PGP sign our downloads?


Post by cmb » Fri Jun 29, 2018 12:07 pm

Hi!

Due to recent events, I wonder whether we should sign our downloads with PGP. As it is now, we're somewhat safe against manipulations of the GitHub downloads, since the SHA-256 hashes are hosted on cmsimple-xh.org, so an attacker would need to get access to our website also. Nonetheless, offering additional detached PGP signatures would add another level of safety, since these are basically hashes which are bound to a certain identity. See http://www.cryptnet.net/fdp/crypto/strong_distro.html for further details.

Besides some additional work for the release managers, the only downside I can see would be that probably few (if any) of our users would verify the signs.
Christoph M. Becker – Plugins for CMSimple_XH, but not for CMSimple 4+


Re: PGP sign our downloads?

Post by olape » Fri Jun 29, 2018 7:23 pm

cmb wrote (Fri Jun 29, 2018 12:07 pm):
> Besides some additional work for the release managers, the only downside I can see would be that probably few (if any) of our users would verify the signs.

This will probably be the same with the SHA-256 hashes. Unfortunately, such possibilities are hardly used. I'm not gutting myself.
But I don't know what we could do to animate the users to use these things.


Re: PGP sign our downloads?

Post by cmb » Fri Jun 29, 2018 9:22 pm

olape wrote (Fri Jun 29, 2018 7:23 pm):
> But I don't know what we could do to animate the users to use these things.

Besides actually shipping malware with wrong hashes/signatures (which hopefully never happens!) – not much. At least already showing and using best practices may help a bit to push these forward. After all, it is not hard to check hashes/signatures, if one has appropriate software installed and is accustomed to its usage. The problem is rather that few users have such software, and that many OSS projects don't even offer hashes/signatures. So let's set a good example!
Christoph M. Becker – Plugins for CMSimple_XH, but not for CMSimple 4+
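
An added example, not part of the thread and not the project's own tooling: a sketch of the two checks discussed above, comparing a download against the SHA-256 published on the website, and verifying a detached signature while pinning the signer's fingerprint instead of trusting gpg's exit status alone. The function names, the sample status text and the placeholder fingerprints are assumptions made for illustration.

```python
import hashlib
import shutil
import subprocess

# Constructed sample of `gpg --status-fd 1 --verify` output; fingerprints are placeholders.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Release Manager <rm@example.org>\n"
    "[GNUPG:] VALIDSIG " + "A" * 40 + " 2018-06-29 1530274020 0 4 0 1 8 00 " + "B" * 40 + "\n"
)

def sha256_matches(path, published_hex):
    """Compare the file's SHA-256 with the bare hex digest published on the website."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest() == published_hex.strip().lower()

def signer_fingerprints(status_text):
    """Collect signing-key and primary-key fingerprints from VALIDSIG status lines."""
    found = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            found.add(parts[2].upper())       # key that made the signature
            if len(parts) >= 12:
                found.add(parts[11].upper())  # its primary key
    return found

def signature_ok(path, sig_path, trusted_fpr):
    """True only if gpg accepts the detached signature AND trusted_fpr made it."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg is not installed")
    result = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True)
    wanted = trusted_fpr.replace(" ", "").upper()
    # Exit status 0 only means "good signature by some key in the keyring",
    # so the fingerprint is checked against the one the project publishes.
    return result.returncode == 0 and wanted in signer_fingerprints(result.stdout)

if __name__ == "__main__":
    print(sorted(signer_fingerprints(SAMPLE_STATUS)))
```

The fingerprint passed as `trusted_fpr` has to come from a channel other than the download host, otherwise the signature adds nothing over the hash.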
