Release checksums & signatures

Open tim-tx opened this issue 4 years ago • 3 comments

Request that the devs generate checksums & PGP signatures for the image releases in the future.

tim-tx avatar Jul 26 '21 22:07 tim-tx

I meant for this to be on umbrel-os, but I guess it works for this repository as well.

tim-tx avatar Jul 27 '21 00:07 tim-tx

Thanks for opening the issue. This is planned; it's not high priority for us right now while Umbrel is in beta, but it will be implemented before we do a stable release.

lukechilds avatar Jul 27 '21 15:07 lukechilds

+1 for this @lukechilds

Now that you have the super installation script curl -L https://umbrel.sh | bash, it would be nice to have this extra security layer against man-in-the-middle attacks or phishing websites.

So the user would do an extra sha256sum --check script.sha256 and gpg --verify script.sha256.asc. Not required, but useful.


Example

Last modified: Umbrel v0.5.1 09/19/2022

Download the files

# 1. Installation script
# would be better if the installation script is versioned
curl -L https://umbrel.sh > install_umbrel.sh

# 2. Checksum
curl -L https://gist.githubusercontent.com/jaonoctus/cfabf3a27b55f082b1e6ecf2da832ab3/raw/b1213593f599dce1ad7a1d1b00eefced61c3d514/SHA256SUM > SHA256SUM

# 3. Signatures
curl -L https://gist.githubusercontent.com/jaonoctus/cfabf3a27b55f082b1e6ecf2da832ab3/raw/b88fff3a5ff6ab0aaa3121b4f737fd3ce3f87f46/SHA256SUM.asc > SHA256SUM.asc

Verify that the content was not modified

sha256sum --check SHA256SUM

# expected output:
# install_umbrel.sh: OK

Verify that the checksum was not modified

# If you don't have my key already, then run this first
gpg --keyserver keyserver.ubuntu.com --recv-keys 6B457D060ACE363C9D67D8E6782C165A293D6E18

gpg --verify SHA256SUM.asc

# expected output:
# gpg: assuming signed data in 'SHA256SUM'
# gpg: Signature made Mon Sep 19 19:13:31 2022 -03
# gpg:                using RSA key 6B457D060ACE363C9D67D8E6782C165A293D6E18
# gpg: Good signature from "João Dias (jaonoctus) <[email protected]>"
# gpg:                 aka "João Dias (jaonoctus) <[email protected]>" 
# gpg:                 aka "João Dias (jaonoctus) <[email protected]>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6B45 7D06 0ACE 363C 9D67  D8E6 782C 165A 293D 6E18

jaonoctus avatar Sep 19 '22 21:09 jaonoctus
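
The steps from the comment above combined into one fail-closed check, as an added example that is not code from the thread or from the Umbrel project. It pins the fingerprint quoted in the comment instead of accepting a good signature from any key in the keyring, and confirms that the signed manifest actually names install_umbrel.sh; the function names, the `run` argument and the script file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify signature, then manifest, then hash.
# Expects install_umbrel.sh, SHA256SUM and SHA256SUM.asc in the current directory
# and the signer's public key already imported into the gpg keyring.

PINNED_FPR="6B457D060ACE363C9D67D8E6782C165A293D6E18"  # fingerprint quoted in the comment

# stdin: output of `gpg --status-fd`. Succeeds only when exactly one VALIDSIG line
# is present, its last field (primary key fingerprint) equals $1, and gpg reported
# no bad, expired or revoked signature.
signed_by_pinned_key() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "VALIDSIG" { n++; if (toupper($NF) == toupper(want)) ok++ }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
    END { exit !(n == 1 && ok == 1 && bad == 0) }'
}

# stdin: a sha256sum manifest. Succeeds only if it has an entry for file name $1,
# so that "OK" from sha256sum cannot refer to some other file.
manifest_lists() {
  awk -v f="$1" '
    { name = $2; sub(/^\*/, "", name) }
    name == f && $1 ~ /^[0-9A-Fa-f]+$/ && length($1) == 64 { found = 1 }
    END { exit !found }'
}

verify_release() {
  # 1. Signature first: a manifest not signed by the pinned key proves nothing.
  gpg --batch --status-fd 1 --verify SHA256SUM.asc SHA256SUM 2>/dev/null \
    | signed_by_pinned_key "$PINNED_FPR" || return 1
  # 2. The signed manifest must cover the script that will be executed.
  manifest_lists install_umbrel.sh < SHA256SUM || return 1
  # 3. Only now compare the downloaded script against the signed hash.
  sha256sum --check --strict SHA256SUM
}

# Hypothetical entry point: `sh verify_umbrel.sh run` (file name is an assumption).
if [ "${1:-}" = "run" ]; then
  if verify_release; then
    echo "verified: install_umbrel.sh"
  else
    echo "verification FAILED, do not run install_umbrel.sh" >&2
    exit 1
  fi
fi
```

Pinning only helps if the fingerprint was obtained over a channel other than the one that served the script and the checksum files.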