samschott / maestral

Open-source Dropbox client for macOS and Linux
https://maestral.app
MIT License

Implement PGP code signing key for releases #856

Closed digicase closed 1 year ago

digicase commented 1 year ago

I would like to be able to verify that the Maestral code I download matches the code that was released. Maestral handles personal data, which for me makes it important to know that the software I install to handle this data can be somewhat trusted.

As an example, Mullvad has a page detailing how to use their signing key and GPG to verify the downloaded file from the Mullvad website before installing it.

https://mullvad.net/en/help/verifying-signatures/

samschott commented 1 year ago

@digicase, the macOS App Bundle is signed with an Apple Developer Certificate and notarised. This includes all dependencies and libraries contained in the package, including the Python library itself. On newer macOS versions, the signature is checked by Gatekeeper each time the app is launched. On older macOS versions, Gatekeeper checks are only run on first launch.

Outside of the macOS App Bundle, Maestral is distributed as a Python package and signing those is not standard practice because:

  1. It provides limited value without all of its dependencies being signed as well.
  2. There is no platform support for automatically checking code signatures, e.g., by the Python runtime on import, or by pip when installing a package.
  3. There is no central authority on who to trust for which package.

That being said, I can see some limited value in uploading a GPG signature to PyPI alongside the wheels.
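The Gatekeeper checks described in this comment can be reproduced by hand, which also tells you which Developer ID signed the bundle rather than only that some valid signature exists. The following is an added example, not Maestral's own tooling; it requires macOS (codesign, spctl and xcrun are Apple tools), and the application path and Team ID it takes are assumptions you must confirm out of band:

```shell
#!/bin/sh
# Added example (not from the Maestral project): run the signature, Gatekeeper and
# notarization checks on an app bundle by hand and pin the signer's Team ID.
# Assumptions: the bundle path and EXPECTED_TEAM_ID are supplied by the caller;
# neither value appears in the issue thread.

# check_macos_bundle APP [EXPECTED_TEAM_ID]
#   APP               path to the .app bundle (e.g. /Applications/Maestral.app)
#   EXPECTED_TEAM_ID  optional 10-character Apple Team ID to pin the signer to
# Returns 0 only if the signature is intact, Gatekeeper would allow execution,
# the notarization ticket (if stapler is available) validates, and the Team ID
# matches when one was given.
check_macos_bundle() {
    app=$1; expected_team=$2
    [ -d "$app" ] || return 1

    # 1. Signature integrity over the whole bundle including nested code
    #    (--deep), with strict resource-rule checking.
    codesign --verify --deep --strict --verbose=2 "$app" || return 1

    # 2. Gatekeeper's own assessment: would macOS allow this bundle to run?
    spctl --assess --type execute --verbose=4 "$app" || return 1

    # 3. A notarization ticket stapled to the bundle lets the check pass offline.
    #    stapler ships with Xcode, not with the bare Command Line Tools.
    if xcrun --find stapler >/dev/null 2>&1; then
        xcrun stapler validate "$app" || return 1
    else
        echo "stapler not available; skipping notarization ticket check" >&2
    fi

    # 4. Pin the signer. Identifier and TeamIdentifier come from the signature
    #    itself; codesign -d prints them on stderr.
    info=$(codesign -d --verbose=4 "$app" 2>&1)
    team=$(printf '%s\n' "$info" | sed -n 's/^TeamIdentifier=//p')
    ident=$(printf '%s\n' "$info" | sed -n 's/^Identifier=//p')
    printf 'Identifier=%s TeamIdentifier=%s\n' "$ident" "$team"
    if [ -n "$expected_team" ] && [ "$team" != "$expected_team" ]; then
        echo "Team ID mismatch: got '$team', expected '$expected_team'" >&2
        return 1
    fi
    return 0
}
```

The Identifier line printed in step 4 is the bundle identifier discussed later in this thread (com.samschott.maestral), so this is also where you would notice an identifier change between releases. Pinning the Team ID matters because a valid Developer ID signature from a different developer still passes steps 1 to 3.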

samschott commented 1 year ago

Ok, the next PyPI release will be signed. The public key can be downloaded from Maestral's website, hosted on GitHub pages: http://maestral.app/sam_schott_47F0A99C_public.asc

You can already download a signed wheel for v1.7.2.dev0 from https://pypi.org/project/maestral/1.7.2.dev0/:

Wheel: https://files.pythonhosted.org/packages/d9/54/4f7038c915a32456d4c85f294f198e6cfa0e2a1cbe36e9c42797d960051d/maestral-1.7.2.dev0-py3-none-any.whl

Signature: https://files.pythonhosted.org/packages/d9/54/4f7038c915a32456d4c85f294f198e6cfa0e2a1cbe36e9c42797d960051d/maestral-1.7.2.dev0-py3-none-any.whl.asc
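The verification itself is not spelled out in the thread. The following is an added example, not the project's own instructions: it imports the maintainer's public key into an isolated throw-away keyring and checks the detached signature on the wheel. It assumes you obtain the key's full 40-hex-digit fingerprint out of band (only the short key ID 47F0A99C appears above, in the key's filename, and a short ID is not a safe identity check); the EXPECTED_FPR argument is that assumed value. The download helper uses the URLs quoted in this thread, and the key URL is plain http, which is one more reason to compare the full fingerprint rather than trust whatever the download returned.

```shell
#!/bin/sh
# Added example (not Maestral's own tooling): verify a PyPI wheel against its
# detached ASCII-armoured GPG signature in an isolated keyring.
# Assumption: EXPECTED_FPR is the maintainer's full key fingerprint, obtained out of
# band; the thread only shows the short key ID 47F0A99C.

# download_maestral_release DIR
#   Fetches the public key, wheel and signature from the URLs given in the thread.
#   Not run by the test below; it needs network access.
download_maestral_release() {
    dir=$1
    base=https://files.pythonhosted.org/packages/d9/54/4f7038c915a32456d4c85f294f198e6cfa0e2a1cbe36e9c42797d960051d
    curl -fsSL -o "$dir/sam_schott_47F0A99C_public.asc" \
        http://maestral.app/sam_schott_47F0A99C_public.asc || return 1
    curl -fsSL -o "$dir/maestral-1.7.2.dev0-py3-none-any.whl" \
        "$base/maestral-1.7.2.dev0-py3-none-any.whl" || return 1
    curl -fsSL -o "$dir/maestral-1.7.2.dev0-py3-none-any.whl.asc" \
        "$base/maestral-1.7.2.dev0-py3-none-any.whl.asc" || return 1
}

# verify_wheel_signature KEYFILE WHEEL ASC EXPECTED_FPR
#   KEYFILE       ASCII-armoured public key
#   WHEEL         the downloaded .whl
#   ASC           the detached signature (.whl.asc) from the same release page
#   EXPECTED_FPR  full fingerprint of the key you decided to trust (hex, spaces ok)
# Returns 0 only for a good signature made by exactly that key (primary or its
# signing subkey), 1 otherwise.
verify_wheel_signature() {
    keyfile=$1; wheel=$2; asc=$3; expected_fpr=$4

    # Isolated keyring: nothing here touches, or inherits trust from, ~/.gnupg.
    tmphome=$(mktemp -d) || return 1
    chmod 700 "$tmphome"

    # Normalise the expected fingerprint: upper-case hex, no spaces.
    expected_fpr=$(printf '%s' "$expected_fpr" | tr -d ' ' | tr '[:lower:]' '[:upper:]')

    rc=1
    if gpg --homedir "$tmphome" --batch --quiet --import "$keyfile" 2>/dev/null; then
        # --status-fd gives machine-readable output. VALIDSIG is only emitted for a
        # good signature and carries the full fingerprint of the signing key ($3)
        # and of its primary key (last field), unlike the human-readable output,
        # which may show only a short key ID.
        status=$(gpg --homedir "$tmphome" --batch --status-fd 1 \
                     --verify "$asc" "$wheel" 2>/dev/null) || status=""
        fprs=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3, $NF; exit}')
        sig_fpr=${fprs%% *}
        primary_fpr=${fprs##* }
        if [ -n "$sig_fpr" ] && { [ "$sig_fpr" = "$expected_fpr" ] || [ "$primary_fpr" = "$expected_fpr" ]; }; then
            rc=0
        fi
    fi
    rm -rf "$tmphome"
    return $rc
}
```

Usage, after `download_maestral_release "$PWD"`: `verify_wheel_signature sam_schott_47F0A99C_public.asc maestral-1.7.2.dev0-py3-none-any.whl maestral-1.7.2.dev0-py3-none-any.whl.asc "<full fingerprint>"` and install the wheel only if it returns 0. Note that `pip download` will not fetch the `.asc`, and nothing in pip checks it, which is the limitation the previous comment points out.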

samschott commented 1 year ago

A PR to document this in the README and / or the website (https://maestral.app/docs/installation) would be welcome :)

samschott commented 1 year ago

Though following my comments above, don't let this fool you into a false sense of security.

digicase commented 1 year ago

Thanks for the fast response to this. I was under the impression that only App Store releases were signed with the developer certificate, and software downloaded outside the App Store was not able to utilise the Apple tools like Gatekeeper. It's good to know that is not the case.

I'll take a look at a PR for getting this documented on the website and README.

samschott commented 1 year ago

No worries, it is always easy to respond to an issue if there is almost nothing to do :)

Btw, https://support.apple.com/en-us/HT202491 lays out security checks done by macOS before running an app.

digicase commented 1 year ago

Sorry to add on to this after it has been closed. I upgraded to the latest version on macOS and the app Little Snitch showed this warning. Is this due to a change of identifier as Little Snitch suggests?

[Two screenshots of the Little Snitch warning, taken 2023-03-16]

samschott commented 1 year ago

Yes, indeed, I've changed the identifier from com.samschott.maestral-cocoa to just com.samschott.maestral.