Open ux-design-dev opened 2 years ago
Along these lines is https://theupdateframework.io/ https://theupdateframework.github.io/specification/latest/#timestamp
And see also: https://bintra.directory/ (binary transparency) Consider the case of operating system package managers - a key compromise allows replacing packages silently because package managers such as apt do not have a way to verify that the package received is the same package that everyone else receives; only that the key is trusted.
However, these tools may not be user friendly enough for widespread adoption. For example, the Tails project has a JavaScript tool for verifying the download (see: https://tails.boum.org/install/dvd-download/index.en.html "VERIFY YOUR DOWNLOAD"), because using tools like gpg is tricky when gpg itself is not available via a package manager on platforms like Windows; a browser plugin for verifying/attesting downloads could crowdsource verification without relying on individual software projects to adopt anything.
The Go programming language itself just merely lists a hash on the webpage: https://go.dev/dl
I suppose because in this case, you can verify the SSL certificate of the website. A pretty good defense line, but if the website is compromised, then any binaries on the website are considered tampered, vs if each binary is signed by different maintainers.
Meanwhile, Linux distribution packages need to be GPG-signed mainly because they are usually distributed through untrusted mirrors, not because they are concerned about security more than GOOG.
An experience shared by people who install software or download files from the WWW (as opposed to strictly via App Stores) is the complexity of trying to verify the digital data they downloaded.
Hashes
Many, many projects simply publish SHA256 checksums of binary files and call it a day. Like the Hugo static site generator on their GitHub Releases page:
The Go programming language itself just merely lists a hash on the webpage:
go1.17.6.linux-386.tar.gz -> 06c50fb0d44bb03dd4ea8795f9448379c5825d2765307b51f66905084c3ba541
GPG signatures
Some projects also offer, in addition to the checksum, a GPG signature of the file, such as the Orbot Android app.
This solution, while it works, requires using the cumbersome GPG software to verify the `.asc` file to verify the data, as well as the step of first importing the signer's GPG key. Links to developers' keys are often located elsewhere from the data + signature files. This is a time waste and also opens a user up to confusion (which key is the right key?).
In 2016 GitHub implemented GPG signature verification of git commits, but this is also rather tricky to make sense of when downloading a binary.
The following projects experiment beyond the basics of hashes or GPG for verifying digital files:
Electrum
One example can be found with the trusted bitcoin wallet Electrum which requires running GPG to verify the `.appimage` file with not only one, but up to 3 GPG signatures from different authors and suggests verifying more than one signature.
Tails
Tails, the privacy-focused operating system, implements a decently user-friendly browser-based solution to this verification challenge:
Tails uses a verification checker whereby a user selects a recently downloaded `tails-xxx.img` file they downloaded which is then verified via JavaScript code.
EteSync
In a slightly different direction (but closer to Aqua's goals), the creator of privacy-focused EteSync created a browser extension which verifies GPG signatures of web pages for their "web app" so that a user can know if the JS code they are loading is indeed authored by the developer or a malicious third party.
Qubes OS
The security obsessed Qubes OS project publishes a git repository of: PGP keys, Security Bulletins, warrant canaries, Bitcoin fund information, and ISO digests.
Hash DBs
There have been a few attempts from cypherpunks to address this issue by creating databases of hashes and signatures.
Fact remains little has been done in the last half a decade post Snowden to make this process more intuitive and user friendly. For a truly secure and decentralized digital world being able to verify data is extremely important and should not be limited to techno elites who know how to hammer commands into a terminal.
This is where the Aqua protocol + tooling could come in...
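
An added example, not part of the original thread or of any project mentioned in it: a sketch of the crowdsourced check discussed above, where a download is trusted only when enough independent sources report the same SHA-256 as the file actually received. The source names, the threshold and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
from collections import Counter


def sha256_stream(fileobj, chunk_size=1 << 16):
    """Hash a file-like object in chunks so a large image never sits in RAM."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def check_download(fileobj, attestations, threshold=2):
    """Compare our digest with digests reported by independent sources.

    attestations maps a source name (hypothetical) to the hex SHA-256 it
    reports for this file name. Returns (verdict, agreeing, dissenting).
    """
    local = sha256_stream(fileobj)
    reported = {s: d.strip().lower() for s, d in attestations.items()}
    agreeing = sorted(s for s, d in reported.items() if hmac.compare_digest(local, d))
    dissenting = sorted(s for s in reported if s not in agreeing)
    majority, votes = Counter(reported.values()).most_common(1)[0] if reported else (None, 0)
    if len(agreeing) >= threshold and not dissenting:
        verdict = "verified"
    elif len(agreeing) >= threshold:
        verdict = "verified-with-dissent"  # quorum met, but a source disagrees
    elif votes >= threshold and majority != local:
        verdict = "split-view"  # others agree on a file we did not get
    else:
        verdict = "unverified"  # too few independent confirmations
    return verdict, agreeing, dissenting


# Constructed sample data: two byte strings stand in for a release and a
# tampered copy; the source names are made up for this example.
GENUINE = b"constructed release bytes v1.0\n"
TAMPERED = b"constructed release bytes v1.0 + implant\n"
good, bad = (hashlib.sha256(b).hexdigest() for b in (GENUINE, TAMPERED))

if __name__ == "__main__":
    # The download site was compromised: it serves TAMPERED and lists its hash.
    sources = {"download-page": bad, "maintainer-a": good, "maintainer-b": good}
    print(check_download(io.BytesIO(TAMPERED), sources))
    print(check_download(io.BytesIO(GENUINE), {"download-page": good, "maintainer-a": good}))
```

A hash that matches only the page the file came from yields "unverified" here, which is the weakness of the checksum-on-the-same-website approach raised in the thread.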