Provide .sig signature file with tar.xz releases, consider new https certificate #32

This would allow packages such as this AUR package of y-cruncher for Arch Linux to verify that the latest y-cruncher tar.xz from the website has not been tampered with and is intact, but in general it would allow anyone to verify the package.
There is also no checksum provided, so overall there is zero way to verify that a download from the site has not been tampered with.
Are signatures and checksums something you could provide alongside the tar.xz releases?

Comments

I've noticed the website also supports HTTPS; however, it uses a self-signed certificate which expired in 2020. Would this also be possible to mend for the above-mentioned security purposes? (If you end up signing the tar.xz's, http would be safe given the verifiable content signature.)

The site isn't "supposed" to have HTTPS yet. So if it's there (functional or not), it's probably from the host or something. I never set it up. Moving the site to HTTPS is something I've wanted to do for years, but lack the time or expertise to do it.

Fair, I had a small feeling it may have just been a host default. Have you thought about signing the downloadable archives on the website with a GPG key of your own? People downloading y-cruncher can verify against such a signature safely even over http. It would be particularly useful for that repo package I linked initially.

I don't know how to do that.

One time setup
I'm not sure which OS you work with normally, but there's a good tutorial here on creating a new key and adding it to your GitHub account: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key That way, we can get the key from your GitHub profile and independently verify that the package came from you and not some other third party.

New steps for each release
As for signing a package, the command is something like:
(replacing the name of the xz archive, of course) and the generated

That would be ideal for our package building over at the AUR as well.

Revisiting this, what if I just mirror all the y-cruncher releases as GitHub releases as well? Then you just point to there instead.

Works for me, thanks for taking a look!

That would be great actually

Latest release is now available on both my website and via GitHub: https://github.com/Mysticial/y-cruncher/releases/tag/v0.8.3.9530

Thanks, cheers!
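The two artifacts this thread asks for, a checksum file and a detached GPG signature, together with the "new steps for each release" the comment above only sketches, as an added example that is neither y-cruncher's release tooling nor the commenter's command. It is a POSIX shell walkthrough that writes a SHA256SUMS file, produces a detached signature with a throwaway key, and then verifies both the way a downloader would, including rejecting a copy that an intermediary altered by one byte. The archive name, the key's user ID and the temporary-directory layout are constructed for the example; the gpg steps run only if gpg is installed.

```shell
#!/bin/sh
# Added example, not y-cruncher's release tooling: the two artifacts the issue
# asks for (a SHA256SUMS file and a detached GPG signature) produced and then
# checked the way a downloader checks them. The archive is a constructed
# stand-in file and the key is a throwaway key in a temporary GNUPGHOME.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"              # keep the throwaway key out of the real keyring
mkdir -m 700 "$GNUPGHOME"
ARCHIVE="$WORK/y-cruncher-EXAMPLE.tar.xz"   # placeholder name; contents are not a real archive

# Portable SHA-256 (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Maintainer side: one "<hash>  <filename>" line per file, the format sha256sum -c reads.
write_checksums() {                         # $1 = archive, $2 = SHA256SUMS path to write
    printf '%s  %s\n' "$(sha256_of "$1")" "$(basename "$1")" > "$2"
}

# Downloader side: look up the recorded hash by file name and recompute it.
# Returns 0 only if the file is listed and the hashes match.
verify_checksum() {                         # $1 = downloaded file, $2 = SHA256SUMS path
    expected="$(awk -v f="$(basename "$1")" '$2 == f { print $1 }' "$2")"
    [ -n "$expected" ] && [ "$expected" = "$(sha256_of "$1")" ]
}

# One-time setup (the GitHub tutorial linked in the thread does this interactively).
# The passphrase is empty here only so the example runs unattended.
make_signing_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Release Example <release@example.invalid>" default default never
}

# Per release: a detached binary signature written beside the archive as <file>.sig.
sign_release() {                            # $1 = file to sign
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$1.sig" "$1"
}

# Downloader side: exit status 0 means a good signature, from a key in the keyring,
# over exactly these bytes. Here the keyring is the one that made the key; a real
# downloader imports the maintainer's public key first.
verify_release() {                          # $1 = file, expects <file>.sig beside it
    gpg --batch --quiet --verify "$1.sig" "$1" 2>/dev/null
}

# --- Walkthrough ---------------------------------------------------------------
printf 'constructed stand-in for a release archive\n' > "$ARCHIVE"
write_checksums "$ARCHIVE" "$WORK/SHA256SUMS"
HAVE_GPG=0
if command -v gpg >/dev/null 2>&1; then
    HAVE_GPG=1
    make_signing_key
    sign_release "$ARCHIVE"
fi

# A "mirror" copy altered by one byte in transit; the SHA256SUMS and .sig that were
# published alongside the original are copied unchanged.
mkdir "$WORK/mirror"
TAMPERED="$WORK/mirror/$(basename "$ARCHIVE")"
cp "$ARCHIVE" "$TAMPERED"
[ "$HAVE_GPG" -eq 1 ] && cp "$ARCHIVE.sig" "$TAMPERED.sig"
printf 'x' >> "$TAMPERED"

verify_checksum "$ARCHIVE" "$WORK/SHA256SUMS"  && echo "checksum of original: OK"
verify_checksum "$TAMPERED" "$WORK/SHA256SUMS" || echo "checksum of tampered copy: REJECTED"
if [ "$HAVE_GPG" -eq 1 ]; then
    verify_release "$ARCHIVE"  && echo "signature on original: OK"
    verify_release "$TAMPERED" || echo "signature on tampered copy: REJECTED"
else
    echo "gpg not installed; signature steps skipped"
fi
```

The checksum alone only detects accidental corruption: anyone able to swap the archive on an http mirror can swap an unsigned SHA256SUMS just as easily. The signature is what ties the bytes to the maintainer's key, so a downloader verifies the signature first (against a public key obtained once, out of band, for instance from the maintainer's GitHub profile as the linked tutorial sets up) and treats the checksum as a convenience for mirrors and package recipes.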