Signed Checksum?

Could you please release the desktop binaries (in my case the .appimage) with a signed checksum? There seems to be no need for macOS or any thing mobile but the Linux and Windows packages could benefit from it. I realize that some may doubt its marginal benefit but I'd argue that not having its packages verifiable with a public key is the odd thing for an app that otherwise exercises such strong and clear security practices. The current checksum assures integrity and not directly security.

The release of a signed checksum, to my understanding, also doesn't take much effort so it could increase security at little cost by making packages independently verifiable and thereby assuring authenticity.

Furthermore, I'd suggest adding the public key verification to the install/update script in a similar way to restic. That way, a more secure practice could be the default operation for everyone who cared for it. Though Joplin's script may need to check whether the key was imported by the user beforehand since its script doesn't require sudo privileges.

Restic's verify.go script that verifies new packages during self-update:

For reference:
https://pthree.org/2016/02/16/checksums-digital-signatures-and-message-authentication-codes-oh-my/

Note: I started a new topic because the earlier one seemed to devolve into a different thread about separate(?) checksums and verification on other platforms. Apologies, if I shouldn't have.

2 Likes

I'm curious what would be the benefit of signing the checksum? Do you know of a specific attack that would be prevented by this?

I'm asking because I can't think of any. For example, if someone takes over the GitHub account, they can build a compromised release, and that release will get a sign checksum generated by GitHub CI. So in this particular case whether it's signed or not doesn't matter. Or do you have any other attack in mind?

You're right in that a signed checksum generated by the Github CI will mostly be inconsequential if the account is lost. Then again, attackers have been sloppy before so even that may help as a fairly loose early alarm.

Ideally, you would generate and sign each checksum before release manually and upload them with the relevant binary. While this solution can be partially automated, I acknowledge that it could at the very least be an extra mental burden. Still I'd like to ask if you could do so because as it stands, the most popular way of acquiring Joplin on Linux is fundamentally insecure and a signed checksum could elevate Joplin on Linux to the same level of security it enjoys on Mac. At least in its supply chain. You could revoke the key at suspicion and prevent further malicious activity.

I realize insecure means different things to different people and working in security has likely elevated my expectations. While I believe my suggestion to be functional, please don't take it as an indictment or demand. I'm still grateful for the app.

Hello, first contribution here, so first thanks a lot for a great app!

I would respectfully second this request. I try to be very careful about which app I install on my boxes and having it gpg signed (in some ways, the app, the shasum, other) would be very valuable.

If this is not possible, perhaps integrating the sha512 into the bash script would be helpful, a link to the last sha512sum that's released with the appimage? I'm not that versed into scripting yet but could try to tweak the install script to do so instead of doing it by hand.

Also, the appimage format seems to support digital signature, though not really clear how it works for validation, it seems that there is need to download the validate tool on the side - I cannot include links yet in my posts.

Thanks!