evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

No signature in GUI deb v1.6.4 #1069

Closed baioc closed 7 months ago

baioc commented 7 months ago

Describe the bug

The latest version (v1.6.4) of the GUI deb package is not signed.

To Reproduce

$ dpkg-sig -v -c python3-opensnitch-ui_1.6.4-1_all.deb 
Processing python3-opensnitch-ui_1.6.4-1_all.deb...
NOSIG

Expected behavior

$ dpkg-sig -v -c python3-opensnitch-ui_1.6.3-1_all.deb 
Processing python3-opensnitch-ui_1.6.3-1_all.deb...
GOODSIG _gpgorigin 858F918F2887BD809F08DDDB6CD595FEFD12DAE2 1692231631

gustavo-iniguez-goya commented 7 months ago

Hi @baioc ,

That's correct.

Now only the .changes file is signed (included in the file packages-sources-and-signatures.tar.gz). If we sign the .deb package, we break the checksum that appears in the .changes file when building the packages.

Since someone reported that rpm pkgs were not signed, I started signing .deb packages as well. But I think it's better to just sign the .changes file, for consistency.

baioc commented 7 months ago

Alright, I thought the missing signature was a mistake. Since it isn't, I'll close this issue.

Finally, a suggestion: add an optional verification step in the installation instructions, perhaps just pointing users to your public key and the readme.txt.asc file with signed hashes of the latest release.
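The thread makes two points worth seeing in code: the maintainer's explanation that signing the .deb after the .changes file is written invalidates the checksum recorded there, and the closing suggestion that users be given a verification step. The following added example (not OpenSnitch project code) parses the Checksums-Sha256 stanza of a .changes file, checks the listed files against it, and optionally verifies the clearsign signature with gpg against a keyring you supply. The package file, the .changes contents and the appended bytes standing in for an embedded dpkg-sig signature are all constructed inline; the keyring path and the file names are assumptions.

```python
"""Verify the files listed in a Debian .changes file against its
Checksums-Sha256 stanza, and optionally check the .changes signature.
Added example; not OpenSnitch project code."""
import hashlib
import os
import shutil
import subprocess
import tempfile


def parse_changes_sha256(changes_text: str) -> dict:
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 stanza.

    Works on clearsigned .changes files too: the PGP armor lines sit outside
    the stanza, and every entry line of the stanza begins with a space."""
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if in_stanza:
            if not line.startswith(" "):
                break  # next field reached; the stanza is over
            parts = line.split()
            if len(parts) == 3:
                digest, size, name = parts
                entries[name] = (digest.lower(), int(size))
        elif line.startswith("Checksums-Sha256:"):
            in_stanza = True
    return entries


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large packages do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_changes_files(changes_path: str) -> dict:
    """Return {filename: True/False}: True only when the file exists next to
    the .changes file and both its size and SHA-256 digest match."""
    with open(changes_path, encoding="utf-8") as f:
        expected = parse_changes_sha256(f.read())
    directory = os.path.dirname(os.path.abspath(changes_path))
    results = {}
    for name, (digest, size) in expected.items():
        path = os.path.join(directory, name)
        results[name] = (os.path.isfile(path)
                         and os.path.getsize(path) == size
                         and sha256_of(path) == digest)
    return results


def verify_changes_signature(changes_path: str, keyring_path: str):
    """Check the clearsign signature using only the given binary keyring
    (assumed path; build one with `gpg --dearmor` from the published key).
    Returns True/False, or None when gpg is not installed."""
    if shutil.which("gpg") is None:
        return None
    cmd = ["gpg", "--no-default-keyring", "--keyring", keyring_path,
           "--verify", changes_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def demo():
    """Constructed scenario: a stand-in .deb and a .changes listing it.
    The checks pass; appending bytes to the .deb (what an embedded dpkg-sig
    signature would do) changes size and digest, so they fail afterwards."""
    tmp = tempfile.mkdtemp()
    try:
        deb_name = "python3-opensnitch-ui_1.6.4-1_all.deb"  # name taken from the issue
        deb = os.path.join(tmp, deb_name)
        with open(deb, "wb") as f:
            f.write(b"!<arch>\nconstructed sample, not a real package\n")
        digest, size = sha256_of(deb), os.path.getsize(deb)
        changes = os.path.join(tmp, "opensnitch_1.6.4-1_amd64.changes")  # assumed name
        with open(changes, "w", encoding="utf-8") as f:
            f.write("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
                    "Format: 1.8\nSource: opensnitch\n"
                    "Checksums-Sha256:\n"
                    f" {digest} {size} {deb_name}\n"
                    "Files:\n"
                    f" 00000000000000000000000000000000 {size} net optional {deb_name}\n"
                    "-----BEGIN PGP SIGNATURE-----\n"
                    "(signature block omitted in this constructed sample)\n"
                    "-----END PGP SIGNATURE-----\n")
        before = verify_changes_files(changes)
        with open(deb, "ab") as f:
            f.write(b"_gpgorigin: constructed stand-in for a dpkg-sig member\n")
        after = verify_changes_files(changes)
        return before, after
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

The order matters for a real verification: check the .changes signature first, then the checksums, since an unsigned .changes file proves nothing about the files it lists. `demo()` only exercises the checksum half so it runs without gpg; pass a real `.changes` path and a dearmored keyring to `verify_changes_signature` for the signature half.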