box-project/box2

Download signature with installer

mbrodala opened this issue · 5 comments

The installer script currently only downloads the latest .phar. To check the integrity of that file, one has to manually download the matching signature (see #123) from Github releases.

It would be useful if the installer did this automatically and downloaded the box.phar.sig next to the box.phar, so one can simply run gpg --verify box.phar.sig box.phar afterwards.
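The workflow the issue asks for (fetch box.phar and box.phar.sig side by side, then let the user verify), written out as an added example; this is not the box installer's own script. It assumes the release assets are named box.phar and box.phar.sig under the GitHub release download URL below (assumed layout, overridable via RELEASE_BASE), that the maintainer's key fingerprint has been obtained out of band and is passed in as the pin, and the fetch/verify/demo subcommands are this script's own invention. The demo subcommand signs a constructed file with a throwaway key so the verification path can be exercised offline.

```shell
#!/bin/sh
# Added example, not the box installer's own script. Assumes release assets
# box.phar and box.phar.sig under RELEASE_BASE/<tag>/ (assumed layout) and a
# key fingerprint the user obtained out of band (never from the same page).
set -eu

RELEASE_BASE=${RELEASE_BASE:-https://github.com/box-project/box2/releases/download}

# fetch_release TAG DIR: download box.phar and its detached signature next to
# each other; curl -f makes a 404 on either asset a hard failure.
fetch_release() {
    tag=$1 dir=$2
    for asset in box.phar box.phar.sig; do
        curl -fsSL -o "$dir/$asset" "$RELEASE_BASE/$tag/$asset"
    done
}

# status_primary_fpr: read gpg --status-fd output on stdin and print the
# fingerprint from the VALIDSIG line (primary-key fingerprint when gpg emits
# it as field 12, else the signing-key fingerprint in field 3); empty if none.
status_primary_fpr() {
    awk '/^\[GNUPG:\] VALIDSIG /{print (NF >= 12 ? $12 : $3); exit}'
}

# verify_phar PHAR SIG FINGERPRINT: succeed only if SIG is a valid signature
# over PHAR by the pinned key. gpg's human-readable "Good signature" is not
# enough: any key in the keyring yields it, so parse the machine-readable
# status and compare the fingerprint against the out-of-band pin.
verify_phar() {
    phar=$1 sig=$2 want=$3
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$phar" 2>/dev/null) || return 1
    got=$(printf '%s\n' "$status" | status_primary_fpr)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# demo: throwaway key in a temporary GNUPGHOME, a constructed "phar", then
# verify_phar on the good file, a wrong pin, and a tampered file.
# Prints three words: ok|fail for each case.
demo() {
    tmp=$(mktemp -d)
    export GNUPGHOME="$tmp/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'box demo <demo@example.invalid>' default default never 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" {print $10; exit}')
    printf 'constructed phar contents, not a real archive\n' > "$tmp/box.phar"
    gpg --batch --quiet --detach-sign --output "$tmp/box.phar.sig" "$tmp/box.phar"

    r_good=fail; verify_phar "$tmp/box.phar" "$tmp/box.phar.sig" "$fpr" && r_good=ok
    r_pin=fail;  verify_phar "$tmp/box.phar" "$tmp/box.phar.sig" "0000000000000000000000000000000000000000" && r_pin=ok
    printf 'tampered\n' >> "$tmp/box.phar"
    r_tamper=fail; verify_phar "$tmp/box.phar" "$tmp/box.phar.sig" "$fpr" && r_tamper=ok
    rm -rf "$tmp"
    echo "$r_good $r_pin $r_tamper"
}

case "${1:-}" in
    fetch)  fetch_release "$2" "$3" ;;
    verify) if verify_phar "$2" "$3" "$4"; then echo "$2: signature OK, key $4"
            else echo "$2: verification FAILED" >&2; exit 1; fi ;;
    demo)   demo ;;
esac
```

Usage: `sh box-verify.sh fetch <tag> .` then `sh box-verify.sh verify box.phar box.phar.sig <fingerprint>`; `sh box-verify.sh demo` prints `ok fail fail`. The script only automates the download the issue asks for; the check still depends on a fingerprint that came from somewhere other than the release page, which is the out-of-band step the thread discusses.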

I'm leaning towards no on this issue because I feel like this will give users a false sense of security if GitHub does become compromised.

Not sure where a false sense of security could be given. Even if Github is compromised and both the .phar and .phar.sig have been tampered with, a check via GPG and your public key will reveal this.

This issue is simply about convenience without any security change.

Of course, to be absolutely sure I'd have to meet you in person and verify that the public key I have retrieved is really yours. ;-)

Would it be reasonable to assume that if any of the release files are tampered with, that the files used in the gh-pages branch could also be tampered with? I can imagine a situation where the install script is modified to bypass the GPG check and falsely report that it succeeded.

But I didn't request the install script to perform the GPG verification, did I? ;-)

Again, all I'm requesting is to conveniently download the .phar.sig, nothing more. The check must still be performed by the user of course.