Verification of Binary Signature Missing #1472

Open
gernotpokorny opened this issue Nov 15, 2024 · 0 comments
@gernotpokorny

How can I verify that the keystone3.bin binary was actually signed by you? Where can I download the public key for signature verification?

Currently, you only verify that the binary downloaded onto the device is the same as the one that was initially downloaded. However, this does not guarantee that the binary is legitimate, as it could have been tampered with (e.g., if the website was compromised). The use of a checksum (like SHA-256) ensures that the file hasn't been altered during the download process, but it doesn’t protect against malicious files being downloaded in the first place.

At this point, to verify the integrity of the binary, I would need to install it and compare it with my local build (created from the source code on GitHub). As a user, I would feel more confident if there was a way to independently verify that you signed the binary before I proceed with installation.

It would be very helpful if you could provide a signature verification process and make the corresponding public key available. This way, users can be certain that the binary was signed by you before installation.
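The distinction the issue draws, a checksum served by the same site versus a signature checked against a key obtained out of band, is shown below in an added example; it is not code from the Keystone project and makes no claim about how the project signs releases. It assumes a detached Ed25519 signature over the whole image, uses a throwaway key pair in place of the vendor's real key, and uses a placeholder byte string in place of keystone3.bin. A compromised download site can swap the image and recompute the SHA-256, so the checksum still matches, but it cannot produce a signature for the new bytes without the private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Sha256Hex returns the lowercase hex SHA-256 digest of data, the kind of
// checksum a download page typically publishes beside the binary.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// ChecksumMatches models the check the issue describes: it proves only that
// the bytes on disk equal the bytes the same server advertised.
func ChecksumMatches(data []byte, publishedHex string) bool {
	return Sha256Hex(data) == publishedHex
}

// VerifyRelease checks a detached Ed25519 signature over the firmware image
// against a vendor public key obtained out of band (not from the download
// site). The length checks matter: ed25519.Verify panics on a public key of
// the wrong size, and a verifier should fail closed on malformed input.
func VerifyRelease(vendorPub ed25519.PublicKey, firmware, sig []byte) bool {
	if len(vendorPub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(vendorPub, firmware, sig)
}

// Release bundles what a download page would serve: the image, its checksum
// and a detached signature.
type Release struct {
	Firmware []byte
	Sha256   string
	Sig      []byte
}

// Publish is a hypothetical stand-in for a vendor release step: it signs the
// image with the vendor's private key and computes its checksum.
func Publish(vendorPriv ed25519.PrivateKey, firmware []byte) Release {
	return Release{
		Firmware: firmware,
		Sha256:   Sha256Hex(firmware),
		Sig:      ed25519.Sign(vendorPriv, firmware),
	}
}

// TamperRelease models a compromised download site: the image is altered and
// the checksum recomputed to match, but the signature cannot be regenerated
// without the vendor's private key, so the original one is served unchanged.
func TamperRelease(r Release) Release {
	modified := append([]byte(nil), r.Firmware...)
	modified[0] ^= 0xFF
	return Release{Firmware: modified, Sha256: Sha256Hex(modified), Sig: r.Sig}
}

// Outcome reports the result of both checks for one release.
type Outcome struct {
	ChecksumOK  bool
	SignatureOK bool
}

// Check runs the checksum comparison and the signature verification.
func Check(vendorPub ed25519.PublicKey, r Release) Outcome {
	return Outcome{
		ChecksumOK:  ChecksumMatches(r.Firmware, r.Sha256),
		SignatureOK: VerifyRelease(vendorPub, r.Firmware, r.Sig),
	}
}

func main() {
	// Constructed sample: a throwaway key pair stands in for the vendor's
	// signing key, and the "firmware" is a placeholder, not keystone3.bin.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	firmware := []byte("keystone3.bin placeholder image bytes")

	genuine := Publish(priv, firmware)
	fmt.Printf("genuine:  %+v\n", Check(pub, genuine))

	tampered := TamperRelease(genuine)
	fmt.Printf("tampered: %+v\n", Check(pub, tampered))
}
```

In a real release flow the public key would be published somewhere independent of the download host (the repository, a key server, or printed in documentation shipped with the device) so that a compromise of one site cannot replace both the binary and the key.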
