
Question about verifying the release downloads with SHA-256, sig, etc... #2070

Closed
jg55 opened this issue Mar 18, 2021 · 10 comments

Comments

jg55 commented Mar 18, 2021

Trying to leave Windows and all proprietary software in general, and move to open source solutions, and in my quest to replace several commercial apps, I stumbled across this most excellent app. I've tested it extensively on Windows so far and was really impressed, and now that I'm moving to Linux and improve my overall security, I want to use the AppImage on various Linux distros. However, I just realized that I don't see a digest, SHA256SUM file, YML file, or other method that some other devs use to provide a way to verify the download.

Apologies if I missed this somewhere, or if you don't currently provide a way to verify the download, would you please consider it for each release? QOwnNotes will be used to store sensitive info, but I need to be 100% sure I'm getting a safe and legit download. I can imagine I'm not the only one who thinks that an app of this class will become just as important as something like BitWarden, for example, as a crucial piece of software for critical information. So it seems logical that there would be an easy way to verify every download. Obviously it's not a password manager, but it will handle sensitive info and it's worth double-checking I have a legit signed/verified/shasummed file.

Thank you for your help and congrats on an amazing piece of software. I've done an extensive test among many similar apps, and QOwnNotes is top-notch! Can't wait to put it into action!

pbek (Owner) commented Mar 18, 2021

> in my quest to replace several commercial apps, I stumbled across this most excellent app

That's a noble quest and thank you for your kind words. 😁

> I want to use the AppImage on various Linux distros. However, I just realized that I don't see a digest, SHA256SUM file, YML file, or other method that some other devs use to provide a way to verify the download.

I think the OBS AppImage builds had some checksum files, but the download of AppImages seems broken on OBS.
So I started to create AppImages with GitHub Actions, but they don't generate checksums.

Of course I could create a checksum and make it part of the release, but checksums will not help you to decide if the file was tampered with (because an attacker could also have updated those checksum files). It can only verify if you have downloaded correctly what was on the server. Only a signing process would provide the needed security, maybe sigstore can help somewhere in the future...
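The checksum-versus-signature point above, as an added shell example (not code from the QOwnNotes project or its maintainer): it writes a `.sha256sum` file the way a release step might, verifies a download against it, and walks through three scenarios showing that the check catches a corrupted transfer but not an artifact that was replaced together with its checksum file. The file name and contents are constructed stand-ins, not a real AppImage.

```shell
#!/bin/sh
# Added example, not QOwnNotes project code. Demonstrates what a release
# sha256sum file proves (download integrity) and what it does not prove
# (that the file is the maintainer's; only a signature can show that).

# Write <artifact>.sha256sum beside the artifact, in the format that
# `sha256sum -c` and a manual comparison both understand.
make_checksum_file() {
    _dir=$(dirname "$1")
    _name=$(basename "$1")
    (cd "$_dir" && sha256sum "$_name" > "$_name.sha256sum")
}

# Compare an artifact against the line for it in a checksum file.
# Returns 0 when the digests match, 1 when they differ or no line is found.
verify_download() {
    _file="$1"
    _sumfile="$2"
    _name=$(basename "$_file")
    # sha256sum lists "<hex>  <name>" (or "<hex> *<name>" in binary mode)
    _expected=$(awk -v n="$_name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$_sumfile")
    [ -n "$_expected" ] || return 1
    _actual=$(sha256sum "$_file" | cut -d' ' -f1)
    [ "$_actual" = "$_expected" ]
}

# Walk through three download scenarios with a constructed stand-in file
# (not a real AppImage, just bytes under a release-like name).
demo() {
    _tmp=$(mktemp -d)
    _app="$_tmp/QOwnNotes-x86_64.AppImage"

    printf 'constructed release payload v1\n' > "$_app"
    make_checksum_file "$_app"
    verify_download "$_app" "$_app.sha256sum" \
        && echo "1. intact download: digest matches"

    # Truncated or corrupted transfer: the checksum file catches it.
    printf 'corrupted in transit\n' > "$_app"
    verify_download "$_app" "$_app.sha256sum" \
        || echo "2. corrupted download: digest mismatch (detected)"

    # Artifact and checksum file both served by a compromised host: the
    # digests agree, so the check passes. This is the gap a signature closes.
    printf 'substituted payload\n' > "$_app"
    make_checksum_file "$_app"
    verify_download "$_app" "$_app.sha256sum" \
        && echo "3. artifact and checksum file replaced together: digest matches (not detected)"

    rm -rf "$_tmp"
}

demo
```

Scenario 3 is why the checksum file only tells you the download equals what the server holds. Closing that gap needs a signature made with a key the server does not control, for example a detached signature over the checksum file checked with `gpg --verify`, or the sigstore approach mentioned above; the helper here stops deliberately at the digest comparison.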

pbek (Owner) commented Mar 18, 2021

But I will generate an AppImage checksum file starting with the next release. 😉

jg55 (Author) commented Mar 18, 2021

Thank you sir! I really appreciate that, and I'm sure others will make use of a checksum too. I get your point about an attacker tampering with the checksum too, so I guess ultimately some sort of signing process will be worth the effort since you do emphasize "owning" your notes, privacy approach, etc..., so people with more sensitive data will take note and may look for verification/signing as their use case covers a higher risk, etc. In any case, I appreciate you considering this and adding a checksum for now.

BTW I spent a lot of time running tests recently to compare QOwnNotes to alternatives. I don't think it's fully appreciated out there yet, what strikes me most is that there are many small important details that are well thought out, not to mention it's very lightweight (no extra dependency or electron bloat), fast, efficient, extensible, totally open file approach, and in my testing reliable so far. Excited to make it central to some of my projects!

pbek (Owner) commented Mar 18, 2021

Other build pipelines like the PPA and the OBS builds are signed. Snaps too in a way...
Yes, speed and being lightweight were priorities... 😁

pbek (Owner) commented Mar 18, 2021

21.3.2

  • now a sha256sum checksum file is generated for the AppImage version of QOwnNotes,
    which is part of the release (for #2070)

@pbek pbek added Importance: Low Type: Feature adds functionality and removed Type: Support labels Mar 18, 2021
@pbek pbek added this to the 21.3.2 milestone Mar 18, 2021
jg55 (Author) commented Mar 18, 2021

Great, thank you!

BTW, and hopefully this isn't off topic, but I've been cautious about adding PPAs and just prefer using AppImages for the variety of distros that I use to keep my sanity. As a developer that maintains a PPA trusted by many people, what would you say (in a nutshell) the risk factors are in downloading an AppImage (with a checksum as you just implemented and maybe a signed version if you decide to do that in the future) vs. using a PPA, which has its own set of risks too? What are the trade-offs, advantages, security issues?

And thanks again for your time and consideration on all this!

pbek (Owner) commented Mar 18, 2021

There now is a new release, could you please test it and report if it works for you?

PPAs mainly have the risk that maintainers are able to override other packages on your system if they like to, but other than that they are very convenient for the users (easy updates) and the packages are very small because there is no need to include all the dependencies like with AppImages, snaps and flatpaks... But the latter also is an advantage because you can use the same "disk image" on other (future) systems.

As for security, only signing stuff can actually help with that. But of course you always need to trust the developer(s) anyway... AppImages, snaps and flatpaks help a bit with the trust issue, but only a bit in my opinion.

jg55 (Author) commented Mar 18, 2021

Excellent, thank you! I can confirm that the AppImage download matches the sha256sum file, and it works so far. (Haven't been able to do anything other than load it up yet.)

Re: your comments about PPAs, thank you. Food for thought!

jg55 (Author) commented Mar 18, 2021

Quick follow-up -- AppImage release continues to be solid so far, no surprises. Thanks again for the quick response and great work on this app in general. It's a killer tool.

pbek (Owner) commented Mar 18, 2021

Great, thank you and thank you for testing! 😁 I'll close this then for now.

@pbek pbek closed this as completed Mar 18, 2021