I didn't find PGP signatures of the releases. I suppose there aren't any. Could you please sign the releases? (Or in case signatures are published, make them more discoverable.)
@Kixunil
Okay, I'll look into this. However, I am now publishing the SHA512 hashes of the builds under my ssb identity on patchwork.
My feed ID: @FbGoHeEcePDG3Evemrc+hm+S77cXKf8BRQgkYinJggg=.ed25519
Latest release: %MpOe7Tk/Bwy4El9brJgottDHPgMl/X9JjFL0JowRSB8=.sha256
If you have gpg installed, all you have to do to sign the releases (assuming the naming scheme here is run the following command
for file in Patchwork-3.11.4-*; do gpg --detach-sign $file; done
This produces the files contained in this zip file.
Yes, please sign the executables. Windows is giving a stern warning. What happens when Microsoft or the government decides that whomever wants to install Scuttlebutt must have something to hide, and therefore intercepts the installers?

What happens when Microsoft or the government decides that whomever wants to install Scuttlebutt must have something to hide, and therefore intercepts the installers?
Wouldn't a signature make this even easier for them to identify and block? :wink:
For what it's worth, I think both Microsoft and Apple require you to pay hundreds of dollars per year for a certificate, whereas something like PGP (or Scuttlebutt) are simple and free. It would be nice to get PGP certificates, but I don't know if that's something that Matt is interested in supporting right now (I know he's been working a ton on Patchwork lately).
I was referring to PGP signatures. See how TOR does it.
https://www.torproject.org/download/download-easy.html.en
https://www.torproject.org/dist/torbrowser/8.0.4/torbrowser-install-win64-8.0.4_en-US.exe.asc
https://www.torproject.org/docs/verifying-signatures.html.en
:mans_shoe: :open_mouth:
Thanks for clarifying, my bad. I totally misunderstood what you meant!
The method I mentioned above will generate the gpg .asc files needed for verification, in the way described in the Tor documentation.
If you want to generate a signed pgp message recording the shasums, you can also do something like:
shasum -a 256 Patchwork-3.11.4-* | gpg --clearsign
Obviously this all depends on having gpg installed:
brew install gpg
or
aptitude install gpg
etc.
Also, you need to generate a key:
gpg gen-key
Ideally, you should keep your private key offline, or on a Yubikey type device. However, even without this level of security, pgp signing is still valuable.
Also, try to build your web of trust by meeting others in the community, and verifying and signing each other's keys.
I assume we need to find answers to the following questions before this issue can proceed:
Also, it would be ideal if all the node dependencies were pgp signed as described here.
@Kixunil
Okay, I'll look into this.
Hi @mmckegg
I tried to compile Patchwok but faced several problems, so I considered to download the package. Then I saw you released new versions and still can't find a PGP signature.
It would be nice to have the software signed, ideally by a package maintainer with a wide GPG-Web-of-Trust within the Free Software community.
However, I am now publishing the SHA512 hashes of the builds under my ssb identity on patchwork.
Verifying hashes on patchwork would require to first install it without having verified it. I mean it does not seem like a good solution.
What is the reason for not signing software?
Update: we're all hooked up with electron-builder and I'd love to see a pull request for code signing if anyone has the bandwidth for it. :tada:
As a related side note, i wonder how this can work with automated releases. Who and when will sign the builds?
My understanding is that Travis CI can do this automatically. We'll create a signing key and upload it to Travis as a secret environment variable, which is used by electron-builder to sign the releases.
On Sat, Apr 27, 2019, at 08:30, Gergely Polonkai wrote:
As a related side note, i wonder how this can work with automated releases. Who and when will sign the builds?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub https://github.com/ssbc/patchwork/issues/836#issuecomment-487295387, or mute the thread https://github.com/notifications/unsubscribe-auth/AAEDIZAHE4XCOPRQRZCNQNLPSRWTDANCNFSM4FKGIYZQ.
@Powersource @cinnamon-bun
Do you think this would be worth the funds? I can make an expense in OpenCollective if you're down. Just saw this article saying that the newest macOS release might not even let people open unsigned apps.
On the other hand, I'm a bit annoyed that we need to pay Apple money just to let people install Patchwork.
I'm fine with signing as long as no one has to get within a 5m radius of gpg and preferrably if we can do it for free.
What the people in this thread are asking for is just signing with any old key. That makes stuff safer for free but I don't think that's gonna help us against apple.
Is there nice documentation on how to get it to work with apple? Guessing they don't approve of letsencrypt? Can several projects share the same authorization from apple? In that case maybe we could use the same one for the entire ssbc. And maybe move the apple discussion to another issue since I'd say it's a different topic to this issue.
Most helpful comment
I assume we need to find answers to the following questions before this issue can proceed: