It would be highly desirable if the .zip and .tar.gz files found on the Releases page were signed using GPG/PGP so that people can verify that the blobs haven't been tampered with.
Even signed commits could be useful.
As a minimum, please sha256sum the release files.
Cheers.
kseistrup
All 7 comments
The signatures should also be checked by the integrated updater.
Nutomic
on 19 Aug 2016
+1
This will prevent the use corrupt downloads from man-in-middle attacks.
DaniellMesquita
on 30 Aug 2016
@HelloZeroNet This is an important issue for security and file integrity.
See here for how-to and complete details:
https://wiki.debian.org/Creating%20signed%20GitHub%20releases
Thank you.
g4jc
on 9 Dec 2016
Since last week it possible to download and update the source code via the ZeroNet network, which verifies the data integrity by checking the signiture, but I will look at pgp signing releases
HelloZeroNet
on 9 Dec 2016
Added signing to git commits: https://github.com/HelloZeroNet/ZeroNet/commit/901478475fb15a910d3c99ccb161730b4e84ca25
HelloZeroNet
on 9 Jan 2017
FIRST SIGNED COMMIT!
MuxZeroNet
on 9 Jan 2017
Commits are now signed, :D
Closing this issue ?
ghost
on 1 Jun 2017
Related issues
blurHY
路
3Comments
wigy-opensource-developer
路
4Comments
sermont
路
3Comments
DaniellMesquita
路
3Comments
trenta3
路
3Comments
Most helpful comment
The signatures should also be checked by the integrated updater.