
GPG Sign the binary releases

Open gitbugged opened this issue 6 years ago • 8 comments

There is currently no way to verify that the released binary packages are in fact released by the developer. One way to do this is to sign the packages with GNUPG/PGP. There is an automated script to do this for github users, here: https://github.com/NicoHood/gpgit

Doing so helps prevent MITM attacks/malware from spreading. Thank you.

gitbugged avatar Feb 14 '18 17:02 gitbugged

Agreed. Please can you do this @PeterSurda ?

ghost avatar Feb 14 '18 17:02 ghost

Actually I do GPG sign the binary executables. There are at the moment no binary executables for 0.6.3, 0.6.3.1 and 0.6.3.2 so there is nothing to sign.

Since 0.6.2 I also obtained a code signing certificate that is recognised by both Windows and OSX. I haven't yet figured out how to sign OSX binaries, though.

PeterSurda avatar Feb 14 '18 17:02 PeterSurda

@PeterSurda thanks for signing! I was able to get the .asc files for the binaries for v0.6.3.2 from the releases page. I was kind of confused, because the website is currently still serving up the vulnerable version without the sig. I would have helped fix that issue myself but there appears to be no way to register on the wiki to change the links around.

https://www.bitmessage.org/wiki/Main_Page

gitbugged avatar Feb 23 '18 15:02 gitbugged

The bitmessage.org website links to 0.6.1, which isn't vulnerable. Maybe it should be bumped to 0.6.3.2 though. And the signatures are available on the GitHub release page. The wiki registrations were disabled due to spam and no one had the time to fix it properly yet.

PeterSurda avatar Feb 23 '18 15:02 PeterSurda

I'm not sure if there is or was anything to do, maybe there was some confusion. If you don't want me to close this, please elaborate.

PeterSurda avatar Mar 10 '18 09:03 PeterSurda

It can be closed, I would just recommend putting the signature on the wiki page as it's the first thing people see. Helps people find it easier.

Adjusted wiki code:

[[File:windows_icon.png|link=https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1.exe]] [https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1.exe Download for Windows (32bit)][https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1.exe.asc (sig)] [https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1_64.exe (64bit)][https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1_64.exe.asc (sig)]

[[File:apple_icon.png|link=https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/bitmessage-v0.6.1.dmg]] [https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/bitmessage-v0.6.1.dmg Download for OS X][https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/bitmessage-v0.6.1.dmg.asc (sig)]

gitbugged avatar Mar 27 '18 17:03 gitbugged

Also if it's not too much to ask, the source (.tar.gz) file is unsigned. This would need to be signed as well for Arch Linux to include a sig check in the PKGBUILD.

gitbugged avatar Mar 30 '18 21:03 gitbugged
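The verification step the thread asks for (the `.asc` files beside each release, and the fingerprint pinning an Arch PKGBUILD does with `validpgpkeys`) is easy to get subtly wrong: `gpg --verify` exits 0 for a good signature from *any* key in your keyring, so a downloader who was tricked into importing an attacker's key still sees "Good signature". The script below is an added example, not code from the PyBitmessage project or from anyone in this thread. It drives `gpg` with `--status-fd` and accepts a release only when the `VALIDSIG` line carries the fingerprint obtained out of band; `EXPECTED_FPR`, the `SAMPLE_STATUS` lines and the key/file names are constructed placeholders, not the maintainer's real key.

```python
"""Verify a release artifact against its detached GnuPG signature (.asc),
pinning the expected signing-key fingerprint instead of trusting gpg's exit code.

Added example for this thread; not part of PyBitmessage. The fingerprint and
sample status lines below are constructed placeholders.
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical fingerprint. A real deployment hard-codes the maintainer's
# fingerprint obtained out of band (not from the same page as the download).
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed `gpg --status-fd 1 --verify` output for a signature made by
# EXPECTED_FPR, so the parser can be exercised offline.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-02-14 "
    "1518626400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def parse_status(status_lines: List[str], expected_fpr: str) -> VerifyResult:
    """Decide from gpg's machine-readable status whether to accept the artifact.

    Only a VALIDSIG whose signing (or primary) key fingerprint equals the pinned
    one counts. GOODSIG alone is rejected: it is emitted for any key gpg knows.
    """
    expected = expected_fpr.replace(" ", "").upper()
    saw_goodsig = False
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable noise; status lines always carry this prefix
        fields = line.split()
        kw = fields[1]
        if kw == "BADSIG":
            return VerifyResult(False, "signature does not match the file")
        if kw == "NO_PUBKEY":
            return VerifyResult(False, "signing key not in keyring: " + fields[2])
        if kw in ("EXPKEYSIG", "REVKEYSIG"):
            return VerifyResult(False, "signature made with an expired or revoked key")
        if kw == "GOODSIG":
            saw_goodsig = True
        if kw == "VALIDSIG":
            # VALIDSIG <sig-fpr> <date> <ts> <exp-ts> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <class> [<primary-fpr>]
            sig_fpr = fields[2].upper()
            primary_fpr = fields[11].upper() if len(fields) > 11 else sig_fpr
            if expected in (sig_fpr, primary_fpr):
                return VerifyResult(True, "valid signature from the pinned key", primary_fpr)
            return VerifyResult(False, "valid signature, but from an unexpected key", primary_fpr)
    if saw_goodsig:
        return VerifyResult(False, "GOODSIG without VALIDSIG; refusing")
    return VerifyResult(False, "no signature status reported")


def verify_detached(artifact: str, sig: str, expected_fpr: str = EXPECTED_FPR,
                    gnupghome: Optional[str] = None) -> VerifyResult:
    """Run gpg on a real artifact/.asc pair and feed its status to parse_status()."""
    argv = ["gpg", "--batch", "--status-fd", "1", "--verify", sig, artifact]
    if gnupghome:
        argv[1:1] = ["--homedir", gnupghome]  # isolated keyring holding only the pinned key
    proc = subprocess.run(argv, capture_output=True, text=True)
    return parse_status(proc.stdout.splitlines(), expected_fpr)


def sign_argv(artifact: str, signing_fpr: str) -> List[str]:
    """gpg command line that produces the detached, ASCII-armoured .asc the thread asks for."""
    return ["gpg", "--batch", "--local-user", signing_fpr, "--armor",
            "--detach-sign", "--output", artifact + ".asc", artifact]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: verify_release.py <artifact> <artifact.asc>
        result = verify_detached(sys.argv[1], sys.argv[2])
    else:
        result = parse_status(SAMPLE_STATUS, EXPECTED_FPR)
    print("ACCEPT" if result.ok else "REJECT", "-", result.reason)
    sys.exit(0 if result.ok else 1)
```

Keep the pinned key in its own `--homedir` so the check cannot be satisfied by an unrelated key that happens to live in the user's default keyring; the same idea is what a PKGBUILD's `validpgpkeys` array enforces for the source tarball's `.sig`.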

@Jeroentetje3 I'm having some mail issues on one server, [email protected] is probably the best way to reach me.

PeterSurda avatar Sep 26 '21 09:09 PeterSurda