standardnotes
Standard Notes Downloads Are Not Signed (Edit: Standard Notes Downloads Are Signed On GitHub!)
I would like to use Standard Notes on my desktop, but currently I have to trust that the externally hosted Standard Notes website is non-malicious.
It would be ideal if the Standard Notes executable for all platforms was provided which a secure checksum which is cryptographically signed, preferably by multiple members of the Standard Notes development team.
For an example of best-practice code signing, please see the amazing Qubes OS
macOS and Windows builds are signed. Checksums are provided under each release under SHA256SUMS: https://github.com/standardnotes/desktop/releases/tag/v3.8.18
Oh! Wonderful, thank you. I couldn't find that on the website.
For future reference, it seems that the Linux builds are also signed!
Is there any way for me to verify @antsgar 's public key fingerprint outside of GitHub?
Perhaps the Standard Notes website, for instance?
@mobitar in the current way of things, isn't it still total trust in Github? I don't see a way to get @antsgar's actual signatures and verify them myself, I need to believe Github about the results of the verification.
I also agree with @alat-rights that the way this would be really trustworthy is if the signing public key would be hosted on the Standard Notes website and the keyholder(s) would publicly attest to the the validity of the key, e.g. post a message on all company and personal profiles (Twitter, Slack, etc).
The best solution would be to post the keys everywhere (All social media, website DNS-records (this is more secure than the website), website, powerpoints, etc.), who knows, maybe even have the employees get together and read the master key fingerprint on video. Key-cycling would be optimal (every 6 months or so?), and it would of course be nice if releases are actually signed by multiple employees.
Perhaps it could also encourage trust if the developers were open about how they approached PGP key security. Are developers using hardware security tokens or are private keys available on developer systems? Are there attempts to log the use of secrets with something like HashiCorp's Vault? Is release signing performed on an air-gapped system? (Even if your private key isn't released, a compromised signing computer can sign arbitrary files). Is virtual or physical isolation used? (physical isolation is not necessarily better, given the security provided by modern hypervisers).
Is there defense in depth? What's the failure mode?
I think there is a real opportunity here for a 10x improvement by going from "Amazon, GitHub, and the certificate authority are probably trustable, the devs are probably competent if they write good code, and this app is neat" to "it would require a vast, coordinated effort for an adversary to have a chance at reading my thoughts."
The 10x improvement might be mostly psychological, but in my mind, the main problem that Standard Notes solves is the cognitive burden of self-censorship, which is strongly entangled with psychology.
The point here is not for users to nanny developers (obviously, users cannot do that). Rather, it would be a powerful signal that developers are concerned about difficult, ambiguous trust questions as much as the fun technical problems that I'm sure building Standard Notes includes lots of ;)
For now, there is a hacky thing you can do here, where you download the app from the Standard Notes website and the signed digest from GitHub. The signature lets you do TOFU, and the checksum checking means that a double-pwnage would be necessary for your file to be malicious.
Just some thoughts. As always, awesome works Standard Notes team.
If you'd be open to a deeper conversation about signing and verification, I'd love to chat. I've been obsessed with digital trust since middle school...