staking-launchpad

Verify Binary Executable Files?

Status: Open. ghost opened this issue 4 years ago • 2 comments

Quick suggestion: when directing users to the latest deposit-cli files on GitHub, including the SHA256 hashes would allow users to verify that they've downloaded the correct file. To further enhance security and boost confidence, it would be a good idea to include the GPG signature of the developer, so users can ensure that the file is authentic.

ghost, Aug 04 '20 02:08

I've been discussing this at length with various community members. The idea is very nice, but the implementation is less easy. IMO, simply adding a GPG signature is security theatre, as users are unlikely to verify the pubkey. E.g., Prysm's verification is done against a GPG key in the Makefile, which is cool, but it is easy to swap out the key before the verification.

I think a better way of handling this is via package managers. While it introduces another layer of trust, these tools are already trusted with other high security packages so assumedly they have a high degree of security.

CarlBeek, Aug 06 '20 14:08

I can understand how the presence of a GPG signature could provide a false sense of security to users. However, I would contend that even if a portion of users do not opt to verify the pubkey, there is a communal benefit. In a situation where an individual is unable to verify the signature in question, they would alert the community, and thus users would exercise caution until a resolution is reached. Furthermore, there is a sense of personal responsibility that implores everyone to exert the effort to verify.

Given the money at stake, as well as the fact that the deposit-cli files only need to be downloaded once, I personally believe the hash files and GPG signature would be a relatively trustless solution and inspire confidence. Reflecting on experiences in the Monero community, all releases include these verification components. I won't pretend to understand the difficulties in implementation, but here are a pair of guides, which would be useful if you decided to proceed with the hash / GPG verification route.

https://src.getmonero.org/resources/user-guides/verification-windows-beginner.html
https://src.getmonero.org/resources/user-guides/verification-allos-advanced.html

ghost, Aug 07 '20 04:08
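The verification flow the thread is debating, as an added example that is not code from the staking-launchpad or deposit-cli projects and not something either participant posted. It shows the check that makes a signed SHA256SUMS file worth more than "security theatre": `gpg --verify` exits 0 for any good signature, including one from a key an attacker swapped in next to the download, so the script reads the signer's fingerprint from gpg's `VALIDSIG` status line and compares it with a fingerprint pinned out of band, and only then checks the artifact against the signed checksum list. Everything it operates on is constructed on the fly: the file name `deposit-cli.tar.gz`, the throwaway "developer" and "attacker" keys, and the "pinned" fingerprint (captured at key generation here; in practice it comes from a source independent of the download, such as the key already in your keyring from an earlier release). Requires GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example: verify a release against a GPG-signed SHA256SUMS whose signer
# must match a fingerprint pinned out of band. Artifact, keys and the "pinned"
# fingerprint are constructed for the demo; nothing here is a real deposit-cli file.
set -eu

# Use coreutils sha256sum where present, shasum (macOS) otherwise.
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Throwaway GnuPG home so the demo never touches the user's own keyring.
gpg_tmp_home() { d=$(mktemp -d); chmod 700 "$d"; printf '%s\n' "$d"; }
gpg_tmp_done() { gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true; rm -rf "$1"; }

# verify_release PINNED_FPR PUBKEY SUMS SIG   (run inside the release directory)
# returns 0 = genuine, 1 = bad or unverifiable signature,
#         2 = good signature but from an unpinned key, 3 = checksum mismatch.
verify_release() {
  pinned=$1; pubkey=$2; sums=$3; sig=$4
  home=$(gpg_tmp_home)
  # Importing the published key proves nothing by itself: anyone can publish one.
  gpg --homedir "$home" --batch --quiet --import "$pubkey" 2>/dev/null
  # gpg exits 0 for any good signature, trusted key or not, so take the signer's
  # full fingerprint from the VALIDSIG status line rather than the exit status.
  if ! status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null); then
    gpg_tmp_done "$home"; return 1
  fi
  gpg_tmp_done "$home"
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / && !seen { print $3; seen = 1 }')
  if [ "$fpr" != "$pinned" ]; then
    echo "signature is valid but was made by unpinned key $fpr" >&2; return 2
  fi
  # The signature covers SHA256SUMS, not the archive: the checksum step binds the two.
  sha256_cmd -c "$sums" >/dev/null 2>&1 || return 3
  return 0
}

# --- Constructed fixtures (stand-ins for a release, a developer and an attacker) ---

# make_artifact DIR: write a fake release archive and its SHA256SUMS.
make_artifact() {
  printf 'constructed stand-in for a deposit-cli release archive\n' > "$1/deposit-cli.tar.gz"
  ( cd "$1" && sha256_cmd deposit-cli.tar.gz > SHA256SUMS )
}

# make_release DIR NAME: generate a throwaway key for NAME, export it to DIR/NAME.asc,
# detach-sign DIR/SHA256SUMS into DIR/SHA256SUMS.asc and print the key fingerprint.
make_release() {
  dir=$1; name=$2
  home=$(gpg_tmp_home)
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$name <$name@example.invalid>" default default never >/dev/null 2>&1
  fpr=$(gpg --homedir "$home" --batch --with-colons --list-keys \
        | awk -F: '/^fpr:/ && !seen { print $10; seen = 1 }')
  gpg --homedir "$home" --batch --armor --export "$fpr" > "$dir/$name.asc"
  gpg --homedir "$home" --batch --yes --pinentry-mode loopback --passphrase '' \
      --local-user "$fpr" --armor --detach-sign -o "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" 2>/dev/null
  gpg_tmp_done "$home"
  printf '%s\n' "$fpr"
}

# --- Demo: genuine release, tampered archive, swapped signing key ---
if command -v gpg >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_artifact "$work"
  PINNED_FPR=$(make_release "$work" developer)   # real life: obtained out of band, not from the download page
  rc=0; ( cd "$work" && verify_release "$PINNED_FPR" developer.asc SHA256SUMS SHA256SUMS.asc ) || rc=$?
  echo "genuine release:  rc=$rc (0 = pinned signer, checksums match)"
  printf 'extra bytes\n' >> "$work/deposit-cli.tar.gz"           # archive replaced after signing
  rc=0; ( cd "$work" && verify_release "$PINNED_FPR" developer.asc SHA256SUMS SHA256SUMS.asc ) || rc=$?
  echo "tampered archive: rc=$rc (3 = checksum mismatch)"
  make_release "$work" attacker >/dev/null                        # attacker re-signs with a key they also publish
  rc=0; ( cd "$work" && verify_release "$PINNED_FPR" attacker.asc SHA256SUMS SHA256SUMS.asc ) || rc=$?
  echo "swapped key:      rc=$rc (2 = good signature, wrong signer)"
  rm -rf "$work"
fi
```

The swapped-key case is CarlBeek's Makefile scenario: the signature verifies cleanly, and a script that only checks gpg's exit status would accept it. The fingerprint comparison is the single step that turns the signature into evidence about who built the file, which is why the pinned value has to come from somewhere the attacker who controls the download page cannot also edit.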