delta1
commented
2 years ago Thanks @AaronFeickert great feedback. I agree the hashes should certainly be signed by a maintainer key for each release.
Reproducible builds are a priority, although I think rust still has a number of issues related to that.
I propose in the short term we do the following:
- release is tagged, hashes are checked by a maintainer and then signed with their key
- those hashes and signature are updated manually on the tari website downloads page/s
Then we shoud begin investigating what actual issues we have making builds reproducible.
AaronFeickert
Binary hashes on the downloads page appear to be served from the same external location as the binaries themselves, and are unsigned. An attacker able to substitute its own binaries or alter the download links could simply provide its own matching hashes.
If the intent is to use the hashes to provide a degree of certainty to users that binaries are legitimate, one of the following may be useful:
Looking into the use of reproducible builds is another approach that also addresses the case of a malicious build differing from source.
If the intent is simply to detect network errors while downloading the binaries, it should be made clear to users that this is the case, and that the current approach cannot detect malicious binary substitution. This pull request makes such a change to the documentation. Alternatively, the hashes could simply be removed to avoid user confusion.