How to verify integrity and authenticity of downloaded application? #542

Closed
dosvarog opened this Issue Mar 29, 2017 · 11 comments

dosvarog commented Mar 29, 2017

Hi, I am looking all over the web page, but I cannot find SHA256 (or similar) sums for downloaded applications so that I would be able to verify their integrity and authenticity (on Linux, which I use, that would be with tools like sha256sum and gpg or similar). Something like Linux Mint has on their web page (and let us not forget that hackers hacked their servers and planted their version of the ISO file) or Ubuntu Linux on theirs (https://linuxmint.com/verify.php and https://www.ubuntu.com/download/how-to-verify).

So, how can I verify that I have downloaded the correct version of the application, i.e. that I have not downloaded a version that was in any way manipulated by a third party (and planted on a web page in a download section)?

Member

raphaelrobert commented Mar 30, 2017

Go to wire.com/download and hover on 'Details'.

Contributor

maximbaz commented Mar 30, 2017

I wonder if it's possible to add a PGP-signed file containing checksums directly to the GitHub releases page. Have a look here for an example; note the file sha256sum.txt.asc.

By the way, there is no Details to hover for source code or Linux releases on the https://wire.com/download page.

dosvarog commented Mar 30, 2017

@maximbaz Nice idea!
@raphaelrobert Yes, thank you, I see it (for Android and Windows), but as @maximbaz said, there is no checksum for either .deb or AppImage (I know it says on the page that the Linux build is experimental, but still, checksums would be very nice). I just saw someone added a commit for that. I guess now it only needs to be put on the website.

Member

raphaelrobert commented Mar 31, 2017

Thanks, we are looking to improve things for Linux.

3n-mb commented Apr 10, 2017

Actually, there are two questions:

  • How to verify this Electron app?
  • How to verify the crypto and UI code that is downloaded by Electron every time the Wire app is started?

In main.js, starting at line 122, we see that the code that handles all of your security is downloaded every time the Wire app is run.

This code can be new every time. There is no point in checking the Electron app's integrity when it dutifully executes anything that comes from Wire's server, with nodeIntegration = true!

Issue 17 still stands.

If someone hacks Wire's server, they can serve code which, in Electron with nodeIntegration = true, owns you. Running the same malicious code in a browser, with the full browser sandbox, is safer.

By the way, @raphaelrobert, like many, you Wire guys may not be aware that the sandbox = true option is now available, since September 2016. Place crypto in main, and isolate the UI in a sandbox. You guys can do it now! Let's fix issue 17.
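
An added illustration of the point made in the comment above (not code from the thread or from Wire): a small audit of Electron window options that flags content fetched from a server while nodeIntegration is enabled or sandbox is not. The function names, finding texts and URLs are constructed for this example; only the nodeIntegration and sandbox option names come from the thread.

```javascript
// Added example; auditWindow, its findings and the sample URLs are constructed.
// nodeIntegration and sandbox are the webPreferences options named in the thread.

// Schemes whose content is fetched from a server when the app starts.
const REMOTE_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);

function isRemoteContent(url) {
  try {
    return REMOTE_SCHEMES.has(new URL(url).protocol);
  } catch (err) {
    return true; // unparseable location: treat it as untrusted
  }
}

// Audit one window description { url, webPreferences }.
// An unset option counts as unsafe, since Electron defaults differ by version.
function auditWindow({ url, webPreferences = {} }) {
  const remote = isRemoteContent(url);
  const findings = [];
  if (webPreferences.nodeIntegration !== false) {
    findings.push({
      option: 'nodeIntegration',
      severity: remote ? 'critical' : 'warning',
      reason: remote
        ? 'server-supplied code gets Node.js APIs; a verified installer does not bound what runs'
        : 'renderer has Node.js APIs; only code from the verified package should load here',
    });
  }
  if (webPreferences.sandbox !== true) {
    findings.push({
      option: 'sandbox',
      severity: remote ? 'high' : 'warning',
      reason: 'renderer is not OS-sandboxed; keep keys and crypto in the main process',
    });
  }
  return { url, remote, ok: findings.length === 0, findings };
}

// Constructed configurations: weak, hardened, and locally bundled content.
const weakWindow = { url: 'https://app.example.invalid/', webPreferences: { nodeIntegration: true } };
const hardenedWindow = {
  url: 'https://app.example.invalid/',
  webPreferences: { nodeIntegration: false, sandbox: true },
};
const bundledWindow = { url: 'file:///opt/app/index.html', webPreferences: { nodeIntegration: true } };

for (const w of [weakWindow, hardenedWindow, bundledWindow]) {
  console.log(JSON.stringify(auditWindow(w)));
}
```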

Member

raphaelrobert commented Apr 10, 2017

Thanks! This is currently work in progress. We are looking into ways to improve this.

Member

raphaelrobert commented Apr 18, 2017

ffflorian closed this Apr 24, 2017

reelsense commented Jan 24, 2018

Is there a link to the PGP key?

Where are the signatures for this?

3n-mb commented Jan 24, 2018

@reelsense
There is no point in verifying the app code, because it will run any code that comes from Wire's servers, allowing it to do anything on your machine with nodeIntegration: true.
You are asking for security theater only. Ask for a structural change, in which signatures will have an actual value.

reelsense commented Jan 24, 2018

ROFL. Nice.

Electron FTW 😄

3n-mb commented Jan 24, 2018

@reelsense
Don't jump too fast to saying that Electron apps in general are insecure. Not at all. It is only an amateurishly lazy approach to framing websites into apps that is bad. In general, Electron may handle untrusted active code in the renderer, while keeping sensitive things in the main process. You can't do this in C, C++, Java, .Net, Rust. Only browser tech creates a wrapping thing that is on the user's side. Praise Electron 🙏
