
DroidFS

Open Frydzyslaw opened this issue 1 year ago • 2 comments

Frydzyslaw Apr 26 '23 13:04

I'm curious, in the latest release you say "Don't trust GitHub, verify hash"

Have there been cases where Github modifies apps?

S7venLights May 12 '23 21:05

Have there been cases where Github modifies apps?

That's not important. The fact is that they can. Therefore, it is a threat.

Even if this has never been proven, GitHub could still have done it, for example by modifying the binary only for a single targeted user, so the rest of the world would not notice.

Moreover, the threat is not limited to GitHub itself. Even if you trust GitHub, it's owned by Microsoft, which is a US-based company. This means that the US government has the right to force GitHub to include backdoors in developer releases without making anyone aware, and without anyone noticing, for example by targeting specific users, replacing PGP key fingerprints and re-signing releases with their own key.

But let's say you trust Microsoft and the US government, including all its allies. An evil certificate authority (CA) could sign a duplicate TLS certificate for the github.com domain and intercept your internet connection. So they would be able to replace the GitHub TLS certificate with their own, thus bypassing E2E encryption. You would then download a modified release without you or your browser noticing anything.

This could be considered a little paranoid, but it is not, especially for a security application like DroidFS, which people can use to store critical information.

In addition, PGP signatures protect end users in the event that the developer's GitHub account is compromised or if GitHub itself is hacked.

hardcore-sushi May 13 '23 19:05
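The thread above argues that a release downloaded from GitHub should be checked against a hash and a PGP signature, and that the developer's key fingerprint itself must be pinned, since an attacker who can replace the binary can also replace the key advertised next to it. The script below is an added example of that check, written for this page; it is not DroidFS's own tooling. It assumes the caller supplies the release file, a detached `.asc` signature, the expected SHA-256 and the developer's key fingerprint, and that the hash and fingerprint were obtained from a channel independent of the GitHub release page (otherwise the check is circular). File names and the fingerprint are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not DroidFS's own tooling): verify a downloaded release
# against a SHA-256 hash and a detached PGP signature, where the expected
# hash and the developer's key fingerprint were obtained OUT OF BAND
# (not from the same GitHub page the file came from). File names and the
# fingerprint are hypothetical placeholders supplied by the caller.
set -u

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
  [ "$actual" = "$expected" ]
}

# verify_pgp FILE SIGFILE PINNED_FINGERPRINT -> 0 only if gpg reports a
# VALIDSIG whose primary-key fingerprint equals the pinned value.
# Checking only the exit status of "gpg --verify" is not enough: any key
# that happens to be in the keyring (e.g. one pulled from a keyserver or
# from a GitHub profile) would pass, which is exactly the key-substitution
# scenario described in the thread.
verify_pgp() {
  file=$1
  sig=$2
  pinned=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
  # Status line: [GNUPG:] VALIDSIG <fpr> <date> <ts> ... <primary-key-fpr>
  primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF}')
  [ -n "$primary" ] && [ "$primary" = "$pinned" ]
}

# Usage: ./verify-release.sh FILE EXPECTED_SHA256 FILE.asc KEY_FINGERPRINT
if [ "$#" -eq 4 ]; then
  if verify_sha256 "$1" "$2" && verify_pgp "$1" "$3" "$4"; then
    echo "OK: $1 matches the pinned hash and is signed by $4"
  else
    echo "REJECT: $1 failed hash or signature verification" >&2
    exit 1
  fi
fi
```

Both checks have to pass: the hash alone tells you the bytes are the ones someone published, the pinned fingerprint tells you who published them, and neither value should be copied from the same place the binary came from.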