element-hq / element-web

A glossy Matrix collaboration client for the web.
https://element.io
Apache License 2.0

Document signature verification on download page #27396

Closed maltfield closed 3 weeks ago

maltfield commented 3 weeks ago

Steps to reproduce


  1. Go to the Element download page https://element.io/download
  2. Click to download a desktop app (e.g. the Mac button)
  3. Scroll up & down the page looking for information on how to verify the release
  4. ???
  5. Get confused and open ticket

Outcome

What did you expect?

I expected the download page to tell me (or link me to the relevant documentation page that does tell me) how to verify the authenticity of the release cryptographically (e.g. with gpg) after the download completes.

What happened instead?

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.

Operating system

All

Application version

All

How did you install the app?

https://element.io/download

Homeserver

irrelevant

Will you send logs?

No

maltfield commented 3 weeks ago

I've read that there's some signing of releases happening already, so (possibly) the only thing required is to fix the documentation telling users on all desktop platforms how they can verify their releases after downloading them.

For some examples of "verifying this release" in other projects' documentation, see:

  1. https://www.apache.org/info/verification.html#CheckingSignatures
  2. https://docs.featherwallet.org/guides/linux#verifying-the-download-optional
  3. https://support.torproject.org/tbb/how-to-verify-signature/
  4. https://ubuntu.com/tutorials/how-to-verify-ubuntu
  5. https://tails.net/install/expert/index.en.html#verify-key
  6. https://calyxos.org/install/verify/#additional-verification

Again, something like one of the above links should either be added directly to the downloads page or it should be clearly linked-to in the downloads page.

t3chguy commented 3 weeks ago

> I've read that there's some signing of releases happening already

Yes, the app is both signed and notarised, otherwise macOS would make it very difficult for you to run.

Issues for the element.io website live at https://github.com/element-hq/element.io - I don't have the ability to move it. I suggest you re-open the issue there.

maltfield commented 3 weeks ago

I'll open a ticket there, thanks.

@t3chguy In the meantime, can you please link to where I can download the PGP cryptographic signature file on releases for MacOS, Linux, and Windows?

maltfield commented 3 weeks ago

Ticket moved to: