Update docs re. build infrastructure and releases

crwood committed Mar 13, 2019
1 parent 5297b54 commit 270f5fae607722186995739df0bb1b1193e668c0
Showing with 11 additions and 13 deletions.
  1. +10 −12 README.rst
  2. +1 −1 docs/verifying-signatures.md
@@ -63,14 +63,12 @@ Installation and running:

**Stable releases:**

Downloads for "stable" releases of Gridsync can be found on the project's `GitHub Releases page`_ and include pre-built/binary distrubitions for all three major desktop platforms. Users wishing to install these packages are strongly urged to `verify their signatures`_ before running and should additionally take into consideration the fact that these packages are presently compiled by third-party services (namely `Travis-CI`_ and `AppVeyor`_). As a result -- and until reproducible builds have been fully implemented -- some users may wish instead to build or install Gridsync manually from source (see below).
Downloads for "stable" releases of Gridsync can be found on the project's `GitHub Releases page`_ and include pre-built/binary distrubitions for all three major desktop platforms that have been compiled inside dedicated virtual machines on dedicated hardware. Users wishing to install these packages are strongly urged to `verify their signatures`_ before running or, alternatively, to build/install Gridsync manually from source (see below).

.. _GitHub Releases page: https://github.com/gridsync/gridsync/releases
.. _verify their signatures: https://github.com/gridsync/gridsync/blob/master/docs/verifying-signatures.md
.. _Travis-CI: https://travis-ci.org/gridsync/gridsync
.. _AppVeyor: https://ci.appveyor.com/project/crwood/gridsync

To install and run Gridsync on GNU/Linux (tested on Debian 8 and Fedora 23; 64-bit only):
To install and run Gridsync on GNU/Linux (64-bit only; supporting glibc 2.17 and above -- including Debian 8+, Ubuntu 14.04+, CentOS 7+, and Fedora 29+):

1. Download `Gridsync-Linux.tar.gz`_ (and `verify`_ its signature)
2. Extract the enclosed "Gridsync" directory anywhere (``tar xvf Gridsync-Linux.tar.gz``)
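Review bot: the replacement sentence keeps the typo "distrubitions" from the line it replaces, and it drops the reproducible-builds caveat without putting anything in its place: "compiled inside dedicated virtual machines on dedicated hardware" tells the reader where the builds now run, not that they still cannot be checked against the source, so the new sentence reads as if signature verification and building from source were interchangeable ("verify their signatures ... or, alternatively, to build/install Gridsync manually from source"). They address different risks (a tampered download versus a compromised build machine), so suggest keeping them cumulative, e.g. "Users are strongly urged to verify their signatures before running; until builds are reproducible, users who do not wish to trust the build machines can additionally build Gridsync from source (see below)." Separately, the paragraph no longer references `Travis-CI`_ or `AppVeyor`_, but the targets ".. _Travis-CI: https://travis-ci.org/gridsync/gridsync" and ".. _AppVeyor: https://ci.appveyor.com/project/crwood/gridsync" are left in place; remove them if those services are no longer part of the release process, since otherwise the README still advertises build infrastructure this commit says was replaced.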
@@ -79,27 +77,27 @@ To install and run Gridsync on GNU/Linux (tested on Debian 8 and Fedora 23; 64-b
.. _Gridsync-Linux.tar.gz: https://github.com/gridsync/gridsync/releases
.. _verify: https://github.com/gridsync/gridsync/blob/master/docs/verifying-signatures.md

To install and run Gridsync on macOS (version 10.11 or later):
To install and run Gridsync on macOS (64-bit only; supporting macOS 10.12 "Sierra" and above):

1. Download `Gridsync-Mac.dmg`_ (and `verify`_ its signature)
1. Download `Gridsync-macOS.dmg`_ (and `verify`_ its signature)
2. Drag the enclosed "Gridsync.app" bundle anywhere (e.g., ``~/Applications``)
3. Double-click ``Gridsync.app``

Users on older Macs can alternatively try `Gridsync-Mac-Legacy.dmg`_ (which has been tested to work on 2009-era hardware with versions of macOS as old as 10.9).
Users on older Macs can alternatively try `Gridsync-macOS-Legacy.dmg`_ (which has been tested to work on 2009-era hardware with versions of macOS as old as 10.9).

.. _Gridsync-Mac.dmg: https://github.com/gridsync/gridsync/releases
.. _Gridsync-macOS.dmg: https://github.com/gridsync/gridsync/releases
.. _verify: https://github.com/gridsync/gridsync/blob/master/docs/verifying-signatures.md
.. _Gridsync-Mac-Legacy.dmg: https://github.com/gridsync/gridsync/releases
.. _Gridsync-macOS-Legacy.dmg: https://github.com/gridsync/gridsync/releases

To install and run Gridsync on Windows (tested on Windows 7 SP1, Windows 8.1, and Windows 10):
To install and run Gridsync on Windows (64-bit only; supporting Windows Server 2012R2, Windows 7 SP1, Windows 8.1, and Windows 10):

1. Download `Gridsync-setup.exe`_ (and `verify`_ its signature)
1. Download `Gridsync-Windows-setup.exe`_ (and `verify`_ its signature)
2. Run the executable installer and follow/complete the setup wizard
3. Select "Launch Gridsync" when installation is finished

Alternatively, Windows users who do not wish to use the executable installer can download and verify `Gridsync-Windows.zip`_, extract the enclosed "Gridsync" folder anywhere, and run `Gridsync.exe`.

.. _Gridsync-setup.exe: https://github.com/gridsync/gridsync/releases
.. _Gridsync-Windows-setup.exe: https://github.com/gridsync/gridsync/releases
.. _verify: https://github.com/gridsync/gridsync/blob/master/docs/verifying-signatures.md
.. _Gridsync-Windows.zip: https://github.com/gridsync/gridsync/releases

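Review bot: the artifact renames (Gridsync-Mac.dmg to Gridsync-macOS.dmg, Gridsync-Mac-Legacy.dmg to Gridsync-macOS-Legacy.dmg, Gridsync-setup.exe to Gridsync-Windows-setup.exe) are documentation-only here: the commit touches only README.rst and docs/verifying-signatures.md, and every link target resolves to the generic releases page, so nothing in the README breaks, but users following these steps on an existing release will not find files with the new names. Confirm that the release tooling emits the new names and that the signatures published alongside each file are renamed to match, or state the version from which the new names apply. Two smaller points: the macOS line now says "supporting macOS 10.12 "Sierra" and above" while the Legacy build is described as tested "as old as 10.9", which leaves 10.11 users (previously covered by "version 10.11 or later") without a stated option; a clause pointing 10.9 to 10.11 users to the Legacy dmg would close that gap. And the unchanged Windows.zip sentence wraps `Gridsync.exe` in single backticks, which reStructuredText renders as interpreted text rather than a literal; it should be ``Gridsync.exe`` like the other commands in this section.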
@@ -14,7 +14,7 @@ Why are digital signatures important?

While a letter signed with a pen on paper might provide a weak indication of that letter's _authenticity_, digital signatures, when used correctly, can provide stronger, cryptographic proof of a file's _authenticity_ as well as its _integrity_. In other words, a properly verified signature provides a high degree of assurance both a) that the file in question came from the person(s) who signed it and b) that the file in question has not been altered after the fact. The act of verifying a digital signature can thus allow users detect whether or not an application has been forged or tampered with by potentially-malicious third parties.

It is important to note, however, that verified digital signatures provide no guarantee that the underlying application is not malicious, nor that it is free of bugs. It may be possible, for example, for an especially determined attacker to compromise the computer of a software developer and proceed to "sign" malicious applications on their behalf or to insert malicious code into another program or computer upon which an application might depend. In the case of Gridsync, measures have been taken to drastically reduce the likelihood of the first type of compromise (in this case, by generating the original [Gridsync Release Signing Key](https://raw.githubusercontent.com/gridsync/gridsync/master/release-signing-key.asc) on a computer that is unable to connect to the Internet and requiring a unique write-only hardware device to sign subsequent releases), however, it remains possible that malicious code or "backdoors" could still be inserted into the application through other means (for example, by a sophisticated attacker who might stealthily compromise one of the third party services that Gridsync currently depends on – namely [GitHub](https://github.com), [Travis-CI](https://travis-ci.org/), or [AppVeyor](https://www.appveyor.com/)). Accordingly, it is ultimately up to the user to decide whether or not any given application should be considered "trusted" independently of the presence of a verified digital signature.
It is important to note, however, that verified digital signatures provide no guarantee that the underlying application is not malicious, nor that it is free of bugs. It may be possible, for example, for an especially determined attacker to compromise the computer of a software developer and proceed to "sign" malicious applications on their behalf or to insert malicious code into another program or computer upon which an application might depend. In the case of Gridsync, measures have been taken to drastically reduce the likelihood of the first type of compromise (in this case, by generating the original [Gridsync Release Signing Key](https://raw.githubusercontent.com/gridsync/gridsync/master/release-signing-key.asc) on a computer that is unable to connect to the Internet and requiring a unique write-only hardware device to sign subsequent releases), however, it remains possible that malicious code or "backdoors" could still be inserted into the application through other means (for example, by a sophisticated attacker who might stealthily compromise one of the dedicated machines currently used for building and distributing the application). Accordingly, it is ultimately up to the user to decide whether or not any given application should be considered "trusted" independently of the presence of a verified digital signature.


How do I verify a digital signature?

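Review bot: the new wording narrows the residual-risk example to "one of the dedicated machines currently used for building and distributing the application", but the same sentence still links the release signing key from raw.githubusercontent.com, and the README in this commit still directs downloads to the GitHub Releases page, so GitHub remains a third party in the path for both the key and the binaries and should stay named here as it was in the line being replaced. Suggest something like "...compromise one of the dedicated machines used for building the application, or the GitHub infrastructure used to distribute it and its signing key". Since the key is fetched over the same channel as the artifacts it vouches for, it would also be worth printing the key's fingerprint in this document so a reader can compare it against a copy obtained elsewhere. Minor, in the unchanged context line above the change: "allow users detect" is missing "to".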