Signed Checksum?

Could you please release the desktop binaries (in my case the .appimage) with a signed checksum? There seems to be no need for macOS or anything mobile, but the Linux and Windows packages could benefit from it. I realize that some may doubt its marginal benefit, but I'd argue that not having its packages verifiable with a public key is the odd thing for an app that otherwise exercises such strong and clear security practices. The current checksum assures integrity and not directly security.

The release of a signed checksum, to my understanding, also doesn't take much effort so it could increase security at little cost by making packages independently verifiable and thereby assuring authenticity.

Furthermore, I'd suggest adding the public key verification to the install/update script in a similar way to restic. That way, a more secure practice could be the default operation for everyone who cared for it. Though Joplin's script may need to check whether the key was imported by the user beforehand since its script doesn't require sudo privileges.

Restic's verify.go script that verifies new packages during self-update:

For reference:
https://pthree.org/2016/02/16/checksums-digital-signatures-and-message-authentication-codes-oh-my/

Note: I started a new topic because the earlier one seemed to devolve into a different thread about separate(?) checksums and verification on other platforms. Apologies if I shouldn't have.

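The check requested in the post above, as an added example that is not part of the original post and is not code from Joplin's install script or from restic: it verifies a detached signature over the checksum list against a pinned key, refuses to continue if the user has not imported that key, and only then compares the download's SHA-256. The file names `SHA256SUMS` and `SHA256SUMS.asc`, the function names, and the all-zero fingerprint are assumptions or placeholders.

```shell
#!/usr/bin/env bash
# Added example: names below are assumptions, not Joplin's real release layout.
# PINNED_FPR is a placeholder; a real script would carry the project's published fingerprint.
PINNED_FPR="0000000000000000000000000000000000000000"

# Succeeds only if the SHA-256 of $1 matches its entry in checksum list $2.
checksum_matches() {
    local file="$1" sums="$2" name want got
    name="$(basename "$file")"
    # sha256sum format: "<hex>  <name>" (binary mode prefixes the name with '*').
    want="$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")"
    [ -n "$want" ] || return 1
    got="$(sha256sum "$file" | awk '{ print $1 }')"
    [ "$got" = "$want" ]
}

# Succeeds only if $2 is a valid detached signature over $1 made by PINNED_FPR.
signature_valid() {
    local sums="$1" sig="$2" status
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    [ -f "$sig" ] || { echo "missing signature $sig" >&2; return 2; }
    # No sudo needed: the key must already be in the user's own keyring.
    gpg --batch --list-keys "$PINNED_FPR" >/dev/null 2>&1 || {
        echo "release key not imported; import it and check the fingerprint first" >&2
        return 3
    }
    status="$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null)" || return 1
    # A good signature from some other key in the keyring must not pass.
    printf '%s\n' "$status" | awk -v f="$PINNED_FPR" \
        '$2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 } END { exit !ok }'
}

# Signature first (authenticity of the list), then checksum (integrity of the file).
verify_release() {
    local file="$1" sums="$2" sig="$3"
    signature_valid "$sums" "$sig" || return $?
    checksum_matches "$file" "$sums"
}

# Usage inside an update script (paths are illustrative):
#   verify_release ./download.AppImage ./SHA256SUMS ./SHA256SUMS.asc || exit 1
```

Matching the `VALIDSIG` status line against the pinned fingerprint matters because `gpg --verify` alone succeeds for a good signature from any key in the user's keyring.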