
Signed hashes for releases

Open delta1 opened this issue 2 years ago • 1 comments

Reported by marchanton on matrix:

Hi everyone, I posted a Q about the integrity of the binary releases listed on github here #comit:matrix.org, is there anyone who can answer?

With my very limited understanding of how github releases and commit signing works it is my understanding that anyone with the credentials to "comit-botty-mc-botface" can change any release at any time, without notice, as the commit is signed using GITHUB.COM's signing keys.

I do not see signed (by a lead dev) shasums of the binary releases listed anywhere.

Again, how can I now with certainty verify that my executable is indeed released by the team behind comit-network?

Please point out any flaw in my current understanding if there is one.

delta1 avatar May 27 '22 17:05 delta1

Some steps that would be necessary to achieve this:

  • [ ] record the SHA256 hash of each binary/archive in the release in a text file to be included with the release
  • [ ] a GPG signature from one or more maintainers signing the hashes text file should be included with the release
  • [ ] the maintainer GPG public keys should be included in the code repository (as an example see the monero repo)
  • [ ] instructions on how to verify the hashes of the binaries and the signature of the hashes

delta1 avatar Jun 02 '22 09:06 delta1
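The checklist above written out as POSIX shell functions, as an added example that is not the xmr-btc-swap project's own release tooling: the maintainer produces and signs a SHA256SUMS file, the user imports the committed keys and verifies signature then hashes. MAINTAINER_KEY, the key directory and the artifact names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the xmr-btc-swap project's own release tooling:
# the maintainer-side and user-side steps for the checklist above.
# Assumed placeholders: MAINTAINER_KEY (a maintainer's key fingerprint)
# and "$keydir"/*.asc (maintainer public keys committed to the repository).
set -eu

# Maintainer: write "<sha256>  <filename>" for every artifact in $1 to
# $1/SHA256SUMS; the hash file itself and an old signature are skipped.
make_hash_file() {
  ( cd "$1" && for f in *; do
      case "$f" in SHA256SUMS|SHA256SUMS.asc) continue ;; esac
      if [ -f "$f" ]; then sha256sum -- "$f"; fi
    done > SHA256SUMS )
}

# Maintainer: detached, ASCII-armoured signature over the hash file.
sign_hash_file() {
  gpg --local-user "$MAINTAINER_KEY" --armor --detach-sign \
      --output "$1/SHA256SUMS.asc" "$1/SHA256SUMS"
}

# User: hash check only. sha256sum -c checks just the lines present, so
# an edited or deleted line is caught by the signature step, not here.
check_hashes() {
  ( cd "$1" && sha256sum --quiet --ignore-missing -c SHA256SUMS )
}

# User: import the maintainer keys from the repository checkout, verify
# the signature over SHA256SUMS, then check the artifacts against it.
# gpg --verify exits 0 for any good signature from an imported key, so
# compare the printed fingerprint with the one the project publishes.
verify_release() {
  gpg --import "$2"/*.asc
  gpg --verify "$1/SHA256SUMS.asc" "$1/SHA256SUMS"
  check_hashes "$1"
}
```

A release pipeline would call make_hash_file and sign_hash_file on the artifact directory; a user runs verify_release with the download directory and the repository's key directory.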