
Cryptographic Signing of Releases (PGP Signature Verification)

Open maltfield opened this issue 2 years ago • 3 comments

Feature Request

Description

Currently it is not possible to verify the authenticity or cryptographic integrity of the desktop app downloads from mega.io or github.com because the releases are not cryptographically signed.

This makes it hard for Mega users to safely obtain the Mega software, and it introduces them to supply chain attacks.

Steps to Reproduce

  1. Go to the https://mega.io/desktop or https://mega.nz/cmd page
  2. ???

Expected Behavior

A few things are expected:

  1. I should be able to download the Mega Team's Software Release PGP key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
  2. I should be able to download a cryptographic signature of the release (or, better, the releases' digest file, such as a SHA256SUMS.asc file) along with the release itself
  3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.

Versions Affected

Everything, all versions.

Use case

Installing the software securely

Suggested implementation

Cryptographic signing of all software releases with PGP

maltfield, May 21 '23 21:05

Fixing this would also be an important prerequisite for package maintainers to securely obtain the authentic MEGAsync and MEGAcmd releases before adding them to the official repos.

For example, to satisfy this Debian RFP:

  • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939318

Doing so would make this software much more accessible to thousands (millions?) of Debian, Ubuntu, Mint, etc. users.

maltfield, May 25 '23 15:05

Update: it appears that the .deb releases are signed

user@disp8122:~$ gpg --keyserver keyserver.ubuntu.com --recv-keys B01C811880480C854C73EC7E1A664B787094A482
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 1A664B787094A482: public key "MegaLimited <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
user@disp8122:~$ 

user@disp8122:~$ gpg --with-subkey-fingerprint --keyid-format 0xlong --list-keys
/home/user/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096/0x1A664B787094A482 2022-01-12 [SC] [expires: 2032-01-10]
	  B01C811880480C854C73EC7E1A664B787094A482
uid                   [ unknown] MegaLimited <[email protected]>
sub   rsa4096/0xCC657CA556002348 2022-01-12 [E] [expires: 2032-01-10]
	  48D4F37062092DA6664D42BECC657CA556002348

user@disp8122:~$ 

user@disp8122:~$ gpgv --homedir ~/.gnupg/ --keyring ~/.gnupg/pubring.kbx megasync-Debian_12_amd64.deb 
gpgv: can't allocate lock for '/home/user/.gnupg/pubring.kbx'
gpgv: Signature made Wed 06 Aug 2025 09:28:24 PM EDT
gpgv:                using RSA key B01C811880480C854C73EC7E1A664B787094A482
gpgv: Good signature from "MegaLimited <[email protected]>"
user@disp8122:~$ 

...but this ticket is still unsolved, as there is no documentation describing how to get the key out-of-band, how to verify the signature, and with a link to <- these docs directly on the download page

maltfield, Sep 24 '25 17:09

Hi, something like this:

# Import MEGA's published signing key into a throwaway keyring (not the user's default one)
curl -fsSL https://mega.nz/keys/MEGA_signing.key | gpg --no-default-keyring --keyring ./megaring.gpg --import
# Verify the .deb against that keyring only
gpgv --keyring ./megaring.gpg megasync-Debian_12_amd64.deb
# Discard the throwaway keyring
rm ./megaring.gpg

vtmateos, Sep 25 '25 14:09
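The snippet above fetches the key and the installer from the same origin, so a compromised download host could serve a matching key and package together. The out-of-band step maltfield asks for is to pin the key fingerprint obtained elsewhere (here, the one his keyserver session printed) and refuse to verify unless the fetched key matches it. The script below is an added example, not MEGA's own tooling or a script from either commenter; it assumes the key URL from vtmateos' comment and the fingerprint from maltfield's session, and every function name and the colon-format sample listing are this example's own constructions.

```shell
#!/bin/sh
# Added example: pin the MegaLimited signing-key fingerprint before trusting
# the downloaded key, then verify the .deb with gpgv as the thread shows.
set -eu

# Fingerprint printed by `gpg --list-keys` in maltfield's session above.
EXPECTED_FPR="B01C811880480C854C73EC7E1A664B787094A482"
# Key URL from vtmateos' comment (assumed to be the intended distribution point).
MEGA_KEY_URL="https://mega.nz/keys/MEGA_signing.key"

# Constructed sample of `gpg --with-colons --fingerprint` output for offline
# testing; the uid e-mail is a placeholder, the key ids/fingerprints are the
# ones shown in the thread.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:-:4096:1:1A664B787094A482:1641945600:1957478400::-:::scSC::::::23::0:
fpr:::::::::B01C811880480C854C73EC7E1A664B787094A482:
uid:-::::1641945600::HASH::MegaLimited <signing@example.invalid>::::::::::0:
sub:-:4096:1:CC657CA556002348:1641945600:1957478400:::::e::::::23:
fpr:::::::::48D4F37062092DA6664D42BECC657CA556002348:'

# Print the fingerprint of every primary key in a colon-format listing on stdin.
# Field 10 of an fpr: record is the full fingerprint; only the first fpr:
# after a pub: record is the primary key, so subkey fingerprints are skipped.
primary_fingerprints() {
    awk -F: '$1=="pub"{want=1;next} $1=="sub"{want=0;next} $1=="fpr"&&want{print $10;want=0}'
}

# Succeed only if the listing on stdin contains exactly one primary key and
# its fingerprint equals $1. Extra keys in the ring also cause a failure.
fingerprint_matches() {
    fprs=$(primary_fingerprints)
    [ "$fprs" = "$1" ]
}

# Full flow: fetch key into a throwaway keyring, pin its fingerprint, verify.
verify_release() {
    deb="$1"
    dir=$(mktemp -d)
    ring="$dir/megaring.gpg"
    trap 'rm -rf "$dir"' EXIT

    curl -fsSL "$MEGA_KEY_URL" \
        | gpg --no-default-keyring --keyring "$ring" --import

    # Refuse to use the keyring unless it holds exactly the pinned key.
    if ! gpg --no-default-keyring --keyring "$ring" --with-colons --fingerprint \
            | fingerprint_matches "$EXPECTED_FPR"; then
        echo "fetched key does not match pinned fingerprint $EXPECTED_FPR" >&2
        return 1
    fi

    # gpgv exits non-zero on a bad or missing signature, so the caller can
    # chain `verify_release file.deb && dpkg -i file.deb`.
    gpgv --keyring "$ring" "$deb"
}

# Stand-alone use: ./verify.sh megasync-Debian_12_amd64.deb
if [ "$#" -gt 0 ]; then
    verify_release "$1"
fi
```

The fingerprint pin is the piece that does the real work: once `EXPECTED_FPR` is recorded from an independent source (a keyserver, a printed fingerprint, a prior trusted install), the key URL and the package URL can live on the same host without the verification collapsing to "the server signed what the server served". The same check also rejects a keyring that was padded with an additional key.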