floating / frame

System-wide Web3 for macOS, Windows and Linux

Home Page: https://frame.sh

Secure signatures on releases

michaelni opened this issue · comments

Currently the released files have hashes/checksums but not signatures. That does not really provide any security.
An end user cannot separate an official untampered release from some trojanized one, as any half-decent attacker will just run sha512sum on it after tampering and update the hashes.

ATM the only thing stopping an attacker is HTTPS, GitHub, your webserver and DNS. Only one of these needs to be compromised by an attacker in the current setup.

The way to avoid this is to provide one or more official public gpg keys, and sign the files or a file with the checksums/hashes.
The checksums/hashes change with each release and each file. But the public gpg key will not change.
So you would have public gpg key + release file or sha512 of release file -> signature
Now with this an attacker can update the sha512 but he cannot recreate the signature because he does not have your private key. The user can then detect this if she obtained the untampered public gpg key, like from downloading a previous release long ago.

An example project which does this is the Electrum bitcoin wallet. On their https://electrum.org/#download page they have releases, signatures for each, and links to their public gpg keys, and also an explanation of how to verify the signatures.

I think, given that frame sh is a rather critical piece of software security-wise, this or some other way of verifying the releases is needed.

Sidenote: yes, there are internal ways to sign deb files that I have never seen used. The deb files are not signed though.

debsig-verify  frame_0.6.4_amd64.deb 
debsig: Origin Signature check failed. This deb might not be signed.

Sidenote 2: There's another related issue which was closed; I opened this anyway to ensure it is not missed, as I believe this is a really important issue that could cause serious harm to users (#726).

If there's anything that's unclear or confusing just say so, I am happy to elaborate or reword anything. I do think something must have been misunderstood, as issue 726 was closed.

Thank you for frame which is one of the best wallets really!

Also, how can I verify the validity of https://snapcraft.io/install/frame/ubuntu packages?
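
The argument in the issue above, as an added example that is not part of the original thread and not Frame's code: a release whose file is swapped and whose sha512 is recomputed still passes the checksum check, and only the signature check against a previously obtained public key rejects it. Ed25519 from Node's built-in `crypto` module stands in for the GPG detached signature, and the function names and file contents are constructed for illustration.

```javascript
// Added example (not Frame's code). Ed25519 from Node's crypto module stands in
// for the GPG detached signature; file name reused from the issue, contents constructed.
const crypto = require('crypto');

const sha512 = (buf) => crypto.createHash('sha512').update(buf).digest('hex');

// One "<sha512>  <name>" line per file, the layout sha512sum prints.
const buildManifest = (files) =>
  Object.entries(files).map(([name, data]) => `${sha512(data)}  ${name}\n`).join('');

// Maintainer: sign the checksum manifest with the private key.
function publishRelease(files, privateKey) {
  const manifest = buildManifest(files);
  return { files, manifest, signature: crypto.sign(null, Buffer.from(manifest), privateKey) };
}

// Tampering as described in the issue: swap a file and recompute the hashes.
// Without the private key the old signature is all that can be shipped.
function tamper(release, name, newData) {
  const files = { ...release.files, [name]: newData };
  return { files, manifest: buildManifest(files), signature: release.signature };
}

// User: check the manifest signature against a public key obtained earlier,
// then check every file against the manifest. Both must hold.
function verifyRelease(release, pinnedPublicKey) {
  const signatureOk = crypto.verify(
    null, Buffer.from(release.manifest), pinnedPublicKey, release.signature);
  const checksumsOk = release.manifest.trim().split('\n').every((line) => {
    const [digest, name] = line.split(/\s+/);
    const data = release.files[name];
    return data !== undefined && sha512(data) === digest;
  });
  return { checksumsOk, signatureOk, trusted: checksumsOk && signatureOk };
}

const maintainer = crypto.generateKeyPairSync('ed25519');
const official = publishRelease(
  { 'frame_0.6.4_amd64.deb': Buffer.from('constructed release bytes') },
  maintainer.privateKey);
const trojanized = tamper(official, 'frame_0.6.4_amd64.deb', Buffer.from('modified bytes'));

console.log('official  ', verifyRelease(official, maintainer.publicKey));
console.log('trojanized', verifyRelease(trojanized, maintainer.publicKey));
```

A manifest re-signed with any other key fails the same way, which is why the public key has to come from a channel other than the download being checked.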