GPG Signatures for release binaries?

[jonathancross]

The current desktop app download page does not contain gpg signatures for binaries.

I also did not find signatures here for MacOS, etc:
https://packages.riot.im/desktop/install/macos/

Would be great to offer these.

[jonathancross]

FWIW:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Riot v1.3.4
From: https://packages.riot.im/desktop/install/macos/Riot-1.3.4.dmg
SHA256: 1fb2f2e72c488118d0c4be6a27707dc80dcaf4d8f9ca41f8c3be383c9e4be07d
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEMsk361Pa9SImG35c2FeN+Op8zxsFAl16cFoACgkQ2FeN+Op8
zxsDHQf/ZXElhn0ihFBymEQOoBp1duRhQrGGECICSWtdUzwTdEy9R5PsufrbyHAO
w7TqnCURawM+9Qap4uznRb/P4F973ouFDKT3plhaptqlyyhNMZGS/qme+TE0U08k
ImAgnNrc/XsfWRj0fDZI/Lh18MeeedJDUBWmcw0dZblKyI6f6/ZrjKyDde2pfDbz
OR1PeSAnH3Epg7ZfNyb0XoW6VunfWC3AnjeEw5Boq0jkajHmkmSdHJx8FLmLW4P6
s2udRoYto5rDOwqoMNlaB5CEXc0zFtG06vGV04DPjQTf664Jq/o2HdWRVzvodJLh
rIYFX+P0b+mBeAgjYlXxgZob3f+r+Q==
=pAuy
-----END PGP SIGNATURE-----

[t3chguy]

We prefer using code signing certificates and notarisation, any reason these are insufficient for you?

[vertigo220]

So I'm far from an expert on this stuff, but here's my take. By code signing certificates and notarization, I assume you mean the standard signing of the exe that Windows recognizes. The problem with this, as I see it, is that if your keys to do so are leaked, which has happened before with other software/drivers, that means nothing. I'm also not sure just how secure it is, i.e. if it can be faked or otherwise circumvented. All I know is that the perception is that, for a software which has security as a major "selling point," the download doesn't seem secure, as it has no (obvious) additional protections, whereas various other software does. Maybe what it has is enough, again, I'm not an expert. If that's the case, it would be nice if someone who is an expert, or at least much more knowledgeable, provides a small writeup on it, to provide reassurance.

Based on what I do know and understand about it, I feel that having PGP/GPG is a nice additional guarantee that the file hasn't been tampered with, and having a checksum is also nice since, while not as foolproof as PGP/GPG, it's significantly easier to use, and at least allows verification that the file isn't corrupt, but also provides at least moderate protection against tampering, since if the file is tampered with, it won't match. Of course, that doesn't apply if a malicious actor gains access to the site hosting the download and checksum, but that's why I prefer having them hosted on different sites/servers, so both have to be compromised in order for the checksum to fail in this regard. So done this way, it provides an extra layer of assurance with minimal knowledge and effort required to verify it. With PGP/GPG, it provides the strongest protection but is difficult to validate, and would be near impossible, for example, for me to walk someone I'm getting set up with Matrix/Element through. And simply signing it seems to be not enough, as I'm not sure if it's adequate protection against tampering, and it does nothing to validate file integrity. Checksums, done as described, seem to me to be a good middle ground.

[jonathancross]

Yes, I suppose that using platform-specific signing infrastructure for Mac and Windows is acceptable if you believe there is no risk from Apple and Microsoft certifying incorrect binaries. Users of those platforms generally trust the companies creating them, so its not unreasonable.

I also now see that packages are signed with this key for Linux:

pub   rsa4096/0xD7B0B66941D01538 2019-04-15 [SC] [expires: 2024-04-13]
      Key fingerprint = 12D4 CD60 0C22 40A9 F4A8  2071 D7B0 B669 41D0 1538
uid                   [ unknown] riot.im packages <packages@riot.im>

The goal is to have a platform-independent way to verify the authenticity of the software.

Ideally that key fingerprint should be posted to your website, GitHub, etc and the key itself should be signed by notable devs / others in the OpenPGP String Set.

I requested basic verification here: https://twitter.com/jonf3n/status/1749073118860030020

[t3chguy]

@jonathancross the key is published here: https://github.com/element-hq/packages.element.io/tree/master/packages.element.io and instructions on how to install it are on https://element.io/download#linux

[jonathancross]

Please consider cross-signing with devs / OpenPGP Strong Set and publishing a link to the key more visibly.
Thanks!

[vertigo220]

@t3chguy So glad that after OP went 3.5 years without responding and I took the time to write a thorough response explaining my thoughts on this, only after which OP responded, that you not only completely ignored my post, but closed both this issue and the one that I created which you said was a duplicate of this, and so now both my issue and this one are closed without actually answering any of my concerns. Is this how this repo is run?

[jonathancross]

And simply signing it seems to be not enough, as I'm not sure if it's adequate protection against tampering

A digital signature is only valid if the signed data was not modified. It provides all the benefits of a checksum plus the ability to verify they key that is saying that is the correct checksum. This means we do not need to trust the website where the checksum is published (such as github).

PGP is arguably better than Microsoft / Apple code signing because those companies (and their employees) or anyone with access to their infrastructure could execute an attack on the project. It would be hard to detect as well.