
Please could you PGP sign the binary releases? #747
I'm not sure that reproducible builds are entirely the same, is it? I can't compile code.
I'd just like to see the release builds GPG signed so I can be sure I've downloaded what the developer compiled.
Well, essentially you are asking me to go back to the workload I had before using Travis to relieve me from that workload, because in your view, we can't trust Travis either.
@telomere it's also worth noting that there's not much "compilation" per se going on. It's all just packed JavaScript (I believe it's not even minified), and you can just unpack the extension to look at all the source.
So it's not a binary in the strict sense anyway.
What about adding a checksum for the xpi ?
That's what #521 is about.
OP is essentially asking me to increase my workload to build everything locally, create a hash out of the result, and upload the result, which is what I was doing before and which is time-consuming.
Best is for OP to mirror the repo on his side, review the code thoroughly to his satisfaction, and build the extension himself. After this, it will be a matter of importing and reviewing changes.
Wow!
I'm not a developer. But to sign a zip file takes me 5 seconds. Literally 5 seconds.
I was guessing that developers could have some kind of fancy automated way to sign files that could be added to the development workflow - I guess not.
But even doing it manually, 5 seconds is hardly an unbearable burden?
Anyway, if you don't ask you don't get. Just thought I'd ask.
Yes, launching shasum takes 5 seconds. Manually creating a release entry on GitHub and uploading the ZIP files and copy/pasting the hashes in the description does not take 5 seconds.
The way it is automated now, I just type git push origin [version], and it's all done for me, thanks to Travis.
No problem. Thanks for creating uBlock.
Which browser do you use? If you use either Chrome or Firefox you can just unzip it and verify it against the code. I don't know about other browsers though.
I'd really appreciate it if you could PGP sign the releases. It would give peace of mind that nothing funny could happen between the server and the end user. [1] A sha256 checksum to verify them would be great too. Thanks.
[1] http://arstechnica.com/security/2015/02/psa-your-crypto-apps-are-useless-unless-you-check-them-for-backdoors/
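The checksum-plus-signature workflow the thread keeps circling around, as an added example that is not part of the uBlock project or of any comment above. It shows both sides: the maintainer side writes a SHA256SUMS file for the packaged artifacts (and, if gpg and a key are available, a detached signature over that one file, so only the list needs signing rather than every artifact), and the user side checks a downloaded .xpi against the published hash and then verifies the signature. The directory layout, the SHA256SUMS file name, the signing key id and the fake .xpi contents are all assumptions made for illustration; the script runs offline on constructed input and never touches a real release.

```shell
#!/bin/sh
# Added example (not uBlock's own release code): publish and verify release
# checksums for a packaged extension. release dir, SHA256SUMS name and the
# signing key id are assumptions for illustration only.
set -u

# Portable SHA-256: GNU coreutils sha256sum, BSD/macOS shasum, or openssl.
sha256_of() {
    f=$1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$f" | awk '{print $1}'
    else
        openssl dgst -sha256 "$f" | awk '{print $NF}'
    fi
}

# Maintainer side: write SHA256SUMS for every artifact in a directory, one
# "<hash>  <basename>" line per file (the format `sha256sum -c` accepts), and,
# when gpg and a key id are given, a detached ASCII-armored signature over it.
make_checksums() {
    dir=$1
    key=${2:-}          # hypothetical key id; empty means "do not sign"
    : > "$dir/SHA256SUMS"
    for f in "$dir"/*; do
        case $(basename "$f") in SHA256SUMS|SHA256SUMS.asc) continue ;; esac
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$dir/SHA256SUMS"
    done
    if [ -n "$key" ] && command -v gpg >/dev/null 2>&1; then
        gpg --batch --yes --local-user "$key" --armor --detach-sign \
            --output "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS"
    fi
}

# User side, step 1: does one downloaded artifact match a published hash?
# The expected value is normalized to lowercase hex; returns 0 on match.
check_sha256() {
    f=$1; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$f")
    [ "$actual" = "$expected" ]
}

# User side, step 2: check every entry of SHA256SUMS against the files next
# to it. Returns 0 only if every listed file exists and matches.
check_sums_file() {
    dir=$1; rc=0
    while read -r hash name; do
        [ -n "$hash" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1
        elif check_sha256 "$dir/$name" "$hash"; then
            echo "OK       $name"
        else
            echo "FAILED   $name"; rc=1
        fi
    done < "$dir/SHA256SUMS"
    return $rc
}

# User side, step 3: the hashes only prove the file is what the publisher
# listed; the detached signature proves who published the list. Requires the
# developer's public key to already be in the local keyring.
verify_sums_signature() {
    dir=$1
    gpg --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS"
}

# Stand-alone demo on constructed input (a fake .xpi, not a real extension);
# skipped when the file is only sourced for its functions.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf 'constructed, not a real extension\n' > "$d/uBlock.firefox.xpi"
    make_checksums "$d"
    cat "$d/SHA256SUMS"
    check_sums_file "$d" || exit 1
    printf 'tampered\n' >> "$d/uBlock.firefox.xpi"
    if check_sums_file "$d"; then exit 1; fi   # must now fail
    echo "tamper detected as expected"
    rm -rf "$d"
fi
```

Run it as `sh verify_release.sh demo` to see a clean check followed by a detected modification. Note what a checksum alone does not give you: if an attacker can replace the .xpi on the download server, they can usually replace SHA256SUMS next to it too, which is why the signature over SHA256SUMS, checked against a key obtained through a separate channel, is the part that actually ties the download to the developer.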