Handbrake: PGP key?

Created on 7 May 2017 · 12 Comments · Source: HandBrake/HandBrake

Where is the PGP signature for HandBrake?

I see some one requested file signatures in issue #91. I guess @assarbad should be saying I told you so.

Attackers check to see if the project maintainers care enough or even know how to use PGP. HandBrake now has a target on it. Good Luck!

http://mostvulnerable.com/

All 12 comments

If you get the files through Subversion there's no need for PGP. A SHA256 is enough for the integrity of files, unless someone has hacked the HandBrake developer account and injected code into the built HandBrake and eventually updated the checksum. In that case he would see an extra commit he has never done. An alternative is that the developer's PC was hacked, but in that case even using a private key is not enough.


You are mistaken.

Awaiting pub key id from someone actually associated with the project.

@Darelbi what Subversion repo are you referring to? I mean I get that if the files were to be stored inside the Git repo that might add a bit of security, because manipulations should become evident more quickly, but how - without some kind of signing - do you think there's any level of assurance about the origin of the software? That's what signing is all about, to certify that someone in possession of the private key (which you may or may not trust), has created and signed a particular software package.

@reelsense I can kind of understand the reason they didn't want to use ordinary code-signing, although I know of at least one CA which offers them at low enough rates for Open Source developers (https://en.sklep.certum.pl/data-safety/code-signing-certificates/open-source-code-signing-925.html). I think we'd have trouble _not_ to find enough people to shell out €28 for the project owner to purchase a proper certificate. I think at some point they were even free of charge, but checking again now reveals that they're charging a modest fee.

However, PGP-signing costs nothing extra and from what little I understand about macOS you can store your private keys securely without much trouble. You can always store them as files in some encrypted container also. So am still unsure about the original response I got in #91. But I don't want to be rude either, because I know what it means to invest time and effort into FLOSS and then getting the odd praise, but mostly requests for what could be improved (or is allegedly wrong). This is why I refrained from another response there.

The oddest thing, though, is that according to the authors there is some signature-checking inside the built-in updater, so I am wondering why the signatures aren't being made available publicly e.g. on the Checksums page (https://handbrake.fr/checksums.php) along with the public keys matching the signatures.

@assarbad Just ignore and/or block Darelbi, it's probably a critical theory bot. Spreading disorienting bullshit. This isn't the place to explain PGP to someone new either. They aren't even a contributor.

Basically you want to check PGP in case the developer's GitHub account was hacked (but not his computer), so that you can do stuff like preventing automatic updates in a CI environment? I think (intentionally) corrupted packages are not this common on GitHub. And I also think the preferred attack vector is exploiting vulnerabilities in the app, which will work even in the case of signed packages. My $0.01.


pgp_test_pack.zip

(apparently github doesn't like sig or asc files :( )

Attached PGP public key and associated file signatures for 1.0.7, give that a test. If all looks OK it's on the list for a site rollout soon.

@assarbad -> Updates are signed with a DSA sig starting 1.0.0 for both Mac and Windows.

P.S. #91: I for some reason didn't pick up on the fact you were talking about PGP. I was referring to Apple Developer ID / Authenticode, both of which have a barrier to entry in terms of verification.

P.P.S. It's fine to challenge me if I come out with something garbage. I'm only human you know ;)

@reelsense PGP is only part of the solution. People still have to verify and many are simply too lazy / busy to care even those that know better. Even if folks had verified the SHA256 hash in this case, it would have saved them a lot of bother.

I'm currently working on a pre/post download page as well that will better advertise the hashes and signatures with instructions for each. I doubt we'll make a big dent but if a few more people benefit, it's better than nothing.

We'll be posting the public key on the site, on our GitHub wiki, and we'll look into a suitable public key server as well.

@sr55 thanks!

I'll test the other files as well, but the Windows installer verifies properly with those detached signatures.

C:\Users\Oliver\Desktop\pgp_test_pack>gpg2 --verify HandBrake-1.0.7-x86_64-Win_GUI.exe.sig
gpg: assuming signed data in 'HandBrake-1.0.7-x86_64-Win_GUI.exe'
gpg: Signature made 05/08/17 17:21:57 Coordinated Universal Time
gpg:                using RSA key 0x021DB8B44E4A8645
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: key 0x0EB191DEEBCC2348: no public key for trusted key - skipped
gpg: key 0x0EB191DEEBCC2348 marked as ultimately trusted
gpg: Good signature from "HandBrake Team <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1629 C061 B3DD E7EB 4AE3  4B81 021D B8B4 4E4A 8645

Btw, note that GPG claims that it's been signed using an RSA key, not DSA.

As a side note, please make sure not to use the short user ID (that 32-bit value) or even the long one if you want to convey the details of your key. Instead, make sure that you give the fingerprint. The problem with those IDs is that they are easy to fake. In fact this has been done for my short ID, too (the one created in 2014 was essentially a proof).

And regarding #91, yeah, I was listing possible options. The cheapest is of course to use PGP with the same level of confidence for users. The only downside is that users sometimes have a hard time verifying these without some basic knowledge about PGP. And my remark was mostly about the fact that oftentimes the bureaucracy (like this) keeps a contributor/maintainer from improving the main subject of interest. So I thought a snarky remark would be misplaced.

As for the pre-download site, you could point to fciv by Microsoft for the Windows users. This sidesteps the problem that you'd otherwise have to download some piece of software which itself is not code-signed in order to verify the download. Alternatively for Windows you could point to gpg4win. I know for Mac there's the GPGtools package offering a similar functionality.

NB: many keyservers, if not most, exchange the public key information. So it's not even important which exact server you pick. I for one use eu.pool.sks-keyservers.net, btw.
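An added example (not from this thread or the HandBrake project) that turns the two points above into code: the long and short key IDs gpg prints are just suffixes of the fingerprint, so a download-verification script should pin the full fingerprint from gpg's `--status-fd` output rather than trusting a "Good signature" line alone. The status transcripts, the timestamp and the e-mail address are constructed; only the fingerprint comes from the gpg output quoted in the comment.

```python
import re

# Primary key fingerprint exactly as gpg printed it in the verification above.
HANDBRAKE_FPR = "1629 C061 B3DD E7EB 4AE3  4B81 021D B8B4 4E4A 8645"

def normalize_fpr(fingerprint: str) -> str:
    """Strip spaces, upper-case, and reject anything that is not 40 hex digits."""
    fpr = fingerprint.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40-hex-digit v4 OpenPGP fingerprint")
    return fpr

def key_ids(fingerprint: str) -> tuple:
    """Return (long_id, short_id): the trailing 64 and 32 bits of the fingerprint.

    Both IDs are mere suffixes of the SHA-1 fingerprint, so a short ID can be
    brute-forced to collide; only the full fingerprint identifies a key.
    """
    fpr = normalize_fpr(fingerprint)
    return fpr[-16:], fpr[-8:]

def signature_ok(status_output: str, pinned_fingerprint: str) -> bool:
    """Accept a detached signature only if gpg's VALIDSIG line names the pinned key.

    GOODSIG carries just the long key ID; VALIDSIG carries the signing key's
    fingerprint (field 2) and, when present, the primary key's (field 11).
    A 'Good signature' from some other key is still a failure here.
    """
    pinned = normalize_fpr(pinned_fingerprint)
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            candidates = {fields[2].upper()}
            if len(fields) >= 12:
                candidates.add(fields[11].upper())
            return pinned in candidates
    return False  # BADSIG, ERRSIG, NODATA or no status lines at all

# Constructed --status-fd transcripts (not real gpg output); the signing
# timestamp and the e-mail address are placeholders.
GOOD_STATUS = """[GNUPG:] GOODSIG 021DB8B44E4A8645 HandBrake Team <team@example.invalid>
[GNUPG:] VALIDSIG 1629C061B3DDE7EB4AE34B81021DB8B44E4A8645 2017-05-08 1494264117 0 4 0 1 8 00 1629C061B3DDE7EB4AE34B81021DB8B44E4A8645
[GNUPG:] TRUST_UNDEFINED 0 pgp"""
OTHER_KEY_STATUS = """[GNUPG:] GOODSIG FFFFFFFFFFFFFFFF Impostor <imp@example.invalid>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2017-05-08 1494264117 0 4 0 1 8 00 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"""
BAD_STATUS = "[GNUPG:] BADSIG 021DB8B44E4A8645 HandBrake Team <team@example.invalid>"
```

Run gpg as `gpg2 --status-fd 1 --verify file.sig file` and feed its output to `signature_ok`; the long ID it returns for the HandBrake fingerprint is the same `021DB8B44E4A8645` that gpg printed above.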

verification.txt

All files verify fine with these detached signatures. Thanks again for making them available!

Sorry, Sparkle Updater library uses DSA, so we use a DSA key for that. There is an open case about that here: https://github.com/sparkle-project/Sparkle/issues/1037

GPG seems to use RSA by default and the consensus is that it's better to use that.

Sorry for the confusion.

I'm going to back-date the signatures for all downloads when I get 10 minutes of free time. Please bear with me on this one. I've got a lot to do (including my real day job too, :()

I was planning screenshots / step-by-step guide with the new download pages to make it as easy as possible for users.

Now published for all releases in the last 6.5 Years going back to 0.9.5

Excellent documentation and fast response! You're leading by example.
Thank you!
