Signing Releases

Alex Harsányi edited this page Sep 7, 2023 · 10 revisions

The installer produced by the Azure build is signed using GnuPG. Additionally, a manifest file inside the installed application records the SHA1 sum of all files in the distribution, and this manifest file is also signed with the GPG key. This mechanism allows verifying that the installer is an official build of the project, as well as verifying that the installed files are the original ones.

This document describes how to verify the signature of the installer as well as the integrity of the installation files.

Why not use a signing certificate? A "proper" certificate to sign the ActivityLog2 installer and application costs money, and has to be periodically renewed, effectively making it a recurring cost. ActivityLog2 is a hobby project, and I don't want to spend money on a signing certificate.

The signing key(s)

You can retrieve the key from a key server using the command below, or you can import the current and previous signing keys from the al2-signing-keys.asc file next to each release on GitHub. The signing key is periodically rotated, and the al2-signing-keys.asc file contains all signing keys, including expired ones. GnuPG will automatically know which key to use to verify signatures.

# Option 1: retrieve latest signing key from keyserver:
gpg --recv-keys 92A627B1E17AD1C8

# Option 2: import all signing keys from file:
gpg --import al2-signing-keys.asc

Verifying Signatures

The installer is accompanied by a signature file with the same name as the installer, except that it has a .sig extension. You can use the gpg --verify command to verify the signature:

$ gpg --verify ActivityLog2Setup-2023.07.99.sig ActivityLog2Setup-2023.07.99.exe
gpg: Signature made Sun, Sep  3, 2023  1:45:01 PM WAST
gpg:                using RSA key 305719E974D8A5E428A774FF92A627B1E17AD1C8
gpg: Good signature from "Alex Harsányi (ActivityLog2 Signing) <AlexHarsanyi@gmail.com>" [ultimate]
Primary key fingerprint: 3057 19E9 74D8 A5E4 28A7  74FF 92A6 27B1 E17A D1C8

Additionally, a file ending in -manifest.sig, for example ActivityLog2Setup-2023.03-manifest.sig, is the signature for the manifest file packaged with the application. The manifest is named manifest-sha256.txt and is located together with the installed application. You can verify the integrity of the manifest file using gpg and verify the integrity of the installation using the command sha256sum -c manifest-sha256.txt.

To verify the integrity of the manifest file, open a terminal in the installation folder of the application, and use the command below. You will either need to copy the signature into the installation folder, or point GPG to the signature file downloaded from the release site:

$ gpg --verify ActivityLog2Setup-2023.07.99-manifest.sig manifest-sha256.txt
gpg: Signature made Sun, Sep  3, 2023  1:45:01 PM WAST
gpg:                using RSA key 305719E974D8A5E428A774FF92A627B1E17AD1C8
gpg: Good signature from "Alex Harsányi (ActivityLog2 Signing) <AlexHarsanyi@gmail.com>" [ultimate]
Primary key fingerprint: 3057 19E9 74D8 A5E4 28A7  74FF 92A6 27B1 E17A D1C8

You can check the integrity of the installed files using the command below:

sha256sum -c manifest-sha256.txt
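
sha256sum -c only checks the files that the manifest lists, so a file added to the installation folder afterwards is not reported. The script below is an added example, not part of ActivityLog2: it runs the same check and also lists files that are present but not in the manifest. It assumes the manifest uses the standard sha256sum line format with paths relative to the installation folder, and the function names are hypothetical. Run it after the manifest signature has been verified with gpg.

```sh
#!/bin/sh
# Added example, not ActivityLog2 code. Assumes manifest-sha256.txt uses the
# sha256sum line format "<64 hex digits>  <path>" with paths relative to the
# installation folder. Function names are hypothetical.

# Print the paths listed in manifest file $1, sorted.
manifest_paths() {
    # Strip the hash and separator ("  " for text mode, " *" for binary mode).
    sed -E 's/^[0-9a-fA-F]{64} [ *]//; s#^\./##' "$1" | LC_ALL=C sort
}

# Print files under folder $1 that the manifest does not list.
unlisted_files() {
    tmp=$(mktemp -d) || return 2
    manifest_paths "$1/manifest-sha256.txt" > "$tmp/listed"
    (cd "$1" && find . -type f ! -name manifest-sha256.txt) |
        sed 's#^\./##' | LC_ALL=C sort > "$tmp/present"
    # comm -13 keeps only the lines unique to the second file (present on disk).
    LC_ALL=C comm -13 "$tmp/listed" "$tmp/present"
    rm -rf "$tmp"
}

# Return 0 only if every listed file matches its hash and nothing is unlisted.
check_install() {
    rc=0
    out=$(cd "$1" && sha256sum -c manifest-sha256.txt 2>&1) || rc=1
    # Show only the failures (FAILED, missing file), not the per-file OK lines.
    printf '%s\n' "$out" | grep -v ': OK$' || true
    extra=$(unlisted_files "$1")
    if [ -n "$extra" ]; then
        printf 'Not listed in manifest:\n%s\n' "$extra"
        rc=1
    fi
    return "$rc"
}

# Usage: check_install "/path/to/installation/folder"
```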