
Provide digital signatures for the released binaries

Open zah opened this issue 4 years ago • 3 comments

We can either use OpenPGP (as done by the Geth team) or we can consider using a code signing certificate (perhaps reusing the certificate used for Status Desktop).

zah avatar Feb 17 '21 20:02 zah

I think checksums are a decent replacement. The security profile is the same for a signing process where you expose your private key to GitHub's CI, i.e. whoever gets access to that CI can change both your signature and checksum for a modified release.

Looking at Geth, they put their private (signing) key in a Travis CI env var: https://github.com/ethereum/go-ethereum/blob/c6195623138a995e5c8ec700ba2b0aa3f605951d/.travis.yml#L106

So whoever gets access to that CI script can alter the released binaries/packages and sign them with the original key, just as easily as producing checksums for them.

stefantalpalaru avatar Jul 05 '21 23:07 stefantalpalaru
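As an added example (not code from this issue or from the nimbus-eth2 project), the following script shows what verifying a release against a published checksum file actually buys a downloader, and where it stops. It parses the `sha256sum` output format, streams each listed artifact through SHA-256, and reports intact, modified and absent files. The optional `pinned_sums_digest` parameter is an assumption for illustration: it models the case where the digest of the SHA256SUMS file itself was obtained from a channel independent of the release download, which is the only way a checksum file published by the same CI job that built the binaries can detect a release that was swapped together with its sums. All file names and payloads are constructed in `demo()` so it runs offline.

```python
"""Release checksum verification, as an added example (not nimbus-eth2 project code).

Parses a SHA256SUMS file in the `sha256sum` output format and checks each
listed artifact.  Constructed sample files are used so it runs offline.
"""
import hashlib
import hmac
import os
import tempfile

HEX_CHARS = frozenset("0123456789abcdef")


def parse_sha256sums(text):
    """Parse lines of the form '<64 hex chars>  <name>' (or ' *<name>' for
    binary mode) into {name: digest}.  Blank lines and '#' comments are skipped;
    a malformed line is an error rather than a silent skip."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"SHA256SUMS line {lineno}: expected '<digest>  <file>'")
        digest, name = parts[0].lower(), parts[1]
        if name.startswith("*"):
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= HEX_CHARS:
            raise ValueError(f"SHA256SUMS line {lineno}: '{parts[0]}' is not a SHA-256 hex digest")
        if name in entries:
            raise ValueError(f"SHA256SUMS line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(sums_text, directory, pinned_sums_digest=None):
    """Check every artifact listed in sums_text inside directory.

    pinned_sums_digest (hypothetical parameter) is the SHA-256 of the SHA256SUMS
    file itself, obtained from a channel independent of the release download.
    Without it, a checksum file served next to the binaries only detects
    corrupted downloads, not a release replaced together with its sums.
    Returns {name: 'ok' | 'mismatch' | 'missing'}."""
    if pinned_sums_digest is not None:
        actual = hashlib.sha256(sums_text.encode()).hexdigest()
        if not hmac.compare_digest(actual, pinned_sums_digest.lower()):
            raise ValueError("SHA256SUMS does not match the out-of-band pinned digest")
    results = {}
    for name, expected in parse_sha256sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        results[name] = "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"
    return results


def demo():
    """Build a constructed release directory: one intact file, one file altered
    after the sums were produced, and one listed file that is absent."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "node-good.bin")
        tampered = os.path.join(d, "node-tampered.bin")
        with open(good, "wb") as f:
            f.write(b"constructed release payload A\n")
        with open(tampered, "wb") as f:
            f.write(b"constructed release payload B\n")
        sums_text = "\n".join(
            f"{sha256_file(p)}  {os.path.basename(p)}" for p in (good, tampered)
        ) + f"\n{'0' * 64}  node-absent.bin\n"
        # Simulate modification of one binary after the checksum file was published.
        with open(tampered, "ab") as f:
            f.write(b"extra bytes\n")
        # Pretend the digest of SHA256SUMS was read from an independent announcement.
        pinned = hashlib.sha256(sums_text.encode()).hexdigest()
        return verify_release(sums_text, d, pinned_sums_digest=pinned)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The `hmac.compare_digest` calls are not strictly needed for public digests, but using them by habit avoids timing differences if the same helper is later reused for secret-bearing values. The pinned-digest check is the part that maps to the thread's point: a signature made with a key stored in CI and a checksum file produced by the same CI give the downloader the same guarantee, and only a value anchored outside that CI (an out-of-band digest, or a key kept off the build system) adds anything.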