Hi, I am looking all over the web page, but I cannot find SHA256 (or similar) sums for downloaded applications so that I would be able to verify their integrity and authenticity (on Linux, which I use, that would be with tools like sha256sum and gpg or similar). Something like Linux Mint has on their web page (and let us not forget that hackers hacked their servers and planted their version of the ISO file) or Ubuntu Linux on theirs (https://linuxmint.com/verify.php and https://www.ubuntu.com/download/how-to-verify).
So, how can I verify that I have downloaded the correct version of the application, i.e. that I have not downloaded a version that was in any way manipulated by a third party (and planted on the web page in the download section)?
Go to wire.com/download and hover over 'Details'.
I wonder if it's possible to add a PGP-signed file containing checksums directly to the GitHub releases page. Have a look here for an example; note the file sha256sum.txt.asc.
By the way, there is no Details to hover for source code or Linux releases on the https://wire.com/download page.
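The verification procedure the opening question and the sha256sum.txt.asc suggestion describe, as an added example (this is not Wire's release tooling): a clear-signed checksum list is verified with gpg against a pinned fingerprint, and only the text that gpg itself emits is then fed to sha256sum. It assumes GNU coreutils sha256sum, GnuPG 2, file names without spaces, and that the signer's fingerprint was obtained from a second channel rather than the same download page; the file names and fingerprint in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not Wire's code. Verify a downloaded Linux build against a
# PGP clear-signed sha256sum list (sha256sum.txt.asc) the way the Mint and
# Ubuntu pages describe. Assumptions: GNU coreutils, GnuPG 2, no spaces in
# file names, signer fingerprint obtained out of band.

# Check one downloaded file against a plain sha256sum-format list.
# Fails if the file is not listed at all or if its digest does not match.
verify_checksum_file() {
  list="$1"; file="$2"
  name=$(basename "$file")
  # Accept "<64 hex>  <name>" and "<64 hex> *<name>" (binary-mode marker).
  entry=$(awk -v f="$name" \
    'length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ && ($2 == f || $2 == ("*" f)) { print; exit }' \
    "$list")
  if [ -z "$entry" ]; then
    echo "no checksum entry for $name in $list" >&2
    return 1
  fi
  # Run the check from the file's directory so the listed name resolves.
  ( cd "$(dirname "$file")" && printf '%s\n' "$entry" | sha256sum -c --status --strict )
}

# Verify a clear-signed list and write the signed text to $3.
# gpg exits 0 for any cryptographically valid signature, including one from
# an unrelated key that happens to be in the keyring, so the VALIDSIG status
# line is matched against the pinned fingerprint (uppercase hex, no spaces,
# either the signing subkey or the primary key, as gpg prints them).
# For a detached signature use instead:
#   gpg --status-fd 1 --verify sha256sum.txt.asc sha256sum.txt
verify_signed_list() {
  signed="$1"; fpr="$2"; out="$3"
  status=$(gpg --batch --yes --status-fd 1 --output "$out" --decrypt "$signed" 2>/dev/null) \
    || { rm -f "$out"; return 1; }
  if ! printf '%s\n' "$status" | grep -Eq "^\[GNUPG:\] VALIDSIG ($fpr |[0-9A-F ]* $fpr$)"; then
    echo "signature not made by pinned key $fpr" >&2
    rm -f "$out"
    return 1
  fi
}

# Full procedure for one download: signature first, then the digest.
verify_release() {
  signed="$1"; fpr="$2"; file="$3"
  tmp=$(mktemp) || return 1
  if verify_signed_list "$signed" "$fpr" "$tmp" && verify_checksum_file "$tmp" "$file"; then
    rm -f "$tmp"
    echo "OK: $file matches the signed checksum list"
    return 0
  fi
  rm -f "$tmp"
  echo "FAILED: do not install $file" >&2
  return 1
}

# Usage (placeholder names and fingerprint):
#   gpg --recv-keys 0123456789ABCDEF0123456789ABCDEF01234567
#   verify_release sha256sum.txt.asc 0123456789ABCDEF0123456789ABCDEF01234567 wire_amd64.deb
```

A checksum published next to the download only catches corruption; an attacker who can replace the .deb can replace sha256sum.txt too. The signature is what ties the list to the vendor, and it is only as good as the fingerprint you pinned, which is why the script matches the fingerprint rather than trusting whatever key gpg finds.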
@maximbaz Nice idea!
@raphaelrobert Yes, thank you, I see it (for Android and Windows), but as @maximbaz said, there is no checksum for either the .deb or the AppImage (I know the page says the Linux build is experimental, but still, checksums would be very nice). I just saw someone added a commit for that. I guess now it only needs to be put on the web site.
Thanks, we are looking to improve things for Linux.
Actually, there are two questions:
In main.js, starting at line 122, we see that the code that handles all of your security is downloaded every time the Wire app is run.
This code can be new every time. There is no point in checking the Electron app's integrity when it dutifully executes anything that comes from Wire's server, with nodeIntegration = true!
Issue 17 still stands.
If someone hacks Wire's server, they can serve code which, in Electron with nodeIntegration = true, owns you. Running the same malicious code in a browser, with the full browser sandbox, is safer.
By the way, @raphaelrobert, like many, you Wire guys may not be aware that the sandbox = true option has been available since September 2016. Place crypto in main, and isolate the UI in a sandbox. You guys can do it now! Let's fix issue 17.
Thanks! This is currently work in progress. We are looking into ways to improve this.
Some improvements for Linux users: https://medium.com/@wireapp/a-step-forward-for-wire-for-linux-52f0538cac15.
Is there a link to the PGP key?
Where are the signatures for this?
@reelsense
there is no point in verifying app code, because it will run any code that comes from Wire's servers, allowing it to do anything on your machine (nodeIntegration: true).
You are asking for security theater only. Ask for a structural change, in which signatures will have actual value.
ROFL. Nice.
Electron FTW 😄
@reelsense
Don't jump too fast to saying that Electron apps in general are insecure. Not at all. It is only the amateurishly lazy approach of framing websites into apps that is bad. In general, Electron can handle untrusted active code in the renderer while keeping sensitive things in the main process. You can't do this in C, C++, Java, .NET, Rust. Only browser tech creates a wrapping thing that is on the user's side. Praise Electron :pray: