Bad signature for the OS X release mention in the README #57
Comments
|
Hey, there's a bit of a misunderstanding 🙂 I sign the native application itself, the releases in this repo, because that's what I develop:
The README links to the user-contributed homebrew formula, hoping in a good faith that it will not do anything malicious and will only simplify your installation procedure. But because I have nothing to do with that homebrew formula, I don't sign @Amar1729's releases of it (and neither does he). By the way, @Amar1729 if this is supported, it would be very cool if your formula would also download my signature together with the release and verify it before installation, to prevent man-in-the-middle attack. @uri if you are using homebrew formula, I guess there's nothing you can verify. Let me know if this makes sense and if you have other questions! 🙂 |
|
@uri not a bad idea. I've linked here from an issue in my tap so other users with the same idea can see the discussion there. in short - gpg verification of upstream isn't |
The README links to the following homebrew formula:
https://github.com/Amar1729/homebrew-formulae/blob/master/browserpass.rb
Which in turn references this release:
https://github.com/Amar1729/homebrew-formulae/releases/download/browserpass-3.0.6
Using browserpass-darwin64-3.0.6.tar.gz.asc it does not verify:
$ gpg --verify browserpass-darwin64-3.0.6.tar.gz.asc browserpass-3.0.6.mojave.bottle.tar.gz gpg: Signature made Sat Apr 13 04:41:38 2019 EDT gpg: using RSA key 8053EB88879A68CB4873D32B011FDC52DA839335 gpg: BAD signature from "Maxim Baz <pgp@maximbaz.com>" [unknown]@Amar1729
The text was updated successfully, but these errors were encountered: