Comments (8)
FWIW:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Riot v1.3.4
From: https://packages.riot.im/desktop/install/macos/Riot-1.3.4.dmg
SHA256: 1fb2f2e72c488118d0c4be6a27707dc80dcaf4d8f9ca41f8c3be383c9e4be07d
from element-desktop.
We prefer using code signing certificates and notarisation, any reason these are insufficient for you?
from element-desktop.
So I'm far from an expert on this stuff, but here's my take. By code signing certificates and notarization, I assume you mean the standard signing of the exe that Windows recognizes. The problem with this, as I see it, is that if your keys to do so are leaked, which has happened before with other software/drivers, that means nothing. I'm also not sure just how secure it is, i.e. if it can be faked or otherwise circumvented. All I know is that the perception is that, for a software which has security as a major "selling point," the download doesn't seem secure, as it has no (obvious) additional protections, whereas various other software does. Maybe what it has is enough, again, I'm not an expert. If that's the case, it would be nice if someone who is an expert, or at least much more knowledgeable, provides a small writeup on it, to provide reassurance.
Based on what I do know and understand about it, I feel that having PGP/GPG is a nice additional guarantee that the file hasn't been tampered with, and having a checksum is also nice since, while not as foolproof as PGP/GPG, it's significantly easier to use, and at least allows verification that the file isn't corrupt, but also provides at least moderate protection against tampering, since if the file is tampered with, it won't match. Of course, that doesn't apply if a malicious actor gains access to the site hosting the download and checksum, but that's why I prefer having them hosted on different sites/servers, so both have to be compromised in order for the checksum to fail in this regard. So done this way, it provides an extra layer of assurance with minimal knowledge and effort required to verify it. With PGP/GPG, it provides the strongest protection but is difficult to validate, and would be near impossible, for example, for me to walk someone I'm getting set up with Matrix/Element through. And simply signing it seems to be not enough, as I'm not sure if it's adequate protection against tampering, and it does nothing to validate file integrity. Checksums, done as described, seem to me to be a good middle ground.
from element-desktop.
Yes, I suppose that using platform-specific signing infrastructure for Mac and Windows is acceptable if you believe there is no risk from Apple and Microsoft certifying incorrect binaries. Users of those platforms generally trust the companies creating them, so it's not unreasonable.
I also now see that packages are signed with this key for Linux:
pub rsa4096/0xD7B0B66941D01538 2019-04-15 [SC] [expires: 2024-04-13]
Key fingerprint = 12D4 CD60 0C22 40A9 F4A8 2071 D7B0 B669 41D0 1538
uid [ unknown] riot.im packages <[email protected]>
The goal is to have a platform-independent way to verify the authenticity of the software.
Ideally that key fingerprint should be posted to your website, GitHub, etc., and the key itself should be signed by notable devs / others in the OpenPGP Strong Set.
I requested basic verification here: https://twitter.com/jonf3n/status/1749073118860030020
from element-desktop.
@jonathancross the key is published here: https://github.com/element-hq/packages.element.io/tree/master/packages.element.io and instructions on how to install it are on https://element.io/download#linux
from element-desktop.
Please consider cross-signing with devs / OpenPGP Strong Set and publishing a link to the key more visibly.
Thanks!
from element-desktop.
@t3chguy So glad that after OP went 3.5 years without responding and I took the time to write a thorough response explaining my thoughts on this, only after which OP responded, that you not only completely ignored my post, but closed both this issue and the one that I created which you said was a duplicate of this, and so now both my issue and this one are closed without actually answering any of my concerns. Is this how this repo is run?
from element-desktop.
> And simply signing it seems to be not enough, as I'm not sure if it's adequate protection against tampering
A digital signature is only valid if the signed data was not modified. It provides all the benefits of a checksum plus the ability to verify the key that is saying that is the correct checksum. This means we do not need to trust the website where the checksum is published (such as GitHub).
PGP is arguably better than Microsoft / Apple code signing because those companies (and their employees) or anyone with access to their infrastructure could execute an attack on the project. It would be hard to detect as well.
from element-desktop.
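The two checks discussed in this thread, as an added example that is not from any commenter or from the Element project: take the SHA256 from the verified body of a signed release note (laid out like the note in the first comment), require a second, independently hosted checksum to agree with it, then hash the download. The function names, the sample URL and the file contents are constructed for illustration, and the signature itself is assumed to have been checked with gpg beforehand.

```python
import hashlib
import hmac
import os
import re
import tempfile

SHA256_LINE = re.compile(r"^SHA256:\s*([0-9a-fA-F]{64})\s*$", re.MULTILINE)

def digest_from_note(verified_body):
    """Extract the digest from a release note body.
    Assumption: the text is gpg's verified output (e.g. from `gpg --decrypt`),
    not the raw clearsigned file, and the signer fingerprint was checked."""
    found = SHA256_LINE.findall(verified_body)
    if len(found) != 1:  # zero or several digests is ambiguous: refuse
        raise ValueError("expected exactly one SHA256 line")
    return found[0].lower()

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_download(path, published):
    """published maps a source name to the digest that source lists."""
    values = {v.strip().lower() for v in published.values()}
    if len(values) != 1:  # the sources must agree before the file is trusted
        return "sources-disagree"
    expected = values.pop()
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    payload = b"constructed installer bytes"  # stand-in for the download
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(payload)
        path = f.name
    good = hashlib.sha256(payload).hexdigest()
    note = f"Example v0.0.0\nFrom: https://downloads.example/app.dmg\nSHA256: {good}\n"
    signed = digest_from_note(note)
    results = [
        check_download(path, {"signed-note": signed, "second-site": good}),
        check_download(path, {"signed-note": signed, "second-site": "0" * 64}),
    ]
    with open(path, "ab") as f:  # simulate tampering after publication
        f.write(b"!")
    results.append(check_download(path, {"signed-note": signed, "second-site": good}))
    os.unlink(path)
    return results

if __name__ == "__main__":
    print(demo())
```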