Open maltfield opened 5 months ago
We provide sha256 sum files:
And Sourceforge provides these hashes as well:
I see that some BlissOS releases have a cooresponding .sha
file.
That file is empty but, regardless, hashes do not provide security, unless those hashes are cryptographic hash functions (eg not sha1) and those are signed. Hashes without signatures protect against download corruption; they do not provide any security.
An example attack that would be protected by signatures is a publishing infrastructure compromise. Remember: monero's release infrastructure has already been comprimised once. And here's a great list of historically relevant cases where this happened:
@electrikjesus this ticket is to address security (authenticity), not corruption (integrity).
I also recommend adding a KEYS
file to the root of your repo (located along-side files like COPYING
and AUTHORS
), per the KEYS standard established by Apache
For more best-practices, see also:
Describe the feature
Description
Currently it is not possible to verify the authenticity or cryptographic integrity of the downloads from sourceforge.net (or seemingly any other domain) because the releases are not cryptographically signed.
This makes it hard for BlissOS users to safely obtain BlissOS, and it introduces them to watering hole attacks.
Steps to Reproduce
Download
button in the top-right of the headerExpected behavior: [What you expected to happen]
A few things are expected:
SHA256SUMS.asc
file) along with the release itselfActual behavior: [What actually happened]
There's just literally no information on verifying downloads, and it appears that it is not possible to do so.
Links to commits (if applicable)
No response
Additional information or screenshots
No response