Verifying Downloads
Every Tetherand release artefact ships with two sidecar hash files computed by independent cryptographic constructions. To trust an artefact, both must match what's published in the release page.
A single hash function is only as strong as the family it belongs to. Even though no general collision attack is known against SHA-256 today, the value of the artefacts being signed makes them a worthwhile target for one. By also publishing a hash from a fundamentally different construction (SHA3-256 uses the Keccak sponge permutation, while SHA-256 is a Merkle-Damgård chain over a Davies-Meyer compression function), an attacker who wants to substitute a malicious binary needs two independent collisions simultaneously — a problem with no known general method.
shasum -a 256 <file>          # must match the .sha256 sidecar
openssl dgst -sha3-256 <file> # must match the .sha3-256 sidecar
Both should print a hex hash on stdout. Compare each to the corresponding sidecar file.
On macOS, shasum ships with the base system; openssl is typically the
Homebrew build (brew install openssl). On Linux, sha256sum
and openssl are both standard.
After downloading tetherand.apk, tetherand.apk.sha256, and
tetherand.apk.sha3-256 from the release page:
$ shasum -a 256 tetherand.apk
075ef70425f1d3544bfba9cea7b2c77cbbb438b52c4014c4f0056494d91899b7 tetherand.apk
$ cat tetherand.apk.sha256
075ef70425f1d3544bfba9cea7b2c77cbbb438b52c4014c4f0056494d91899b7 tetherand.apk
Same hex string — first check passes. Now the SHA3-256 check:
$ openssl dgst -sha3-256 tetherand.apk
SHA3-256(tetherand.apk)= fb2452227d975d79fdd1200c57e45b955c1caf932ab799288f7a86f2119d9157
$ cat tetherand.apk.sha3-256
fb2452227d975d79fdd1200c57e45b955c1caf932ab799288f7a86f2119d9157 tetherand.apk
Second check passes. The artefact is safe to install.
If either check fails, do not install the artefact. Re-download from the release page over a different network if possible (a network-level attacker could be substituting both the artefact and its sidecars). If a re-download from a different network still gives mismatched hashes, the artefact has been replaced upstream and should be reported as a security issue.
The release page also includes two text indexes:
- SHASUMS.txt — every hash for files under bin/.
- COMBOSUMS.txt — every hash for files under dist/bundles/.
These index files are convenient for verifying multiple downloads in one pass. They are themselves unsigned, so use them only to compare against the sidecar files (which match the on-page checksums GitHub itself displays for every release asset).
The Git tag v0.1 is annotated and signed by the same identity as
every commit on main. To verify the tag and its message:
git fetch --tags
git tag -v v0.1
This confirms the tag was created by pq-cybarg <resistant@tuta.com>
and shows the message GitHub displays on the release page.