Comments (8)
FWIW:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Riot v1.3.4
From: https://packages.riot.im/desktop/install/macos/Riot-1.3.4.dmg
SHA256: 1fb2f2e72c488118d0c4be6a27707dc80dcaf4d8f9ca41f8c3be383c9e4be07d
from element-desktop.
We prefer using code signing certificates and notarisation, any reason these are insufficient for you?
from element-desktop.
So I'm far from an expert on this stuff, but here's my take. By code signing certificates and notarization, I assume you mean the standard signing of the exe that Windows recognizes. The problem with this, as I see it, is that if your keys to do so are leaked, which has happened before with other software/drivers, that means nothing. I'm also not sure just how secure it is, i.e. if it can be faked or otherwise circumvented. All I know is that the perception is that, for a software which has security as a major "selling point," the download doesn't seem secure, as it has no (obvious) additional protections, whereas various other software does. Maybe what it has is enough, again, I'm not an expert. If that's the case, it would be nice if someone who is an expert, or at least much more knowledgeable, provides a small writeup on it, to provide reassurance.
Based on what I do know and understand about it, I feel that having PGP/GPG is a nice additional guarantee that the file hasn't been tampered with, and having a checksum is also nice since, while not as foolproof as PGP/GPG, it's significantly easier to use, and at least allows verification that the file isn't corrupt, but also provides at least moderate protection against tampering, since if the file is tampered with, it won't match. Of course, that doesn't apply if a malicious actor gains access to the site hosting the download and checksum, but that's why I prefer having them hosted on different sites/servers, so both have to be compromised in order for the checksum to fail in this regard. So done this way, it provides an extra layer of assurance with minimal knowledge and effort required to verify it. With PGP/GPG, it provides the strongest protection but is difficult to validate, and would be near impossible, for example, for me to walk someone I'm getting set up with Matrix/Element through. And simply signing it seems to be not enough, as I'm not sure if it's adequate protection against tampering, and it does nothing to validate file integrity. Checksums, done as described, seem to me to be a good middle ground.
from element-desktop.
Yes, I suppose that using platform-specific signing infrastructure for Mac and Windows is acceptable if you believe there is no risk from Apple and Microsoft certifying incorrect binaries. Users of those platforms generally trust the companies creating them, so it's not unreasonable.
I also now see that packages are signed with this key for Linux:
pub rsa4096/0xD7B0B66941D01538 2019-04-15 [SC] [expires: 2024-04-13]
Key fingerprint = 12D4 CD60 0C22 40A9 F4A8 2071 D7B0 B669 41D0 1538
uid [ unknown] riot.im packages <[email protected]>
The goal is to have a platform-independent way to verify the authenticity of the software.
Ideally that key fingerprint should be posted to your website, GitHub, etc., and the key itself should be signed by notable devs / others in the OpenPGP Strong Set.
I requested basic verification here: https://twitter.com/jonf3n/status/1749073118860030020
from element-desktop.
@jonathancross the key is published here: https://github.com/element-hq/packages.element.io/tree/master/packages.element.io and instructions on how to install it are on https://element.io/download#linux
from element-desktop.
Please consider cross-signing with devs / OpenPGP Strong Set and publishing a link to the key more visibly.
Thanks!
from element-desktop.
@t3chguy So glad that after OP went 3.5 years without responding and I took the time to write a thorough response explaining my thoughts on this, only after which OP responded, that you not only completely ignored my post, but closed both this issue and the one that I created which you said was a duplicate of this, and so now both my issue and this one are closed without actually answering any of my concerns. Is this how this repo is run?
from element-desktop.
> And simply signing it seems to be not enough, as I'm not sure if it's adequate protection against tampering
A digital signature is only valid if the signed data was not modified. It provides all the benefits of a checksum plus the ability to verify the key that is saying that is the correct checksum. This means we do not need to trust the website where the checksum is published (such as github).
PGP is arguably better than Microsoft / Apple code signing because those companies (and their employees) or anyone with access to their infrastructure could execute an attack on the project. It would be hard to detect as well.
from element-desktop.
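The check discussed in this thread, as an added example (not code from the Element project or from any commenter): accept a clearsigned release note only when gpg reports a valid signature from a pinned key, then compare the download against the note's `SHA256:` line. Assumptions: `gpg` is on the PATH, the pinned fingerprint was obtained out of band (the value below is the one quoted in the thread, used only as a sample), the note uses the `SHA256:` line format of the first comment, and all function names and sample inputs are constructed for illustration.

```python
import hashlib
import hmac
import re
import subprocess

# Fingerprint quoted in the thread (spaces removed); sample pinned value only.
PINNED_FPR = "12D4CD600C2240A9F4A82071D7B0B66941D01538"
# gpg status keywords that must never count as a usable signature.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signer_is_pinned(status: str, pinned_fpr: str = PINNED_FPR) -> bool:
    """True only for a VALIDSIG whose primary-key fingerprint is the pinned one."""
    valid = False
    for line in status.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] != "[GNUPG:]":
            continue  # human-readable gpg output or argument-less status line
        if f[1] in REJECT:  # expired/revoked-key lines may accompany VALIDSIG
            return False
        # VALIDSIG's last field is the primary key, even if a subkey signed.
        if f[1] == "VALIDSIG" and f[-1].upper() == pinned_fpr.upper():
            valid = True
    return valid

def verified_text(asc_path: str, pinned_fpr: str = PINNED_FPR) -> str:
    """Return the text of a clearsigned file only if the pinned key signed it."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--decrypt", asc_path],
        capture_output=True, text=True)
    if proc.returncode != 0 or not signer_is_pinned(proc.stderr, pinned_fpr):
        raise ValueError("no valid signature from the pinned key")
    return proc.stdout  # text as gpg verified it, never the raw file contents

def sha256_matches(signed_text: str, data: bytes) -> bool:
    """Compare data against the 'SHA256:' line of already-verified text."""
    m = re.search(r"^SHA256:\s*([0-9a-fA-F]{64})\s*$", signed_text, re.MULTILINE)
    return bool(m) and hmac.compare_digest(
        hashlib.sha256(data).hexdigest(), m.group(1).lower())

# Constructed sample inputs (not real gpg output and not a real release note).
OTHER_FPR = "A" * 40

def sample_status(fpr: str, extra: str = "") -> str:
    return (f"[GNUPG:] NEWSIG\n{extra}"
            f"[GNUPG:] VALIDSIG {fpr} 2019-09-12 1568305242 0 4 0 1 8 01 {fpr}\n")

SAMPLE_FILE = b"constructed stand-in for installer bytes"
SAMPLE_NOTE = f"Example v0.0.0\nSHA256: {hashlib.sha256(SAMPLE_FILE).hexdigest()}\n"
```

The hash is read only from text that gpg has already verified, so a checksum edited on the hosting site fails the check unless the attacker also holds the pinned private key.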