Signing Package Installers

billybobfrank · 2020-04-18T21:53:23.039Z

Any plans of adding GPG signatures for all the installers? Especially for those who do not use Google Play. Would be a very nice added security feature. Thoughts?

tessus · 2020-04-18T23:01:40.441Z

The packages are built via the CI pipeline (at least I think), thus this would have to be included somehow. Without a paid CI account, it might be impossible to use a private key to sign packages via a public pipeline.

billybobfrank · 2020-04-19T00:37:40.755Z

Is there anything that can be done in the short term to verify the integrity of the installer?

tessus · 2020-04-19T00:46:45.808Z

Not sure. I think this has to be done by Laurent, unless he distributes a gpg key I can use to sign the packages. But we’d still need a script that downloads the packages in question and adds the signatures. This has to be automated. I certainly don’t want to do this manually nor am I sure where to put the signatures.
At one point I looked at the gh api, but I haven’t found an easy way to use it in scripts and I don’t have the time to code it from scratch.

bedwardly-down · 2020-04-19T01:17:21.922Z

@billybobfrank, this pretty similar to what you’re wanting?

Request: Implementing MD5 Checksum Into The Joplin Build Process

billybobfrank · 2020-04-23T14:12:48.331Z

Thanks for sharing that link @bedwardly-down

That is certainly a great start for verify the integrity of the installer files. As @dpoulton mentioned in that thread, GPG signing keys are an extra layer of security. IDK, maybe I’m just being extra paranoid. Baby steps though.

laurent · 2020-04-23T14:51:47.686Z

All APK packages are signed so it’s not possible to tamper with them. If you build the APK yourself for example, and try to install it on your device it won’t work because Android will detect the different signatures (or lack of signature).