AOSPAlliance / device-flasher

Android Factory Image Flasher for Linux, macOS and Windows
https://review.calyxos.org/q/project:AOSPAlliance%252Fdevice-flasher

Code Signing #4

Open chirayudesai opened 3 years ago

chirayudesai commented 3 years ago

The elephant in the room.

Should sign the windows binaries, to get a nicer prompt when downloading / double-clicking.

Should sign the darwin binaries, to let the gatekeeper gatekeep.

Uldiniad commented 3 years ago

macOS: https://artyom.dev/notarizing-go-binaries-for-macos.md#sign-your-go-binary
Windows: https://stackoverflow.com/a/49696454
Linux: no signing needed but figuring a way to make double-click work would be nice

also keep in mind riseup: https://0xacab.org/leap/bitmask-vpn

maltfield commented 1 year ago

linux: no signing needed but figuring a way to make double-click work would be nice

Sorry, but just because an OS doesn't complain doesn't mean that there's "no signing needed".

Currently, there is no way for Linux users to cryptographically verify the authenticity and integrity of device-flasher.linux after download.

This introduces a plethora of attack vectors to users who are downloading ROMs that use device-flasher (e.g. CalyxOS). For a short list of historically relevant cases where such attacks have been waged against other Open Source projects and their users, see:

To provide a means for your users to verify the authenticity and integrity of device-flasher.linux after download, please

  1. Sign your device-flasher releases using a tool such as gpg or signify or similar
  2. Add sections to your README.md explaining to the user how they can verify the signature of a release after downloading it

@Uldiniad can we get an ETA on this for Linux?
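As an added example (not the project's own code), the release flow proposed above, in Go since device-flasher is a Go project: the maintainer signs a SHA256SUMS-style manifest with Ed25519 (the primitive signify uses), and the user first checks the detached signature against the published public key, then checks each downloaded file against the manifest. The file contents, key and file names below are constructed stand-ins.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Constructed stand-ins for the real release binaries.
var releaseFiles = map[string][]byte{
	"device-flasher.linux": []byte("constructed linux binary"),
	"device-flasher.exe":   []byte("constructed windows binary"),
}

// BuildManifest produces a SHA256SUMS-style manifest: "<hex digest>  <name>" per line, sorted by name.
func BuildManifest(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// SignManifest is the maintainer-side step: a detached Ed25519 signature over the manifest bytes.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyRelease is the user-side step a README would document: reject the release unless the
// manifest signature is valid AND every listed file hashes to the value in the manifest.
func VerifyRelease(pub ed25519.PublicKey, manifest string, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return fmt.Errorf("manifest signature invalid: do not run anything from this download")
	}
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", sc.Text())
		}
		data, ok := files[fields[1]]
		if !ok {
			return fmt.Errorf("%s is listed in the manifest but was not downloaded", fields[1])
		}
		if sum := sha256.Sum256(data); hex.EncodeToString(sum[:]) != fields[0] {
			return fmt.Errorf("%s: checksum mismatch (file altered after signing)", fields[1])
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key; real key stays offline
	manifest := BuildManifest(releaseFiles)
	sig := SignManifest(priv, manifest)
	fmt.Println("clean release:", VerifyRelease(pub, manifest, sig, releaseFiles))
	tampered := map[string][]byte{"device-flasher.linux": []byte("altered"), "device-flasher.exe": releaseFiles["device-flasher.exe"]}
	fmt.Println("tampered binary:", VerifyRelease(pub, manifest, sig, tampered))
}
```

Signing the manifest rather than each binary means one signature covers every artifact, but the check only has value if the public key is fetched from a channel the download server cannot alter.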

maltfield commented 1 year ago

See also https://gitlab.com/CalyxOS/calyxos/-/issues/1139