oxen-io / oxen-core

Oxen core repository, containing oxend and oxen cli wallets
https://oxen.io

Unable to verify hash of Session desktop app with provided KeeJef.asc and signatures.asc #1699

Closed ghost closed 3 months ago

ghost commented 3 months ago

I tried updating my Session app on my PC recently and was unable to verify the hash sum of my download.

Let's retrace my steps...

1) I downloaded the key provided by Oxen Team at https://github.com/oxen-io/oxen-core/blob/dev/utils/gpg_keys/KeeJef.asc .

2) I imported the key with gpg2 --import KeeJef.asc. (For those who don't know, gpg2 performs the exact same function as gpg, but some software requires using the gpg2 keyring, hence my use of gpg2.)

3) I downloaded the 'signatures.asc' for the version of the file I downloaded, which I got from https://github.com/oxen-io/session-desktop/releases/download/v1.13.1/signatures.asc .

4) I verified 'signatures.asc' was made using the private key that corresponds with the provided public key, using gpg2 --verify signatures.asc which produced an output that included "Good signature from..." as expected.

5) Now to verify the hash sum of the file I just downloaded, session-desktop-linux-x86_64-1.13.1.AppImage, I used sha256sum session-desktop-linux-x86_64-1.13.1.AppImage which yielded:

cc2ffaf05ca1b97abfe8681afc2535e6e93462554908d3da17251b01af05b8a9

However, the hash listed in 'signatures.asc' for this file is:

bb224fb20d049c2ac64fb7ebba339148db1e8f6d2072c25b3d3c7d0e6eca7eb3

and nowhere in 'signatures.asc' is the former hash listed, even for other formats of this version of the app.

.....

So it seems there are at least eight possibilities:

1) I downloaded the wrong key somehow,

2) The developer accidentally provided the wrong key,

3) Something is wrong with how the key got imported in my keyring due to some kind of GPG bug (there is no indication of this),

4) My key download was redirected by an attacker,

5) The signatures.asc was accidentally not updated for this version, or was not signed using the correct/same key,

6) My signatures.asc download was redirected by an attacker,

7) The developer linked to the wrong app file by mistake, or

8) My download of the app file was redirected by an attacker.

I hope that the answer is at worst #4 and that this will be promptly fixed, as the entire point of relying on Session as a secure messenger is obviously undermined if the signature can't even be verified.

If I have missed something or made a mistake in any part of my verification process, please let me know.

Thanks kindly. BashFab
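The verification steps above, scripted so that a mismatch or a missing entry is reported explicitly rather than compared by eye. This is an added example, not code from the oxen-core repository or from the reporter; it assumes signatures.asc is a clearsigned text whose body contains sha256sum-style lines (`<64 hex chars>  <filename>`) and that the signing key has already been imported as in step 2.

```shell
#!/bin/sh
# Added example, not code from the oxen-core repo or the issue author.
# Automates the reporter's steps 4 and 5 so a mismatch is reported unambiguously.
# Assumes signatures.asc is a clearsigned text whose body holds sha256sum-style
# lines ("<64 hex chars>  <filename>") and that the signing key is already in
# the gpg keyring (step 2 of the report).

# Step 4: gpg must report a good signature on the clearsigned file.
verify_signature_file() {
    gpg --verify "$1" >/dev/null 2>&1
}

# Print the hash listed for FILENAME (second arg) in SIGFILE (first arg).
# Prints nothing when the file is not listed at all, which is the situation
# in the report where the computed hash appears nowhere in signatures.asc.
expected_hash_for() {
    sigfile=$1; filename=$2
    awk -v f="$filename" '
        { n = $2; sub(/^\*/, "", n) }        # tolerate the "*file" binary-mode marker
        n == f && length($1) == 64 && $1 ~ /^[0-9a-f]+$/ { print $1; exit }
    ' "$sigfile"
}

# Step 5: compare the file on disk with the signed list.
# Returns 0 on match, 1 on mismatch, 2 when the file is not listed.
check_hash() {
    sigfile=$1; file=$2
    expected=$(expected_hash_for "$sigfile" "$(basename "$file")")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Whole procedure: signature first, then hash. Returns non-zero on any failure.
#   verify_release signatures.asc session-desktop-linux-x86_64-1.13.1.AppImage
verify_release() {
    sigfile=$1; file=$2
    if ! verify_signature_file "$sigfile"; then
        echo "FAIL: no good signature on $sigfile; do not trust its hashes" >&2
        return 3
    fi
    rc=0; check_hash "$sigfile" "$file" || rc=$?
    case $rc in
        0) echo "OK: $(basename "$file") matches the signed hash" ;;
        1) echo "MISMATCH: $(basename "$file") differs from the signed hash" >&2 ;;
        2) echo "NOT LISTED: $(basename "$file") is absent from $sigfile" >&2 ;;
    esac
    return $rc
}
```

Run `verify_release signatures.asc <downloaded file>` after importing the key; a non-zero exit distinguishes a bad signature (3), a hash mismatch (1) and a file that the signed list does not mention at all (2).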

ghost commented 3 months ago

Posted as wrong user

ghost commented 3 months ago

Was not able to post as intended user, so re-opened. For now, BashFab's admin account will handle posts.

KeeJef commented 3 months ago

Hey @kntrktr , sorry about that, looks like the AppImage wasn't fully fetched before signing. The signature was instead over a partial AppImage file rather than the actual binary. This should be fixed now if you regrab the signatures and verify using the same method.

ghost commented 3 months ago

Thank you, yes, that seemed about right. I will try again now.