Please provide integrity checks for downloads via GitHub #394
Comments
yes please, @mifi in the mean time can you kindly provide a hash (checksum) for the latest windows .exe version 3.30.0 please? |
@markusd1984 @mifi I would also strongly suggest using GitHub's code signing as well. More info on this can be found here. |
Is it a feature in github to publish hashes along with binaries? What’s the benefit of that, when all binaries are hosted by Github anyhow? I mean if there was an attacker or hacker inside github he could just fake the hashes also if he wants to fake the files? Also what’s the benefit of signing commits? |
At least we can verify the download against corruption with the hash, appreciate if you can publish for that reason alone. |
@mifi Ideally if you just use Git Commit Signing you would provide all users the security of knowing that the code was created by you and it has not been altered or pushed by another entity. When you enable Signing you will get a "Verified" badge on your releases. Example Git Commit Signing is very easy to do and will bring a lot of assurance when users are downloading and using new releases. |
Ah ok. But it isn't actually me who personally creates the github release and upload artifacts - it is github actions. Will it still get a verified badge as long as the commit that was tagged is created by me? |
I can't find any data in GitHub's documentation that says this would be the case. I believe that if you sign the commit then it will still be verified, as the actions are triggered from a signed and authorized commit :) |
I tried to set up GPG signing. While it works from the command line, I cannot get it to work from my GUI apps. It seems GitHub Desktop doesn't yet support commit signing, so I think this feature is a bit new and bleeding edge, and I will wait until it's more established. |
Perhaps it's possible to set up signing manually alongside GitHub Desktop? Another reference I found: GPG signing with GitHub Desktop. |
Thanks for the research. I had tried most of those steps before, but what I was missing was Now it works also from the GUI! |
I don't really know how to publish hashes, because it's the electron-builder-action that handles all uploads, so I think the support needs to be inside there, or some custom GitHub action to create hashes after upload (download the uploaded files again and hash them?). |
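A minimal version of the "download the uploaded files again and hash them" step described above, as an added example that is not part of this thread or of the project's release workflow: a POSIX shell script that writes a SHA256SUMS file over the assets in a release directory and verifies a downloaded asset against it, treating a file that is not listed at all as a failure rather than silently passing it. The asset file names are constructed placeholders, and `sha256sum` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumes GNU coreutils sha256sum
# (on macOS substitute `shasum -a 256`).

# Write <dir>/SHA256SUMS covering every regular file in the release directory,
# in the "<hex digest>  <file name>" format that `sha256sum -c` understands.
make_checksums() {
  dir="$1"
  ( cd "$dir" && for f in *; do
      # The redirect creates SHA256SUMS before the loop runs, so skip it here.
      if [ -f "$f" ] && [ "$f" != SHA256SUMS ]; then sha256sum "$f"; fi
    done > SHA256SUMS )
}

# Verify one downloaded file against a SHA256SUMS file.
# Returns 0 only if the file is listed AND its digest matches.
# Unlike `sha256sum -c --ignore-missing`, an unlisted file is an error (2),
# so a renamed or substituted asset cannot pass verification by omission.
verify_asset() {
  sums="$1"; file="$2"
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums")
  [ -n "$expected" ] || { echo "not listed in SHA256SUMS: $name" >&2; return 2; }
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  [ "$actual" = "$expected" ] || { echo "checksum mismatch for $name" >&2; return 1; }
  echo "ok: $name"
}

# Constructed sample assets standing in for a release's .exe/.dmg files.
# Creates a temp directory, populates it, writes SHA256SUMS and prints the path.
setup_demo() {
  demo=$(mktemp -d)
  printf 'pretend windows build\n' > "$demo/app-3.30.0-win.exe"
  printf 'pretend mac build\n'     > "$demo/app-3.30.0-mac.dmg"
  make_checksums "$demo"
  echo "$demo"
}
```

A checksum file only detects corruption or a tampered download when the SHA256SUMS file itself is trustworthy; signing that file with the release key, as the issue body suggests, is what covers the case of a compromised hosting account.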
@mifi Something like this might be what you are looking for: https://github.com/marketplace/actions/generate-release-hashes I personally have not used it before though. I see that you are now pushing signed commits which is awesome! For the purpose of this issue that is essentially the security check I was looking for so I'm going to close this issue. Thanks for working with me to further improve the security of this project! I use it all the time and really appreciate your work 💯 |
@mifi might this help, manually generating electron checksum via script? https://stackoverflow.com/a/60208623/8719001 https://www.electron.build/code-signing UPDATE: sorry GrantBirki might have already provided the solution? 😄 |
Code signing is for Windows/Mac, for signing the binary. I'm already signing the Mac binary for the App Store (and notarizing the download). For Windows I need to buy a certificate, and I think it needs a lot of manual work: #218 #337 |
It would be a very nice security feature to publish hashes of files for building from source or downloading executable via GitHub.
If possible to provide a file signature via PGP that would be the icing on the cake.
https://www.gnupg.org/gph/en/manual/x135.html