JulyIghor / QtBitcoinTrader

Secure multi crypto exchange trading client
https://centrabit.com/downloads/

sha256 sums for downloads #243

Open lookfirst opened 5 years ago

lookfirst commented 5 years ago

I really don't trust downloading a binary from SourceForge and not having sha256 sums for it as well.

Can you please figure out a more secure method of distributing the binaries?

One way would be to use a CI server to build the binary and have it upload the artifact to the GitHub releases page. As part of the build, it could also upload the sha256 hash as a file to the releases page as well.

This would also automate the releases much more so that you could have it do this every time you tagged a new version in git.

This is super easy (and free and transparent) to automate with Travis. https://docs.travis-ci.com/user/deployment/releases
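The release step proposed in the comment above, sketched as an added example (not code from this project or from the commenter): a CI job writes a `SHA256SUMS` manifest next to the built artifacts, and a downloader checks a file against it. The artifact name, the manifest name and all function names are assumptions; the sample files are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(artifact_dir, manifest_name="SHA256SUMS"):
    """Release side: one '<hex>  <name>' line per artifact (sha256sum format)."""
    artifact_dir = Path(artifact_dir)
    lines = [f"{sha256_file(p)}  {p.name}"
             for p in sorted(artifact_dir.iterdir())
             if p.is_file() and p.name != manifest_name]
    manifest = artifact_dir / manifest_name
    manifest.write_text("\n".join(lines) + "\n")
    return manifest


def verify_download(manifest_path, download_path):
    """User side: True only if the file is listed and its digest matches."""
    name = Path(download_path).name
    for line in Path(manifest_path).read_text().splitlines():
        expected, _, rest = line.partition(" ")
        # rest[0] is the sha256sum mode flag: ' ' (text) or '*' (binary).
        if rest[1:] == name:
            return hmac.compare_digest(expected.lower(), sha256_file(download_path))
    return False  # an unlisted file is a failure, not something to skip


def demo():
    """Constructed sample: a fake artifact, a modified copy, an unlisted file."""
    with tempfile.TemporaryDirectory() as tmp:
        artifact = Path(tmp) / "example-client-1.0.tar.gz"  # hypothetical name
        artifact.write_bytes(b"constructed release payload\n")
        manifest = write_manifest(tmp)
        intact = verify_download(manifest, artifact)
        artifact.write_bytes(b"constructed release payload, modified\n")
        modified = verify_download(manifest, artifact)
        unlisted = Path(tmp) / "other.bin"
        unlisted.write_bytes(b"x")
        return intact, modified, verify_download(manifest, unlisted)


if __name__ == "__main__":
    print(demo())
```

A manifest served from the same location as the binary only catches corruption or a file swapped on a mirror; it is the signature discussed in the replies that ties the hash to the publisher.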

JulyIghor commented 5 years ago

I'm working on a new auto build server, and when it's finished I'll add a GPG signature there. Another secure way to update binaries is to use the built-in auto update feature. It uses a hash sum encrypted by RSA2048; it's not possible to update the original app using a corrupt/unsigned/fake binary this way. Also, the update files used by secure auto update are hosted on our own server, not on SourceForge.

lookfirst commented 5 years ago

The auto update does not show me the build process. It may be a signed binary, but who knows how that binary was built or if your server was hacked? I'd like to see the build logs off the CI server, which is a bit harder to fake.

JulyIghor commented 5 years ago

Yes, all binaries are signed. The signing process is manual and the build server has no access to the internet.

lookfirst commented 5 years ago

Ok! That is one way to do it. =)