atomiclabs / hyperdex

Grandma-Friendly Atomic Swaps
MIT License
152 stars 56 forks

Add signed checksums to releases #393

Closed iujzvbc closed 6 years ago

iujzvbc commented 6 years ago

It's a pity there are still no checksums to verify the integrity of the downloaded file, nor a gpg signature. It shouldn't be an "issue", but a normal process for crypto software :-(

lukechilds commented 6 years ago

We're still in the closed alpha testing stage, we haven't spent much time on the build system because we have a huge amount of development work to get through. Signed checksums are planned for the official public launch, but are not a top priority at the moment.

For what it's worth, the current macOS binaries are code signed. We intentionally didn't bother with Windows because the state of code signing on Windows is an absolute nightmare.

Thanks for opening this to help us track the issue.

iujzvbc commented 6 years ago

If code signing on Windows is an absolute nightmare (I don't care!), please provide at least shasums for linux users ;-) Have you thought people could use these alpha releases, but don't dare to because they're not signed nor provided with shasums?

lukechilds commented 6 years ago

please provide at least shasums for linux users

We fully intend to.

Have you thought people could use these alpha releases, but don't dare to because they're not signed nor provided with shasums?

That's not really a big concern; we're in the alpha testing phase, not the public release stage. Many things are unfinished, including our release system. Satisfying all users is not a top priority right now; completing basic functionality and stability is.

Out of interest, did you dare to install Komodo, Agama or BarterDEX? None of these provide signed checksums.

leto commented 6 years ago

@lukechilds FYI Agama does provide SHA256 sums and that is the only reason I ever used the binaries when I was first starting out:

https://artifacts.supernet.org/latest/installer_linux.html
https://artifacts.supernet.org/latest/installer_windows.html
https://artifacts.supernet.org/latest/installer_osx.html

My advice is to do the simple thing and just give people a SHA to confirm, leave signing for later. I understand that OS X + Windows code signing is expensive, annoying and stupid. I feel your pain.

BarterDEX also provides SHA sums to verify: https://github.com/KomodoPlatform/BarterDEX/releases

I am not sure about Komodo because I always compile that from source.

lukechilds commented 6 years ago

They don't provide signed checksums.

Unsigned checksums don't prove anything. If someone has gained unauthorised access to our repo to upload a malicious binary, they can also upload the checksums for the malicious files. They need to be signed by a trusted key to prove validity.

I will work on integrating signed checksums into our build system today.

iujzvbc commented 6 years ago

Thank you very much :-)

lukechilds commented 6 years ago

@iujzvbc @leto I've added checksums to the v0.1.0-alpha.8 release, here's an example of what it looks like:

https://github.com/hyperdexapp/hyperdex/releases/v0.1.0-alpha.8/

SHASUMS256.txt.asc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

d70e55190569aa02ebd5215857d68723ca207e94c6df6677aa4979f8037e05a8  HyperDEX-0.1.0-alpha.8.dmg
817ab5a8b299ad81967942f2b90a185a71cc27dc8a8f788829579500a0f2191e  HyperDEX-0.1.0-alpha.8.dmg.blockmap
4eccdf95a528afbe326c9b4f83218c893bfc222c8c3dd16fb8fb7535a1fd70a3  hyperdex-0.1.0-alpha.8-mac.zip
1bdabc5ad5cf5037ada10d2e68a36603251c1d63f3031b0753e78982f7b7d747  hyperdex-0.1.0-alpha.8-x86_64.AppImage
5e3d253efc48b8bfc404134a9268b420619d6973991fc53198f3a8bf1b4afa1c  hyperdex-0.1.0-alpha.8.x86_64.rpm
e96fe44aa94651f11d67a3a864bbb75e2623d67a4037662903b55fba814624c5  hyperdex-setup-0.1.0-alpha.8.exe
ef70e37e2541c8172db04757f2b8bf1cf4a9b018e5d883b15ee8c3677d9870a7  hyperdex-setup-0.1.0-alpha.8.exe.blockmap
4cf802d600fecfa709468797362a2ac3bc92a03c24f5c170bc20db84c1f64e75  hyperdex_0.1.0-alpha.8_amd64.deb
0b7eea7f5e18ea19a99fb48f4b61134b114405a0711bfe1978965f1af3dd5f35  hyperdex_0.1.0-alpha.8_amd64.snap
3ff56111e9c562136b2b2723d8621cba40d83e5349e28ccfd11fa34130e74945  latest-linux.yml
8675997743de7b627df82564fd333cf34143729570405116c5139ef4d2d5b62b  latest-mac.yml
4219256ac797b41935c3352c4b8100260a5c19bbebe7140e0a21a2c934f1e698  latest.yml
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE6p8E5WGh0QmH4+Lmk9YSqdYcKBoFAls54cUACgkQk9YSqdYc
KBpPZQgAgxb5Ugz1Rlcz3Vandgv2LPAslHpSIAZ/SVc+b4rQcu7PXN/iIZzOyll4
bgeMEflFUt/QloQcuTirVKMUrJ+AIYPBeetQ7B0cLioR2MnZYMBIWLlne72Ocdhh
JHCYnnJpMzed8sFlTvUNutBUu/cVCp6Os3CGcxXGTxed1fjF1sSzC4lzj9/UAyew
eC3dn9DL4qcjfdMmRZFM0I5gobRexbfOeNnfvv7ZJqIxvKfR0KttsZYQvwgBqguC
iktOvnQZWLTZiLYfQKfA0KyfGgw9Buhy7XvKUS4Z4d7U3b8cpS9N+PXiAhpPW/jG
EEtHqOF4eXWoxCLxPYkrTYDLPATgjw==
=qfaI
-----END PGP SIGNATURE-----

More info here: https://github.com/hyperdexapp/hyperdex/pull/396
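The comment above about unsigned checksums proving nothing, and the clearsigned SHASUMS256.txt.asc shown in the release, both come down to one verification procedure on the user's side: check the signature on the manifest against a key obtained out of band first, and only then compare the downloaded files against the hashes it lists. The following Python is an added example written for this thread; it is not code from the hyperdex project. It assumes a keyring file that contains only the release key and a pinned key fingerprint (both placeholders here), and the constructed sample release in `demo()` uses file names from the manifest above but made-up contents and a placeholder signature block, so only the hash-checking half runs offline.

```python
import hashlib
import os
import re
import shutil
import subprocess
import tempfile

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
# sha256sum output format: "<64 hex chars><spaces>[*]<file name>"
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def extract_signed_body(asc_text):
    """Lines between the armor headers and the signature block, with
    OpenPGP dash-escaping ("- -foo" stands for a body line "-foo") undone."""
    lines = asc_text.splitlines()
    if BEGIN_SIGNED not in lines:
        raise ValueError("not a clearsigned message")
    i = lines.index(BEGIN_SIGNED) + 1
    while i < len(lines) and lines[i].strip():  # skip "Hash: SHA256" headers
        i += 1
    i += 1  # blank line separating headers from the signed text
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        body.append(line[2:] if line.startswith("- ") else line)
        i += 1
    if i == len(lines):
        raise ValueError("signature block missing")
    return body


def parse_manifest(asc_text):
    """Map each listed file name to its expected SHA-256 (lowercase hex)."""
    manifest = {}
    for line in extract_signed_body(asc_text):
        m = CHECKSUM_LINE.match(line)
        if m:
            manifest[m.group(2)] = m.group(1).lower()
    return manifest


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def verify_signature(asc_path, keyring_path, expected_fingerprint):
    """Accept the manifest only if gpg reports VALIDSIG from the pinned key.
    keyring_path (assumed) holds just the release key, fetched out of band;
    pinning the fingerprint means no other key in that file can vouch."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found; the manifest cannot be trusted")
    proc = subprocess.run(
        [gpg, "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", asc_path],
        capture_output=True, text=True)
    for line in proc.stdout.splitlines():
        parts = line.split()
        # "[GNUPG:] VALIDSIG <fingerprint of the signing key> <date> ..."
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2].upper() == expected_fingerprint.upper()
    return False


def check_artifacts(manifest, directory, manifest_name="SHASUMS256.txt.asc"):
    """Per-file status: 'ok', 'mismatch', or 'unlisted' (on disk but absent
    from the signed manifest, so the signature says nothing about it)."""
    statuses = {}
    for name in sorted(os.listdir(directory)):
        if name == manifest_name:
            continue
        expected = manifest.get(name)
        if expected is None:
            statuses[name] = "unlisted"
        else:
            actual = sha256_file(os.path.join(directory, name))
            statuses[name] = "ok" if actual == expected else "mismatch"
    return statuses


def verify_release(directory, keyring_path, expected_fingerprint):
    """Signature first; hashes from an unverified manifest are worthless."""
    asc = os.path.join(directory, "SHASUMS256.txt.asc")
    if not verify_signature(asc, keyring_path, expected_fingerprint):
        raise RuntimeError("manifest signature invalid or from an unexpected key")
    with open(asc, encoding="utf-8") as f:
        return check_artifacts(parse_manifest(f.read()), directory)


def demo():
    """Constructed sample: one genuine file, one tampered file, one file not
    listed at all. The signature block is a placeholder, so this exercises
    the hash check only; verify_release() needs a real key and gpg."""
    d = tempfile.mkdtemp()
    good = b"constructed AppImage payload\n"
    files = {"hyperdex-0.1.0-alpha.8-x86_64.AppImage": good,
             "hyperdex_0.1.0-alpha.8_amd64.deb": b"contents that differ from what was signed\n",
             "latest-linux.yml": b"not in the manifest\n"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    asc = "\n".join([
        BEGIN_SIGNED, "Hash: SHA256", "",
        hashlib.sha256(good).hexdigest() + "  hyperdex-0.1.0-alpha.8-x86_64.AppImage",
        "00" * 32 + "  hyperdex_0.1.0-alpha.8_amd64.deb",
        BEGIN_SIG, "", "(placeholder, not a real signature)",
        "-----END PGP SIGNATURE-----", ""])
    with open(os.path.join(d, "SHASUMS256.txt.asc"), "w", encoding="utf-8") as f:
        f.write(asc)
    return check_artifacts(parse_manifest(asc), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Against a real download the call is `verify_release("downloads/", "/path/to/release-key.gpg", "PINNED-FINGERPRINT")` with both placeholders replaced by values obtained from somewhere other than the release page itself; the `.yml` and `.blockmap` files in the manifest are covered the same way as the binaries, and anything in the directory the manifest does not name is reported as `unlisted` rather than silently trusted.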