search

trustwallet / wallet-core

Cross-platform, cross-blockchain wallet library.
https://developer.trustwallet.com/wallet-core
Apache License 2.0
2.71k stars 1.53k forks source link

Cryptographic Signing of Releases (PGP Signatrure Verification) #3260

Open maltfield opened 1 year ago

maltfield commented 1 year ago

Feature Request

Currently it is not possible to verify the cryptographic authenticity after downloading the Trust Wallet software because the releases are not cryptographically signed.

This makes it hard for Trust Wallet users to safely obtain the Trust Wallet software, and it introduces them to supply chain attacks.

Steps to Reproduce

  1. Go to the https://github.com/trustwallet/wallet-core/releases or https://trustwallet.com/download
  2. ???

Expected Behavior

A few things are expected:

  1. I should be able to download the Trust Wallet Team's Software Release PGP Public Key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
  2. I should be able to download a cryptographic signature of the release (or, better, the releases' digest file, such as a SHA256SUMS.asc file) along with the release itself
  3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.

Versions Affected

Everything, all versions.

Use case

Installing the software securely

Suggested implementation

Cryptographic signing of all software releases with PGP

maltfield commented 1 year ago

Remember: monero's release infrastructure has already been comprimised once.

And here's a great list of historically relevant cases where this has happened to other open-source projects:

Monero is a good case study because they actually were cryptographically signing their releases with PGP. Because of this, their users had a means to detect that the software they downloaded was malicious. It was reported to the developers, and the issue was promptly resolved.

But without signing releases (as is currently the case with Trust Wallet), a user has no way to know if the software they downloaded is [a] authentic or [b] maliciously modified.