PGP signatures for Bleachbit downloads?

Hey,
Is there any possibility of getting detached signature files from Andrew for the downloads?
I don't mean signature files for checksums (though they're useful), but checksums don't detect whether files on a server have been tampered with. Since hackers have managed to replace files with maliciously altered versions at more than one or two major organizations, I'd appreciate detached .asc files, signed with Andrew's public key.

It'd be nice to have easy-to-follow instructions for those not as familiar with using signature files to verify downloads as being "identical to the developer's final version, *before* they uploaded it to a server."
It's really getting to be important. It's been demonstrated many times now that almost no company or organization is hack-proof.

At least in Linux, it's very simple to import the developer's public key into your "keyring" program / utility, then verify all downloads from that developer in a matter of seconds. So simple, an average 10-year-old child could do it.

Thanks.

As a one-time thing for now, I uploaded the detached signatures to SF (the .sig files). Is this what you meant? I would like to make it as secure as possible, but I do not see how this increases security. Here is why.

If the signed checksums (.txt.asc) can be altered, then the detached signature can be altered too. Therefore this does not add security.

Here's another way of looking at it. If the installation package or source is altered, then its checksum will not match. If the signed checksum (.txt.asc) is altered, then it will fail verification. Therefore, the current system will detect tampering.

Yes, I should expand the documentation on how to verify the files against tampering. The current documentation has only minimal information on verification, so I added issue #307 to track this.

---
Andrew, lead developer
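The two verification paths Andrew compares above, run end to end as an added example (this is not BleachBit's code and not from either poster). It assumes the .txt.asc file is a clearsigned SHA256 list and the .sig is a detached signature over the package; the signer identity "Demo Signer <demo@example.invalid>", the file names, and the package contents are constructed stand-ins. It needs GnuPG 2.1 or later and coreutils, builds a throwaway keyring under a temporary GNUPGHOME, and checks that a genuine download passes both paths while a swapped package fails both, including the case where the attacker also rewrites the hash inside the signed list.

```shell
#!/bin/sh
# Added example for this thread, not BleachBit project code.
# Demonstrates that a signed checksum list (.txt.asc) and a detached
# signature (.sig) both detect a tampered download. Signer name, file
# names and package bytes below are constructed for the demo.

# Path 1: signed checksum list. Exit 0 only if the signature over the
# list is good AND every listed file matches its hash.
verify_via_checksums() {
    asc="$1"; dir="$2"; recovered="$asc.recovered"
    # 1a. The signature must verify first; a list whose hashes were
    #     edited after signing fails here, before any hash is compared.
    gpg --batch --verify "$asc" || return 1
    # 1b. Recover the signed text (do not parse the .asc body by hand)
    #     and compare the listed hashes against the downloaded files.
    gpg --batch --yes --output "$recovered" --decrypt "$asc" || return 1
    (cd "$dir" && sha256sum --check --strict "$recovered") || return 1
}

# Path 2: detached signature directly over the package.
verify_via_detached() {
    gpg --batch --verify "$1.sig" "$1"
}

run_demo() {
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
    # Throwaway, passphrase-less signing key (assumed demo identity).
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' default default never \
        >/dev/null 2>&1 || return 1

    # Developer side: sign a constructed stand-in for a release tarball.
    rel="$work/release"; pkg="$rel/bleachbit-demo.tar.gz"; sums="$rel/SHA256SUMS.txt"
    mkdir "$rel" || return 1
    printf 'constructed stand-in for a release tarball\n' > "$pkg"
    (cd "$rel" && sha256sum bleachbit-demo.tar.gz > SHA256SUMS.txt) || return 1
    gpg --batch --clearsign --output "$sums.asc" "$sums" || return 1
    gpg --batch --detach-sign --output "$pkg.sig" "$pkg" || return 1

    # User side, genuine download: both paths must accept it.
    verify_via_checksums "$sums.asc" "$rel" || return 1
    verify_via_detached "$pkg" || return 1

    # Attacker swaps the package on the server: both paths must reject it.
    printf 'backdoor\n' >> "$pkg"
    verify_via_checksums "$sums.asc" "$rel" && return 1
    verify_via_detached "$pkg" && return 1

    # Attacker also rewrites the hash inside the signed list to match the
    # swapped file. The hashes now agree, but the signature over the list
    # no longer does, so the signed-checksum path still rejects it.
    old_hash=$(cut -d' ' -f1 "$sums")
    new_hash=$(sha256sum "$pkg" | cut -d' ' -f1)
    sed "s/$old_hash/$new_hash/" "$sums.asc" > "$sums.asc.tmp" && mv "$sums.asc.tmp" "$sums.asc"
    verify_via_checksums "$sums.asc" "$rel" && return 1

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    return 0
}

run_demo && echo "OK: both verification paths reject the tampered package"
```

For a real download the only difference is the key: instead of a throwaway key already in the keyring, the user imports the developer's public key once (and checks its fingerprint against a source other than the download server), after which the same two `gpg --verify` calls apply unchanged.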

A long time later...
I saw (long ago & meant to comment) that you put the detached PGP signature files on SourceForge - good. That's a different signature file location from what now appears to be the file download site (here).
There is less chance of both the program download files & the signature files being altered if they are on different sites.

Have you thought about changing your key strength? Many are now using 4096.

But you probably should have a PROMINENT note on the download page(s) - where the signature files are found & a brief statement on what checksums vs. developer signature files actually check. Probably also on the GitHub download page - I've seen quite a few projects starting to do that.

Maybe a link to a site with a simple explanation of why users need to verify using PGP signatures vs. just checksums. More download files have been hacked in the last couple of years than I remember in the past.

The Tor Project has a simple explanation of why signature key verification is needed & tutorials on what users need & the simple steps to verify files for Windows, Linux, and OS X.
https://www.torproject.org/docs/verifying-signatures.html.en

New users are coming up every year & many parents didn't give them "the talk" about safe computing.

Yes, I agree I need to update my PGP key and post instructions. :) It's on the list.

---
Andrew, lead developer