
Provide .sig signature file with tar.xz releases, consider new https certificate #32

Closed
ipaqmaster opened this issue Nov 23, 2022 · 11 comments

Comments

@ipaqmaster commented Nov 23, 2022

This would allow packages such as this AUR package of y-cruncher for Archlinux to verify the latest y-cruncher tar.xz from the website has not been tampered with and is intact, but in general would allow anyone to verify the package.

There is also no checksum provided so overall zero way to verify a download from the site has not been tampered with.

Are signatures and checksums something you could provide alongside the tar.xz releases?

@ipaqmaster ipaqmaster changed the title Provide a checksum with each new tar.xz release for verification Provide checksum with tar.xz releases & fix website self-signed + expired https certificate Nov 24, 2022
@ipaqmaster ipaqmaster changed the title Provide checksum with tar.xz releases & fix website self-signed + expired https certificate Provide checksum with tar.xz releases & replace/renew website's self-signed + expired https certificate for safe transmission. Nov 24, 2022
@ipaqmaster (Author) commented Nov 24, 2022

I've noticed the website also supports HTTPS; however, it uses a self-signed certificate which expired in 2020. Would this also be possible to mend for the above mentioned security purposes?

(If you end up signing the tar.xz files, HTTP would be safe given the verifiable content signature.)

@ipaqmaster ipaqmaster changed the title Provide checksum with tar.xz releases & replace/renew website's self-signed + expired https certificate for safe transmission. Provide .sig signature file with tar.xz releases, consider new https certificate Nov 24, 2022
@Mysticial (Owner) commented

The site isn't "supposed" to have HTTPS yet. So if it's there (functional or not), it's probably from the host or something. I never set it up. Moving the site to HTTPS is something I've wanted to do for years, but I lack the time or expertise to do it.

@ipaqmaster (Author) commented

Fair, I had a small feeling it may have just been a host default.

Have you thought about signing the downloadable archives on the website with a GPG key of your own? People downloading y-cruncher can verify against such a signature safely even over HTTP. It would be particularly useful for that repo package I linked initially.

@Mysticial (Owner) commented

I don't know how to do that.

@eclairevoyant commented Dec 10, 2022

One time setup

I'm not sure which OS you work with normally, but there's a good tutorial here on creating a new key and adding it to your github account: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key

That way, we can get the key from your github profile and independently verify that the package came from you and not some other 3rd party.

New steps for each release

As for signing a package, the command is something like:

gpg --detach-sign --use-agent --output 'y-cruncher.v123.tar.xz.sig'  --sign 'y-cruncher.v123.tar.xz'

(replacing the name of the xz archive, of course)

and the generated .sig file would have to be posted on your website alongside the xz file for each release.
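The signing step above together with the verification a downstream packager would run, as an added example that is not part of this thread or of the y-cruncher project: it creates a throwaway key in a temporary GNUPGHOME, signs a constructed stand-in archive, and accepts the download only if the signature is valid and made by the pinned fingerprint. The key identity, the example.invalid address and the vEXAMPLE version are placeholders.

```shell
#!/bin/sh
# Added example, not code from the y-cruncher project: the sign/verify round trip a
# release maintainer and a downstream packager would perform with GnuPG. Everything
# lives in a throwaway GNUPGHOME so the real keyring is untouched; the archive is a
# constructed stand-in and the key identity is a placeholder.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "GnuPG 2.1+ (gpg) is required" >&2; exit 1; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
REL="$WORK/y-cruncher.vEXAMPLE.tar.xz"   # placeholder version number

# Maintainer, one time: create an unprotected signing-only key non-interactively.
make_release_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Release Signing (example) <release@example.invalid>' ed25519 sign 0
}

# The fingerprint is what a packager pins (e.g. validpgpkeys in an AUR PKGBUILD).
key_fingerprint() {
  gpg --batch --with-colons --list-keys | awk -F: '/^fpr:/ { print $10; exit }'
}

# Maintainer, per release: detached signature (the thread's command) plus a checksum.
sign_release() {   # $1 = archive path
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --detach-sign --output "$1.sig" "$1"
  ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Packager: a checksum only proves the bytes match what the same (possibly unsafe)
# source published; it cannot say who published them.
checksum_ok() {    # $1 = archive path
  ( cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256" )
}

# Packager: succeed only if the signature is valid AND was made by the pinned key.
# "gpg --verify" alone exits 0 for any key in the keyring, so match VALIDSIG's fingerprint.
verify_release() { # $1 = archive path, $2 = expected fingerprint
  gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
    | grep -q "^\[GNUPG:] VALIDSIG $2 "
}

make_release_key
FPR=$(key_fingerprint)
printf 'constructed stand-in for a release archive\n' > "$REL"
sign_release "$REL"
checksum_ok "$REL" && verify_release "$REL" "$FPR" && echo "good signature by $FPR on $REL"
```

A real packager would fetch the maintainer's public key once (for instance from the GitHub profile mentioned above), import it into a dedicated keyring, and pin its fingerprint the way `verify_release` does.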

@ipaqmaster (Author) commented

That would be ideal for our package building over at the AUR as well.
Currently there is no way at all to verify the site's downloads, and the site isn't even delivering over HTTPS, so somebody providing a hash themselves would also have to be hashing from the same insecure source.

@Mysticial (Owner) commented

Revisiting this, what if I just mirror all the y-cruncher releases as GitHub releases as well? Then you just point to there instead.

@eclairevoyant commented

Works for me, thanks for taking a look!

@ipaqmaster (Author) commented

That would be great, actually.

@Mysticial (Owner) commented

Latest release is now available on both my website and via GitHub: https://github.com/Mysticial/y-cruncher/releases/tag/v0.8.3.9530

@eclairevoyant commented

Thanks, cheers!
