search

element-hq / element.io

Public issue tracker for the element.io site
4 stars 4 forks source link

Document signature verification on download page #69

Open maltfield opened 4 months ago

maltfield commented 4 months ago

Steps to reproduce

Steps to Reproduce

  1. Go to element download page https://element.io/download
  2. Click to download a desktop app (eg the Mac button)
  3. Scroll up & down the page looking for information on how to verify the release
  4. ???
  5. Get confused and open ticket

Outcome

What did you expect?

I expected the download page to tell me (or link me to the relevant documentation page that does tell me) how to verify the authenticity of the release cryptographically (eg with gpg) after the download completes

What happened instead?

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.

Operating system

All

Application version

All

How did you install the app?

https://element.io/download

Homeserver

irrelevant

Will you send logs?

No

maltfield commented 4 months ago

I've read that there's some signing of releases happening already, so (possibly) the only thing required is to fix the documentation telling users on all desktop platforms how they can verify their releases after downloading them

For some examples of "verifying this release" in other project's documentation, see:

  1. https://www.apache.org/info/verification.html#CheckingSignatures
  2. https://docs.featherwallet.org/guides/linux#verifying-the-download-optional
  3. https://support.torproject.org/tbb/how-to-verify-signature/
  4. https://ubuntu.com/tutorials/how-to-verify-ubuntu
  5. https://tails.net/install/expert/index.en.html#verify-key
  6. https://calyxos.org/install/verify/#additional-verification

Again, something like one of the above links should either be added directly to the downloads page or it should be clearly linked-to in the downloads page.

maltfield commented 4 months ago

Ticket moved from original here, as requested: