Request to add PGP signature, or hashes.

[jgratero]

It has been quite a while since I inquired about this:

SHA256, MD5 hashes...

But, I keep wondering, given that things are different now (supply chain attacks are now a thing, like the one experienced by Noteplus++), wouldn't it make sense to add a)Hashes to compare files, or b) a PGP signature, that gives us the chance to ascertain that the files being downloaded are indeed coming from you?

As it is, Windows Smartscreen is already blocking the last release. The issue is not overriding it, as this not a particularly difficult task. I can certainly do it. The issue is: How can I know that the warning from Smartscreen is a false positive (and therefore, discard it), if I cannot be sure that this file is coming from you? Because I have nothing to attest it otherwise.

Thank you for hearing this concern.

[karlkleinpaste]

I personally know precisely nothing about the details of signing Windows binaries. I leave this to others who might have the required clue.

I will say that I thought I'd take an initial shot by creating a key pair, but gpg --gen-key rewarded me with the famously useless diagnostic that actually means "Something went wrong, I surely know internally what it was that went wrong in that moment, but I choose not to share with you what that wrongness was -- you get to guess what it might have been."

gpg: agent_genkey failed: No such file or directory
Key generation failed: No such file or directory

I've personally never had a reason to use PGP/GPG up to this point...and I guess I still don't.

[alerque]

GPG is a boiling kettle full of foot guns. There are some other signing systems with fewer pitfalls you could consider if you don't have any other background in signing. More modern and better ... but not as widely known or deployed.

If desired I could sign artifacts post-release. I have 20 years of history with GPG (and no feet to prove it) and a key that is attested from a few directions including as a signer for Arch Linux packages.

I guess it depends on what problem is being addressed. Notepad++ had their own update delivery mechanism on the side and that was compromised. If I (or project owners) sign an CI generated artifact that still doesn't prove that GitHub hasn't been compromised. It does provide some protection against later compromise and replacement of the artifacts.

The issue of Windows binary signing is almost a completely different bag of cats...

[jgratero]

Thank you for your reply. BTW, I did not mean to sound abrasive, and if I did, I apologize. I've been using Xiphos for years, but in Linux (debian-based), not that much on Windows. On Linux, I just check the repositories, mark it to install, or do it through terminal, and that's it. Windows makes everything unnecessarily complicated, and I just wanted to be sure for my Windows machine.

[karlkleinpaste]

No, you weren't at all abrasive. I, on the other hand, get a bit abrasive in the face of objectively stupid software like gpg. Sorry.

Linux builds from the usual well-supported distributions will surely be appropriately signed via their release channels. I don't have any insight as to how to impose a signature process on our auto-builds for Windows when releases are made. Again, I lack the critical clue, but I'm open to gaining it.

[karlkleinpaste]

It occurs to me that, when releases are made, I could download both Windows binaries, run sha256sum on them, and then go back to add a couple lines of text to the release description to show those values. That at least would ensure that people can verify them as they were known immediately upon release. I'll make a note to do that for future releases.

But honestly I wonder about the real value of such a thing, considering that it would bring into question the entire github auto-build and auto-release machinery, if something were found to be compromised.

[greg-hellings]

Calculating the SHA sum can be done by the release software directly. I believe BibleTime does that with its release script.