Open chirayudesai opened 3 years ago
macOS: https://artyom.dev/notarizing-go-binaries-for-macos.md#sign-your-go-binary
windows: https://stackoverflow.com/a/49696454
linux: no signing needed but figuring a way to make double-click work would be nice
also keep in mind riseup: https://0xacab.org/leap/bitmask-vpn
> linux: no signing needed but figuring a way to make double-click work would be nice
Sorry, but just because an OS doesn't complain doesn't mean that there's "no signing needed"
Currently, there is no way for Linux users to cryptographically verify the authenticity and integrity of device-flasher.linux after download.
This introduces a plethora of attack vectors for users who are downloading ROMs that use device-flasher (e.g. CalyxOS). For a short list of historically relevant cases where such attacks have been waged against other Open Source projects and their users, see:
To provide a means for your users to verify the authenticity and integrity of device-flasher.linux after download, please:
- sign releases with gpg, or signify, or similar
- add a README.md explaining to the user how they can verify the signature of a release after downloading it

@Uldiniad can we get an ETA on this for Linux?
The elephant in the room.
Should sign the Windows binaries, to get a nicer prompt when downloading / double-clicking.
Should sign the darwin binaries, to let Gatekeeper gatekeep.
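The signify option requested above, as an added example that is not device-flasher's own code: a small Go verifier for signify-format detached signatures (a .pub or .sig is an "untrusted comment:" line followed by base64 of "Ed", an 8-byte keynum, then the Ed25519 key or signature), which is the check a README could tell Linux users to run on device-flasher.linux. The key pair, keynum, release bytes and signature are constructed inline so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"strings"
)

// parseSignify decodes a .pub or .sig: skip "untrusted comment:" lines, then expect base64 of "Ed" + 8-byte keynum + body.
func parseSignify(text string, bodyLen int) ([]byte, []byte, error) {
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		if line == "" || strings.HasPrefix(line, "untrusted comment:") {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(line)
		if err != nil || len(raw) != 10+bodyLen || string(raw[:2]) != "Ed" {
			return nil, nil, errors.New("malformed signify Ed25519 blob")
		}
		return raw[2:10], raw[10:], nil // keynum, key or signature body
	}
	return nil, nil, errors.New("no base64 payload found")
}
// VerifySignify checks a detached .sig against the downloaded release bytes with the publisher's .pub: keynums must match, Ed25519 must verify.
func VerifySignify(pubText, sigText string, release []byte) error {
	pubKeynum, pub, errPub := parseSignify(pubText, ed25519.PublicKeySize)
	sigKeynum, sig, errSig := parseSignify(sigText, ed25519.SignatureSize)
	if errPub != nil || errSig != nil {
		return errors.Join(errPub, errSig)
	}
	if !bytes.Equal(pubKeynum, sigKeynum) {
		return errors.New("signature was made with a different key than the .pub")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), release, sig) {
		return errors.New("bad signature: release modified or not signed by this key")
	}
	return nil
}
// MakeSignedRelease builds a CONSTRUCTED key pair, release and .sig in signify's on-disk format (seed and keynum fixed here; real signify draws both randomly).
func MakeSignedRelease() (pubText, sigText string, release []byte) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	keynum := []byte{1, 2, 3, 4, 5, 6, 7, 8}
	release = []byte("constructed stand-in for device-flasher.linux\n")
	encode := func(body []byte) string {
		blob := append(append([]byte("Ed"), keynum...), body...)
		return "untrusted comment: example key\n" + base64.StdEncoding.EncodeToString(blob) + "\n"
	}
	return encode(priv.Public().(ed25519.PublicKey)), encode(ed25519.Sign(priv, release)), release
}
```

On a real download the .pub must come from a channel other than the release page itself, since the "untrusted comment" line carries no trust.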