mean is that checksums are visible for the downloadable file as an asset. Not that the nc-client check the sum.

bytheway thank you for activity

polymeer picture polymeer on 10 Oct 2019

@polymeer You're welcome :)

Thanks for clarifying 馃憤 This was already clear (to me at least), checkums like we know them for ISO downloads from distros and so on ;-)

misch7 picture misch7 on 10 Oct 2019

Great to see 3.0 is coming. Could this and related issues (#1490, #1510) be revisited for the 3.0 release?

/cc @er-vin - I noticed most recent tags are created by you. Thanks a lot for the efforts! I assume you may be interested in this and related issues.

yan12125 picture yan12125 on 6 Aug 2020

Definitely, unfortunately I don't think it will happen this time around, hopefully for the next cycle.

er-vin picture er-vin on 11 Aug 2020
1

I notice that in version 3.0.2, Windows .exe, Linux .appimage and macOS .pkg are all signed. Thanks a lot for the efforts! I think #1490 (for .pkg) and #1805 (for .appimage) can be closed? For tracking the status of signed source tarballs, one of this ticket, #1510 or #1953 can be used.

yan12125 picture yan12125 on 25 Sep 2020

Good point, I'll close the relevant ones.

er-vin picture er-vin on 29 Sep 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

TP75 picture TP75  路  3Comments
linucksrox picture linucksrox  路  3Comments
Engineer-of-Stuff picture Engineer-of-Stuff  路  3Comments
despens picture despens  路  3Comments
kaysond picture kaysond  路  3Comments