chenxiaolong / BCR

A Basic Call Recorder for rooted Android devices
GNU General Public License v3.0

suggestion: verifying bcr.zip also by checksum #499

Closed R44D44 closed 4 months ago

R44D44 commented 4 months ago

hi, after searching half an hour for an easy way to verify your releases via the .sig file, i'd like to suggest posting some checksums at the release page as well. thank you. the README.md and "verifying the digital signatures" does not really help me.

chenxiaolong commented 4 months ago

I can start adding checksums for future releases, though please note that checksums are only good for verifying if the download was corrupted.

In the unlikely event that, for example, my Github account is compromised and somebody uploads malware, the only way to know that the file is legitimate is with the digital signatures.

R44D44 commented 4 months ago

as said, i searched for "ssh verify .sig" and similar and could not find an easy way. if you know one, maybe add it to the README.md and "verifying the digital signatures".

chenxiaolong commented 4 months ago

I'm not sure if there's a user friendly GUI way to do it. But the commands from the README should work on Linux, Windows, and Mac without installing anything. (Android with the Termux app should work as well, but I haven't personally tested it.)

R44D44 commented 4 months ago

"But the commands from the README should work on ...Windows..." well, to me it's not so easy. and sorry in case it bothers you. certainly this applies to any .sig file: "To verify the signature of the zip file, first retrieve the public key". first: it is not obvious to me how to retrieve it, and what to do with it. second: "gpg: keyserver receive failed: No keyserver available"

chenxiaolong commented 4 months ago

Can you post a link to the README you're looking at? There shouldn't be anything related to GPG if you're looking at the latest README. That was indeed more painful and I stopped signing with GPG after BCR version 1.30.

R44D44 commented 4 months ago

README: i installed Gpg4win and used it unsuccessfully, also powershell with gpg --recv-key 2233C479609BDCEC43BE9232F6A3B19090EFF32C.

chenxiaolong commented 4 months ago

Yep, that's a really old version of the README. The latest one is at https://github.com/chenxiaolong/BCR and no longer involves GPG.

R44D44 commented 4 months ago

back to #1: "verifying the digital signatures" does not really help me. "First save the public key to a file that lists which keys should be trusted." - how? where?

chenxiaolong commented 4 months ago

I pushed e5c5ebe7918ecafc7f8f3179009dfdd5abaf09b5 to try and clarify that. The command right below that line does it.

R44D44 commented 4 months ago

well, i am close to giving up. i dont get what you are trying to say. "The command right below that line does it." does what? i opened a powershell window in the directory where BCR-1.60-release.zip and .zip.sig are located. i paste

echo 'bcr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOe6/tBnO7xZhAWXRj3ApUYgn+XZ0wnQiXM8B7tPgv4' > bcr_trusted_keys

enter, no reaction. i paste

ssh-keygen -Y verify -f bcr_trusted_keys -I bcr -n file -s BCR-1.60-release.zip.sig < BCR-1.60-release.zip

enter and get

At line:1 char:85
+ ... bcr_trusted_keys -I bcr -n file -s BCR-1.60-release.zip.sig < BCR-1.6 ...
+                                                                 ~
The '<' operator is reserved for future use.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : RedirectionNotSupported

chenxiaolong commented 3 months ago

You did everything right. Looks like I'll need to find a Windows machine to figure out why powershell doesn't like the command.

chenxiaolong commented 3 months ago

Got access to a Windows system. I've updated the README so that the instructions now work on Windows: https://github.com/chenxiaolong/BCR#verifying-zip-file-signature.

R44D44 commented 3 months ago

i used the copy function of it, pasted it into powershell and got

PS D:\Eigene Dateien\pcloud\Androidessentials> echo 'bcr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOe6/tBnO7xZhAWXRj3ApUYgn+XZ0wnQiXM8B7tPgv4' | Out-File -Encoding ascii bcr_trusted_keys
>>
>> Start-Process -Wait -NoNewWindow -RedirectStandardInput BCR-<version>-release.zip ssh-keygen -ArgumentList "-Y verify -f bcr_trusted_keys -I bcr -n file -s BCR-<version>-release.zip.sig"
Start-Process : This command cannot be run because either the parameter "RedirectStandardInput 'D:\Eigene
Dateien\pcloud\Androidessentials\BCR-<version>-release.zip'" has a value that is not valid or cannot be used with this
command. Give a valid input and Run your command again.
At line:3 char:1
+ Start-Process -Wait -NoNewWindow -RedirectStandardInput BCR-<version> ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], FileNotFoundException
    + FullyQualifiedErrorId : FileNotFoundException,Microsoft.PowerShell.Commands.StartProcessCommand
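
Neither error shown in this thread is a signature problem. Windows PowerShell reserves the `<` operator, so the first command could not feed the zip to ssh-keygen's stdin, and the second attempt passed the literal placeholder BCR-<version>-release.zip to -RedirectStandardInput, which is why Start-Process reports FileNotFoundException. The script below is an added example, not the BCR README's own instructions: it takes the real file name as a parameter, checks that both files exist before calling ssh-keygen, writes the allowed-signers file as plain ASCII, runs the same ssh-keygen -Y verify command with the zip on stdin, and optionally compares a published SHA-256 afterwards. The BCR public key, the identity bcr and the namespace file are the values quoted in this thread; an OpenSSH ssh-keygen on PATH, the script name Verify-Bcr.ps1 and the checksum parameter are assumptions.

```powershell
# Verify-Bcr.ps1 (added example, not part of the BCR project)
# Assumes: OpenSSH ssh-keygen is on PATH; key, identity and namespace are
# the ones quoted in this thread; $ExpectedSha256 is an optional value that
# would come from the release page (none is published on this page).
param(
    [Parameter(Mandatory = $true)]
    [string]$ZipPath,                   # e.g. .\BCR-1.60-release.zip (the real file name, not <version>)
    [string]$SigPath = "$ZipPath.sig",  # detached signature next to the zip
    [string]$ExpectedSha256 = ''        # optional checksum published with the release
)

$ErrorActionPreference = 'Stop'

# Fail early with a clear message: Start-Process -RedirectStandardInput only
# reports FileNotFoundException when the zip path does not exist.
foreach ($p in @($ZipPath, $SigPath)) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
        throw "Missing file: $p (replace any <version> placeholder with the actual version)"
    }
}

# allowed_signers format: principal, key type, base64 key. This is the BCR key from the thread.
$trusted = 'bcr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOe6/tBnO7xZhAWXRj3ApUYgn+XZ0wnQiXM8B7tPgv4'
$trustedFile = Join-Path $PWD 'bcr_trusted_keys'
# Write plain ASCII without a BOM; PowerShell's default '>' redirection would
# produce a UTF-16 file that ssh-keygen cannot parse.
[System.IO.File]::WriteAllText($trustedFile, "$trusted`n", [System.Text.Encoding]::ASCII)

# PowerShell has no '<' redirection, so hand the zip to ssh-keygen's stdin via Start-Process.
$zipFull = (Resolve-Path -LiteralPath $ZipPath).Path
$sigFull = (Resolve-Path -LiteralPath $SigPath).Path
$proc = Start-Process -FilePath 'ssh-keygen' `
    -ArgumentList "-Y verify -f `"$trustedFile`" -I bcr -n file -s `"$sigFull`"" `
    -RedirectStandardInput $zipFull -NoNewWindow -Wait -PassThru

# -PassThru returns the process object, so the exit code decides the outcome
# instead of having to read ssh-keygen's "Good signature" text.
if ($proc.ExitCode -ne 0) {
    throw "Signature verification FAILED (ssh-keygen exit code $($proc.ExitCode)); do not install this zip."
}
Write-Host "Signature OK: $ZipPath was signed by the key listed in bcr_trusted_keys."

# A checksum only detects a corrupted download. Anyone able to replace the zip
# on the release page could replace the published checksum as well, which is
# why the signature check above is the one that establishes authenticity.
if ($ExpectedSha256) {
    $actual = (Get-FileHash -LiteralPath $zipFull -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "SHA-256 mismatch: expected $ExpectedSha256, got $actual (corrupted download?)"
    }
    Write-Host "SHA-256 OK: $actual"
}
```

Save it next to the downloaded files and run `.\Verify-Bcr.ps1 -ZipPath .\BCR-1.60-release.zip` from that directory; the signature check is what tells a legitimate release from a replaced one, and the checksum comparison is only a secondary corruption check, as chenxiaolong explains above.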

R44D44 commented 3 months ago

why dont you just post additional checksums as you said 3 weeks ago? testing code starts to annoy me.