Digitally sign new release binaries
rigwild opened this issue · 3 comments
Hi!
Issue
Currently, new release binaries are not digitally signed. Only a SHA256 checksum is provided. This is ok but not enough to authenticate that it was indeed distributed by the ARK team.
If an attacker gains write access to the repository somehow (GitHub token stealer, phishing, social engineering...), he could simply replace the binaries with modified versions of the wallet/malware and update with the new corresponding SHA256 checksums.
Proposed solutions
Provide GPG signatures for the binaries
Provide .asc or .sig GPG signatures for the binaries when releasing a new version. This is free and multiplatform. Anyone who is willing to check can do it easily.
A multisig GPG public key with multiple members of the development team can be created to bring even more trust to the table.
Microsoft Authenticode
Digitally sign the Windows binaries with Microsoft Authenticode.
Unsigned binaries show the Microsoft Defender SmartScreen popup when started.
This is not ideal as buying a certificate may be expensive and the releases are multiplatform.
Note
This issue can also be applied to https://github.com/ArkEcosystem/mobile-wallet, for users who don't use official application stores.
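The verification step the proposal relies on ("anyone who is willing to check can do it easily"), written out as an added example; this is not code from the ARK project or from the issue author. It assumes a release that ships a SHA256SUMS file plus a detached .asc or .sig signature per artifact, that the team's public key has already been imported into the GnuPG keyring in use, and that the user pins the team key's fingerprint; the artifact names and the fingerprint in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example (not from the ARK project): verify a downloaded release
# artifact against the published SHA256 checksum AND a detached GPG
# signature, pinning the signer to an expected key fingerprint.
# Assumptions: the release publishes a SHA256SUMS file and a .asc/.sig
# detached signature, and the team's public key is already imported into
# the GnuPG keyring that $GNUPGHOME (or the default home) points at.
set -eu

# Print the hex SHA-256 digest of a file, using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE SUMSFILE
# Returns 0 when FILE's digest equals the entry for its basename in SUMSFILE
# ("<hex>  <name>" lines, as produced by sha256sum). A checksum alone only
# proves the download was not corrupted; it says nothing about who built it,
# because whoever can replace the binary can replace the checksum too.
verify_checksum() {
  file=$1; sums=$2
  name=$(basename "$file")
  expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# verify_signature FILE SIGFILE FINGERPRINT
# Returns 0 only when gpg reports a VALIDSIG whose signing key, or whose
# primary key, has exactly FINGERPRINT. Pinning the fingerprint (rather than
# accepting any "good signature") is what rejects a signature made with a
# look-alike key that happens to be in the keyring.
verify_signature() {
  file=$1; sig=$2; fpr=$3
  gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
    | grep -Eq "^\[GNUPG:\] VALIDSIG ($fpr |.* $fpr\$)"
}

# verify_release FILE SUMSFILE SIGFILE FINGERPRINT: both checks must pass.
verify_release() {
  verify_checksum "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
  verify_signature "$1" "$3" "$4" || { echo "bad or untrusted signature: $1" >&2; return 1; }
  echo "OK: $1 matches its checksum and is signed by $4"
}

# Usage from the download directory (artifact names and fingerprint are
# placeholders, not real ARK release names):
#   verify_release ark-desktop-wallet-linux-x64.AppImage SHA256SUMS \
#     ark-desktop-wallet-linux-x64.AppImage.asc <TEAM-KEY-FINGERPRINT>
```

The checksum check and the signature check answer different questions: the first detects a corrupted or swapped download, the second ties the artifact to a key the user obtained out of band. Pinning the fingerprint instead of trusting any key in the keyring is the detail that makes the signature meaningful in the threat model described above, where the attacker controls the release page itself.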
Thanks for opening this issue! A maintainer will review this in the next few days and explicitly select labels so you know what's going on.
If no reviewer appears after a week, a reminder will be sent out.
Hello @rigwild , thank you for opening this issue!
This will be addressed in the upcoming V3 Desktop Wallet release, so I am closing the issue for now. Thanks again.
This issue has been closed. If you wish to re-open it please provide additional information.