Sign releases on github

[maltfield]

Description

Currently it is not possible to verify the authenticity or cryptographic integrity of the downloads from github.com because the releases are not cryptographically signed.

This makes it hard for dangerzone users to safely obtain the dangerzone software.

Steps to Reproduce

1. Go to the https://dangerzone.rocks/#downloads page
2. Click download
3. ???

This is also an issue on github.com

1. Go to the https://github.com/freedomofpress/dangerzone github repo
2. Click Releases
3. See .dmg and .msi files, but no signatures
4. ???

Expected behavior: [What you expected to happen]

A few things are expected:

1. I should be able to download the dangerzone PGP key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
2. I should be able to download a cryptographic signature of the release (or, better, the releases' digest file, such as a SHA256SUMS.asc file) along with the release itself
3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior: [What actually happened]

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.

Versions

Everything, all versions

[maltfield]

I see that a checksum file is provided, but it is not signed. Nor does it include previous versions.

• https://dangerzone.rocks/checksums.txt

A solution to this ticket would be to sign the releases directly or to sign a checksum file, but a cryptographic signature (made by some private key that is not uploaded to any publishing infrastructure) is necessary to provide cryptographic authenticty verification of the releases.

And the verification process should be documented, as described in the OP above.

[maltfield]

Curiously I see that the footer of the official dangerzone website lists the fingerprint of the official release signing key, and it links to the key on the keyserver:

• https://dangerzone.rocks/#downloads
• https://keys.openpgp.org/vks/v1/by-fingerprint/DE28AB241FA48260FAC9B8BAA7C9B38522604281

But, again, there's no documentation on how to download the actual release's signatures and verify them. If this is currently possible, then it should be documented and linked-to from the downloads page.

[apyrgio]

That's a very nice dig, thanks a lot for opening this issue. Ok, here's what's going on with regards to hashing/signing our artifacts:

• Windows: Our Windows artifacts are signed by an EV code-signing certificate. This certificate is provided by Certum, and users who install these artifacts will see that the application developer is "Freedom of the Press Foundation".
• MacOS: Our macOS artifacts are signed with an Apple-provided certificate, again for Freedom of the Press Foundation.
• Linux: Our artifacts are available from our repos and are signed with the private key that we mention in our installation instructions.
• For Windows and macOS, we hash the files and report their checksums, as you found out already. Checksums for previous files can be found in: https://github.com/freedomofpress/dangerzone.rocks/commits/main/checksums.txt

The above steps should be enough for the majority of our users, who will not check signatures/hashes of artifacts. I agree though that we can go one step further and sign them ourselves with the key we use for signing Linux packages. We can try to do so in the next release.

[apyrgio]

@maltfield Until the next release, here's a signed checksum file for 0.6.0:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

334e0baeba59199d513b59ef3cae6d33519a79e7733bc9e3f199d90a25f27d17  Dangerzone-0.6.0-arm64.dmg
839a0727b4fad565e76919cb0c8379adc5d217eed1ed343022abdc1559a9af7b  Dangerzone-0.6.0-i686.dmg
55e3aa4c3da08b5810b78e7553a17a4f7cb4c914bb518b22c38cc6fc3a3e83d9  Dangerzone-0.6.0-1.msi
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBMq+td12us8r1D0v86zGD2LqUcsFAmYTuPwACgkQ86zGD2Lq
UctbfQ//b2wh3wWJ6CQOAZn3ZKbpbnE1NBe9NZBT19HaizrfX80cwGKQ2QpDNMDy
fCzBVH7+6p40HGILLtdck+jM+mnDa1Z3LmzBEAIip3vYwM2VIGE6w3Xu44jx8hde
OMs+uPfDI1GdGWTTUCBcqwQ3FkgdZ7wr+BbkXKyBT7nfp+aUMPzhxsXgdYw86S1h
DZVPPeFANo+Y4vqvmjhgvcd4gs11RkCK3X9cpMZjoEmWcGMlomso8j7c8eiIVfIA
LOf4F3X/ZoI/dNehWh4eksIm5rsbzAmHGZ37e+EvdKzuhtx9YZEe6gCIy0MLx/Ru
jfUlhILQ+nmJC/4INOGusxCyQRpc+Bt0hqwwGOrh3aTQK9VVaz/J7gWg4MESoRmx
5njdk+bfPxDYv0Helvh2esFhdRXytFZjti5/U98FgCewXEMtFnp6ETQX8uVhf55K
3TCj/DVSZiTP8009mlWJu6dsiCyS1eCS67kammu0SvkZQuC6G5IP+uwDxkNDTjZy
wcxlseIBmdCaO4FLWlFVHWUSY0yv5AVy4iM4ctIgMjxUkRmYmJgckuOuCGSa3GYU
qMtMXcu2OCpV7pFhYEdaesECUa0xuVob8ViwL61Fi1+khEzotmj2pRCkEgzxWRML
0Ez6fbfK3NwzQa1I0eF+CsVWjwRkoO4ccsADuUWX9g16orPIc/M=
=4363
-----END PGP SIGNATURE-----

As you've already pointed out, the public key is here: https://keys.openpgp.org/vks/v1/by-fingerprint/DE28AB241FA48260FAC9B8BAA7C9B38522604281

[apyrgio]

We have some good news on this front. We have updated our 0.6.0 release page with signatures for our assets. Also, we now have a section in our installation guide on how to verify these signatures. Finally, once Dangerzone 0.6.1 is out, our https://dangerzone.rocks site will be updated to link to those instructions (see freedomofpress/dangerzone.rocks#37).

Thanks again @maltfield for giving us the nudge to improve our security posture here 🙂 .