-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTPS on dl.nwjs.io #3062
Comments
related: nwjs/npm-installer#2 |
Hi, any progress on this? You could just sign the builds with PGP and publish your keys. Alternatively, you could simply post the SHA-256 hashes right here on GitHub. There are many ways to do it. Right now the only way to use NW.js securely is to build it from source. |
Will look to fix this soon. |
+1 for this. Currently I am taking effort to provide a public mirroring for nw.js, but I find that every previous upstream source uses HTTPS, some also provides signatures to verify with, which will prevent most of the tampering, but nw.js doesn't. So the plan is put on hold. |
This is now supported. https://dl.nwjs.io |
@rogerwang Thanks! Glad to tell you that nw.js has a mirror at https://npm.taobao.org/mirrors/nwjs/ now, which is synchronized from Amazon S3 via HTTPS :) |
Thank you! |
@evshiron thanks. but please use dl.nwjs.io. Do NOT use S3. |
@rogerwang The mix of Apache DirectoryIndex and Amazon S3 Bucket is somewhat confusing and hard to synchronize with. |
OK. It LGTM for now after checking the mirror script. Thanks. |
Currently, the only way to download NW.js is over an insecure HTTP connection. Most projects provide either an HTTPS download link, or PGP signatures that let you verify that what you downloaded hasn't been tampered with. It would be great if dl.nwjs.io supported HTTPS or provided signatures.
Some general background on the risks with using insecure HTTP: http://mashable.com/2011/05/31/https-web-security/
Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
The text was updated successfully, but these errors were encountered: