
PGP sign our downloads?

Posted: Fri Jun 29, 2018 12:07 pm
by cmb
Hi!

Due to recent events, I wonder whether we should sign our downloads with PGP. As it is now, we're somewhat safe against manipulation of the GitHub downloads, since the SHA-256 hashes are hosted on cmsimple-xh.org, so an attacker would also need to get access to our website. Nonetheless, offering additional detached PGP signatures would add another level of safety, since these are basically hashes which are bound to a certain identity. See http://www.cryptnet.net/fdp/crypto/strong_distro.html for further details.

Besides some additional work for the release managers, the only downside I can see would be that probably few (if any) of our users would verify the signatures.

Re: PGP sign our downloads?

Posted: Fri Jun 29, 2018 7:23 pm
by olape
cmb wrote:
Fri Jun 29, 2018 12:07 pm
Besides some additional work for the release managers, the only downside I can see would be that probably few (if any) of our users would verify the signatures.
This will probably be the same with the SHA-256 hashes. Unfortunately, such options are hardly ever used. I don't exclude myself from that.
But I don't know what we could do to motivate the users to use these things.

Re: PGP sign our downloads?

Posted: Fri Jun 29, 2018 9:22 pm
by cmb
olape wrote:
Fri Jun 29, 2018 7:23 pm
But I don't know what we could do to motivate the users to use these things.
Besides actually shipping malware with wrong hashes/signatures (which hopefully never happens!) – not much. At least already showing and using best practices may help a bit to push these forward. After all, it is not hard to check hashes/signatures, if one has the appropriate software installed and is accustomed to using it. The problem is rather that few users have such software, and that many OSS projects don't even offer hashes/signatures. So let's set a good example!
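The check discussed in the first and third posts (a SHA-256 hash taken from the project website plus a detached PGP signature), as an added shell example that is not part of this thread and not the project's own release tooling. The file names, the keyring path and the fingerprint argument are placeholders; the important detail is that gpg's exit status alone is not enough, because gpg returns success for a good signature from any key in the keyring, so the script checks the VALIDSIG status line for the expected release-key fingerprint:

```shell
#!/usr/bin/env bash
# Added example (not from the CMSimple_XH project): a user-side check of a
# download against a published SHA-256 digest and a detached PGP signature,
# plus the matching release-manager step. File names, keyring and key ID are
# assumed placeholders.

# Print the SHA-256 hex digest of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare the download's digest with the digest copied from the website.
# Returns 0 on match, 1 on mismatch; case-insensitive so a pasted
# upper-case digest still compares correctly.
verify_sha256() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Verify a detached signature against a dedicated keyring that holds only the
# release key(s) (assumed path; give an absolute path, gpg treats a bare
# name as relative to its home directory).
# gpg exits 0 for a good signature from any key it knows, so the exit code
# is not the whole story: we read the machine-readable status lines and
# require VALIDSIG with the release key's fingerprint (40 hex digits).
# Returns 0 only if the signature is valid AND made by the expected key,
# 1 on failure, 2 if gpg is not installed.
verify_detached_sig() {
    local file="$1" sig="$2" keyring="$3" expected_fpr status
    expected_fpr=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 2; }
    [ -f "$sig" ] || { echo "missing signature file $sig" >&2; return 1; }
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr "
}

# Release-manager side: write the digest next to the artifact and create an
# ASCII-armoured detached signature with the release key (assumed key ID).
sign_release() {
    local file="$1" keyid="$2"
    sha256_of "$file" > "$file.sha256" || return 1
    gpg --local-user "$keyid" --armor --detach-sign --output "$file.asc" "$file"
}

# Usage: verify.sh <download> <sha256-from-website> <download.asc> <keyring> <fingerprint>
main() {
    verify_sha256 "$1" "$2" || { echo "SHA-256 mismatch for $1" >&2; return 1; }
    verify_detached_sig "$1" "$3" "$4" "$5" || { echo "bad or missing signature for $1" >&2; return 1; }
    echo "OK: $1 matches the published digest and is signed by $5"
}

if [ "$#" -eq 5 ]; then
    main "$@"
fi
```

The keyring should contain only the project's release key, imported once from a trusted source; importing from a key server on every download would defeat the point, since an attacker who replaced the archive could just as well publish a key of their own.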