Keepassxc-browser: Sign commits and releases with PGP key?

Created on 10 Mar 2020 · 7 comments · Source: keepassxreboot/keepassxc-browser

Expected Behavior

  • Releases should have an ascii-armored gpg .sig file for each zip file.
  • Ideally, each commit should also be signed for auditability.

Why: so we know the release was actually made by someone other than a rogue github employee, hacker with account credentials or attacker who can break TLS.

Given the sensitivity of password managers -- security is critical. Currently @varjolintu doesn't seem to gpg sign commits or releases resulting in a much larger attack surface. We must now rely on github entirely. We must also trust that the account on github is also secure and that nobody has inserted their own commits under this account.

Current Behavior

Users must simply trust GH, certificate issuers, developer's browser, etc.

Possible Solution

Sign releases and commits.

security

All 7 comments

There is really no point in signing browser extension releases, since they are distributed through the Chrome and Mozilla stores. We could sign tags perhaps, but that's all.

Giving users the ability to install / verify directly (rather than relying on the stores alone) would still be a benefit. (Can compare the installed chrome extension with the expanded + verified zip file contents)

As a start, please confirm these are correct:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

These are the files I downloaded from GitHub:
ba27af260290b2333e23251f1fcafd13c1ae4793ec92c69acd494359b89f72f6  keepassxc-browser_1.5.4_chromium.zip
908a20868042feeb5e5cd565c31c1dc5cfda4e046d67cf2f0b1d86837ed0d63b  keepassxc-browser_1.5.4_firefox.zip

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEMsk361Pa9SImG35c2FeN+Op8zxsFAl5nrSEACgkQ2FeN+Op8
zxu+WwgAqaWA0QdjvxWj/QxcuhGQVItfGxh5vKQ3jpswPlcazHSJEDGJwxnaxr33
eXcIRJJChCYud31cv9haRcSvI1Radq7gS1fp7PaIBUEk2agBbyP83yyD222CWfsE
dA3utKd/F60nXtvpo916hmRLi04kMX57DpIw+WC+pKrfW29rcamxhfCJuzdoUwfF
Iy2o678n12n/U7gGF7P1sTm+w91DQEYt6pxMBYbuidoHnxyZABtBnQUY5SCx+q/W
C9qMFgHKiwqCyl1qScig9ycygpKV73imkG9l3VEaz5ivM2F2I6yNUZRjUMU/IW5e
ddDRtosZ09AU74GHFjqhbea7I/BAGg==
=74Rs
-----END PGP SIGNATURE-----
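
The check proposed in this comment (verify the signed hash list, then compare the downloaded zips against it) as an added example; this is not code from the keepassxc-browser project or from anyone in the thread. It assumes gpg is on PATH with the maintainer's public key imported, uses a placeholder `EXPECTED_FINGERPRINT` (the real fingerprint would be obtained out of band), reuses the signed text above as sample input with the armored signature omitted, and includes a `demo_hash_check` function that exercises only the hash stage on constructed files so it runs without gpg:

```python
"""Verify a release zip against a clearsigned SHA-256 manifest (added example,
not keepassxc-browser project code). Assumes the maintainer publishes a
clearsigned text like the one in this thread and that the reader has imported
the signing key into GnuPG and checked its fingerprint out of band."""
from __future__ import annotations

import hashlib
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Placeholder (not on the page): the maintainer's key fingerprint, obtained out of band.
EXPECTED_FINGERPRINT = "0000000000000000000000000000000000000000"

# Signed part of the message posted in this thread (sample input; armored signature omitted).
SAMPLE_MANIFEST = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

These are the files I downloaded from GitHub:
ba27af260290b2333e23251f1fcafd13c1ae4793ec92c69acd494359b89f72f6  keepassxc-browser_1.5.4_chromium.zip
908a20868042feeb5e5cd565c31c1dc5cfda4e046d67cf2f0b1d86837ed0d63b  keepassxc-browser_1.5.4_firefox.zip

-----BEGIN PGP SIGNATURE-----
(armored signature omitted)
-----END PGP SIGNATURE-----
"""
HASH_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")

def parse_clearsigned_manifest(text: str) -> dict[str, str]:
    """{filename: sha256hex} read from the signed body only (between the armor
    headers and the signature), so unsigned text cannot add an entry. Use only
    after gpg_verify() succeeded."""
    lines = text.splitlines()
    try:
        body = lines[lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1:
                     lines.index("-----BEGIN PGP SIGNATURE-----")]
    except ValueError as exc:
        raise ValueError("not a clearsigned message") from exc
    if "" in body:                          # drop armor headers such as 'Hash: SHA256'
        body = body[body.index("") + 1:]
    manifest: dict[str, str] = {}
    for line in body:
        if line.startswith("- "):           # undo clearsign dash-escaping
            line = line[2:]
        if m := HASH_LINE.match(line.strip()):
            manifest[m.group(2)] = m.group(1).lower()
    return manifest

def check_files(manifest: dict[str, str], directory: Path) -> dict[str, str]:
    """Per-file status: 'ok', 'mismatch' or 'missing'. Only the basename of an
    entry is used, so a manifest cannot steer the check outside the directory."""
    results = {}
    for name, expected in manifest.items():
        path = directory / Path(name).name
        if not path.is_file():
            results[name] = "missing"
        else:
            actual = hashlib.sha256(path.read_bytes()).hexdigest()
            results[name] = "ok" if actual == expected else "mismatch"
    return results

def gpg_verify(manifest_path: Path, fingerprint: str = EXPECTED_FINGERPRINT) -> bool:
    """Check the signature with GnuPG and pin it to one key. gpg exits 0 for any
    valid signature by a key in the keyring, trusted or not, so require a
    VALIDSIG status line whose (primary) fingerprint matches instead."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found on PATH")
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", str(manifest_path)],
                          capture_output=True, text=True, check=False)
    for line in proc.stdout.splitlines():
        fields = line.split()
        if fields[:2] == ["[GNUPG:]", "VALIDSIG"] and fingerprint.upper() in (fields[2], fields[-1]):
            return True
    return False

def verify_release(manifest_path: Path, directory: Path) -> dict[str, str]:
    """Signature first, hashes second: a matching hash means nothing if the
    manifest itself is not authentic."""
    if not gpg_verify(manifest_path):
        raise RuntimeError("signature did not verify; do not trust the listed hashes")
    return check_files(parse_clearsigned_manifest(manifest_path.read_text()), directory)

def demo_hash_check() -> dict[str, str]:
    """Offline run of the hash stage on constructed files (no gpg needed)."""
    original = b"constructed release bytes"
    digest = hashlib.sha256(original).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "good.zip").write_bytes(original)
        (d / "tampered.zip").write_bytes(original + b" modified")
        text = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                f"{digest}  good.zip\n{digest}  tampered.zip\n{digest}  absent.zip\n"
                "-----BEGIN PGP SIGNATURE-----\n(demo: unsigned)\n-----END PGP SIGNATURE-----\n")
        return check_files(parse_clearsigned_manifest(text), d)
```

The order matters: `verify_release` refuses to read the hash list until the signature has verified against the pinned fingerprint, because `gpg --verify` returns success for any valid signature from any key in the keyring, including one the verifier has never checked. Once the zips check out, their unpacked contents can be compared with what the browser installed from the store, which is the comparison suggested in the comment.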

@varjolintu setup commit signing!

@droidmonkey Just did! I can also create .sig files for future releases with my key, if that is necessary.

I don't see a reason to add sig files. Just sign the tag.

I'm not sure which key varjolintu will be using, but it would be good to have it verified / cross-signed by other members of the team.

For the purposes of GitHub his particular key is irrelevant. The only relevance is that the corresponding public key is registered with his GitHub account. That verifies the commit made on Git is actually made by the person who has the credentials for the varjolintu account.
