Verify download authenticity

So far it does not seem that the app is verifiable in any way.

Therefore I request it. Ideally this would be possible with gpg and the fingerprint provided in the download section.

Thanks

3 Likes

@kocj welcome to the forum.

There has been some recent discussion about this and similar matters on the forum.

2 Likes

I think the extra effort of providing means of checking integrity and authenticity is well worth it. Admittedly a note app may not be as critical as your password manager, but why implement encryption if you can't be sure of what code you're running in the first place? I provide a link to the related KeepassXC page here, which provides some good explanation of why and how.

@ajay welcome to the forum.

The downloads are code-signed using Joplin's certificates so any modifications would show as a code-signing failure.

Of course this does not apply to Linux AppImages so the devs provide a SHA512 hash for the AppImage so the download integrity can be confirmed.

[image: hash]

3 Likes

@dpoulton
Thanks for your answer, I must have missed it.
While I understand what you're saying, you have to admit that this is not as obvious or transparent to the unprepared user as a hash provided separately, or a PGP signature.

I don't understand. It is provided separately.

I understood dpoulton was saying that no hash codes are published. So I said, a hash published on the Joplin website "might" be more useful.
When you say "it is provided separately", can you let me know where? Can I download a hash for every Joplin version?
Or did I misunderstand dpoulton?

As I understand it, all downloads except for the AppImage are code-signed using Joplin's certificates and the installers have inbuilt integrity checking. The package is protected as any alteration would show as a code-signing or integrity failure. Agreed it is not obvious to the user that this is happening but it is totally transparent and requires no additional user action, such as installing and using GPG or a hash checking utility.

To be certain I just took a Joplin installer for Windows and opened it in WinHex. At a random point in the file I changed just one "nibble" from F to 0 so the single byte value went from x0F to x00. I then tried to run the installer and got this.

[image: installer_error]

As mentioned previously, the AppImage is an exception and so a SHA512 hash signature can be found in each version's Releases area on GitHub (see the image in my post above).

2 Likes
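The two checks discussed in this thread are different things: the SHA512 value on the GitHub release confirms integrity (the bytes are the ones the publisher uploaded), while a detached OpenPGP signature, checked against a fingerprint published out-of-band, also confirms authenticity (who produced them). The script below is an added example written for this thread, not code from the Joplin project or from anyone posting here. It assumes GNU coreutils `sha512sum` (on macOS use `shasum -a 512`) and GnuPG 2.1 or later; the file it checks is a constructed stand-in, the key it signs with is a throwaway key generated on the spot, and the function names are mine. The one-byte corruption mirrors dpoulton's WinHex experiment above.

```shell
#!/bin/sh
# Added example, not Joplin project code. Verifies a downloaded release file
# against (a) a SHA512 value copied from the release page and (b) a detached
# OpenPGP signature, pinning the signing key to a published fingerprint.
# Assumes GNU coreutils sha512sum and GnuPG 2.1+.

# Integrity: compare the file's SHA512 with the published value.
# Returns 0 on match, 1 on mismatch.
verify_sha512() {
    file="$1"; expected="$2"
    actual=$(sha512sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA512"
        return 0
    fi
    echo "FAIL: $file does not match the published SHA512" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Authenticity: verify a detached signature in a throwaway keyring holding only
# the publisher's key, then require the signing key's fingerprint to equal the
# one published out-of-band. A bare "Good signature" from gpg is not enough on
# its own: it is printed for any key that happens to be in the keyring.
verify_gpg_sig() {
    file="$1"; sig="$2"; pubkey="$3"; expected_fpr="$4"
    home=$(mktemp -d); chmod 700 "$home"
    status=$(gpg --homedir "$home" --batch --quiet --import "$pubkey" 2>/dev/null &&
             gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    rc=$?
    rm -rf "$home"
    [ "$rc" -eq 0 ] || { echo "FAIL: signature did not verify" >&2; return 1; }
    # Status line format: "[GNUPG:] VALIDSIG <fingerprint> ..."
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    if [ "$fpr" = "$expected_fpr" ]; then
        echo "OK: valid signature from the expected key $fpr"
        return 0
    fi
    echo "FAIL: valid signature, but from key $fpr, not $expected_fpr" >&2
    return 1
}

# Demo fixtures only (constructed): a throwaway key so the example runs offline.
# Real use imports the publisher's key file and compares against the
# fingerprint they publish, never against a locally generated key.
make_demo_keypair() {
    mkdir -p "$1" && chmod 700 "$1" &&
    gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Publisher <demo@example.invalid>' default default never 2>/dev/null
}
demo_fingerprint() {   # primary key fingerprint of the throwaway key
    gpg --homedir "$1" --with-colons --fingerprint 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}
demo_sign() {          # detached ASCII-armoured signature of $2 written to $3
    gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign -o "$3" "$2" 2>/dev/null
}
demo_export_pubkey() { # the "published" public key file
    gpg --homedir "$1" --armor --export > "$2" 2>/dev/null
}

# --- Demonstration on a constructed stand-in, not a real Joplin release ---
work=$(mktemp -d)
printf 'constructed stand-in for Joplin-x.y.z.AppImage\n' > "$work/app.AppImage"
published=$(sha512sum "$work/app.AppImage" | cut -d' ' -f1)   # stand-in for the release-page value
verify_sha512 "$work/app.AppImage" "$published"
# Overwrite a single byte in place and watch the integrity check fail.
cp "$work/app.AppImage" "$work/tampered.AppImage"
printf 'X' | dd of="$work/tampered.AppImage" bs=1 seek=7 conv=notrunc 2>/dev/null
verify_sha512 "$work/tampered.AppImage" "$published" || true
# Signature path, run only where GnuPG is available.
if command -v gpg >/dev/null 2>&1 && make_demo_keypair "$work/keys"; then
    demo_export_pubkey "$work/keys" "$work/publisher.asc"
    demo_sign "$work/keys" "$work/app.AppImage" "$work/app.AppImage.asc"
    fpr=$(demo_fingerprint "$work/keys")
    verify_gpg_sig "$work/app.AppImage" "$work/app.AppImage.asc" "$work/publisher.asc" "$fpr"
    verify_gpg_sig "$work/tampered.AppImage" "$work/app.AppImage.asc" "$work/publisher.asc" "$fpr" || true
fi
rm -rf "$work"
```

In practice you would paste the SHA512 from the GitHub release into `verify_sha512`, and for the signature path save the publisher's key file and detached `.asc` next to the download and pass the fingerprint as it is printed on the project's site; the fingerprint comparison is what makes the signature check meaningful, since any imported key would otherwise produce "Good signature".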

And on macOS, the app is both signed and notarized, which means the binary we published can't be altered and has been certified by Apple to be free of malware.

In Windows, I think there's also a process similar to notarisation but done in a more subtle way. Windows seems to gather data every time an executable is launched or maybe every time it's scanned for viruses, and over time an app is going to build up a reputation score. Once it's high enough it's possible to launch it without any warning (Joplin got to that point by now, but at first there was always a warning, even though the app was signed).

1 Like

Thanks for filling in, Laurent. Maybe you explained this somewhere else before, but I couldn't find it. My main device being a Macbook, your answer ... makes me happy.
:wink:

Thanks, Joplin is a great app.

I use AppImages and have no access to Google Play (voluntary).
Offering PGP signed downloads with the public key published still adds trust for more and more privacy aware people.

Please consider it.

Thanks again, kocj