ActivityPub server without Javascript, designed for simplicity and accessibility. Includes calendar, news and sharing economy features to empower your federated community.
Currently it is not possible to verify the authenticity or cryptographic integrity of the downoads from your website or github.com because the releases are not cryptographically signed.
This makes it hard for epicyon users to safely obtain the epicyon software, and it introduces them (and potentially their instance's users' data) to watering hole attacks.
Steps to Reproduce
Go to the this repo
Look for releases and information about verifying signatures
I should be able to download the epicyon PGP key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
I should be able to download a cryptographic signature of the release (or, better, the releases' digest file, such as a SHA256SUMS.asc file) along with the release itself
The downloads page itself should include a link to the documentation page that describes how to do the above two steps
Actual behavior: [What actually happened]
There's just literally no information on verifying downloads, and it appears that it is not possible to do so.
maltfield
commented
1 month ago
Description
Currently it is not possible to verify the authenticity or cryptographic integrity of the downoads from your website or github.com because the releases are not cryptographically signed.
This makes it hard for epicyon users to safely obtain the epicyon software, and it introduces them (and potentially their instance's users' data) to watering hole attacks.
Steps to Reproduce
Expected behavior: [What you expected to happen]
A few things are expected:
SHA256SUMS.ascfile) along with the release itselfActual behavior: [What actually happened]
There's just literally no information on verifying downloads, and it appears that it is not possible to do so.