Patchwork: Cryptographically sign releases

Created on 16 Jul 2018  Â·  15Comments  Â·  Source: ssbc/patchwork

I didn't find PGP signatures of the releases. I suppose there aren't any. Could you please sign the releases? (Or in case signatures are published, make them more discoverable.)

help wanted builds enhancement

Most helpful comment

I assume we need to find answers to the following questions before this issue can proceed:

  • [ ] Who makes the builds? (@mmckegg ?)
  • [ ] Do they already have a PGP key? (Do they want help getting this set up?)
  • [ ] Do they want help adapting the build process to automatically sign the releases with their key?
  • [ ] Where can we download their PGP public key? Can it be uploaded to keyservers, and perhaps linked on Github, and their SSB profile?
  • [ ] Is there anything else we can do to help?

All 15 comments

@Kixunil

Okay, I'll look into this. However, I am now publishing the SHA512 hashes of the builds under my ssb identity on patchwork.

My feed ID: @FbGoHeEcePDG3Evemrc+hm+S77cXKf8BRQgkYinJggg=.ed25519
Latest release: %MpOe7Tk/Bwy4El9brJgottDHPgMl/X9JjFL0JowRSB8=.sha256

If you have gpg installed, all you have to do to sign the releases (assuming the naming scheme here is run the following command

for file in Patchwork-3.11.4-*; do gpg --detach-sign $file; done

This produces the files contained in this zip file.

Yes, please sign the executables. Windows is giving a stern warning. What happens when Microsoft or the government decides that whomever wants to install Scuttlebutt must have something to hide, and therefore intercepts the installers?

image

What happens when Microsoft or the government decides that whomever wants to install Scuttlebutt must have something to hide, and therefore intercepts the installers?

Wouldn't a signature make this even easier for them to identify and block? :wink:

For what it's worth, I think both Microsoft and Apple require you to pay hundreds of dollars per year for a certificate, whereas something like PGP (or Scuttlebutt) are simple and free. It would be nice to get PGP certificates, but I don't know if that's something that Matt is interested in supporting right now (I know he's been working a ton on Patchwork lately).

:mans_shoe: :open_mouth:

Thanks for clarifying, my bad. I totally misunderstood what you meant!

The method I mentioned above will generate the gpg .asc files needed for verification, in the way described in the Tor documentation.

If you want to generate a signed pgp message recording the shasums, you can also do something like:

shasum -a 256 Patchwork-3.11.4-* | gpg --clearsign

Obviously this all depends on having gpg installed:

brew install gpg

or

aptitude install gpg

etc.

Also, you need to generate a key:

gpg gen-key

Ideally, you should keep your private key offline, or on a Yubikey type device. However, even without this level of security, pgp signing is still valuable.

Also, try to build your web of trust by meeting others in the community, and verifying and signing each other's keys.

I assume we need to find answers to the following questions before this issue can proceed:

  • [ ] Who makes the builds? (@mmckegg ?)
  • [ ] Do they already have a PGP key? (Do they want help getting this set up?)
  • [ ] Do they want help adapting the build process to automatically sign the releases with their key?
  • [ ] Where can we download their PGP public key? Can it be uploaded to keyservers, and perhaps linked on Github, and their SSB profile?
  • [ ] Is there anything else we can do to help?

Also, it would be ideal if all the node dependencies were pgp signed as described here.

@Kixunil

Okay, I'll look into this.

Hi @mmckegg

I tried to compile Patchwok but faced several problems, so I considered to download the package. Then I saw you released new versions and still can't find a PGP signature.

It would be nice to have the software signed, ideally by a package maintainer with a wide GPG-Web-of-Trust within the Free Software community.

However, I am now publishing the SHA512 hashes of the builds under my ssb identity on patchwork.

Verifying hashes on patchwork would require to first install it without having verified it. I mean it does not seem like a good solution.

What is the reason for not signing software?

Update: we're all hooked up with electron-builder and I'd love to see a pull request for code signing if anyone has the bandwidth for it. :tada:

As a related side note, i wonder how this can work with automated releases. Who and when will sign the builds?

My understanding is that Travis CI can do this automatically. We'll create a signing key and upload it to Travis as a secret environment variable, which is used by electron-builder to sign the releases.

On Sat, Apr 27, 2019, at 08:30, Gergely Polonkai wrote:

As a related side note, i wonder how this can work with automated releases. Who and when will sign the builds?

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub https://github.com/ssbc/patchwork/issues/836#issuecomment-487295387, or mute the thread https://github.com/notifications/unsubscribe-auth/AAEDIZAHE4XCOPRQRZCNQNLPSRWTDANCNFSM4FKGIYZQ.

@Powersource @cinnamon-bun

Do you think this would be worth the funds? I can make an expense in OpenCollective if you're down. Just saw this article saying that the newest macOS release might not even let people open unsigned apps.

On the other hand, I'm a bit annoyed that we need to pay Apple money just to let people install Patchwork.

I'm fine with signing as long as no one has to get within a 5m radius of gpg and preferrably if we can do it for free.

What the people in this thread are asking for is just signing with any old key. That makes stuff safer for free but I don't think that's gonna help us against apple.

Is there nice documentation on how to get it to work with apple? Guessing they don't approve of letsencrypt? Can several projects share the same authorization from apple? In that case maybe we could use the same one for the entire ssbc. And maybe move the apple discussion to another issue since I'd say it's a different topic to this issue.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

cinnamon-bun picture cinnamon-bun  Â·  4Comments

skippednote picture skippednote  Â·  6Comments

slinlee picture slinlee  Â·  4Comments

cblgh picture cblgh  Â·  8Comments

cinnamon-bun picture cinnamon-bun  Â·  4Comments