Provide GPG Signatures / SHA-256 Checksums for Downloads on signal.org #1689
Comments
Today you can look at binary digital signatures on OSX and Windows, and the apt install mechanism includes gpg signatures. |
yep i know. but normally i prefer the sha256 or sha512 checksums of an archive over the OSX signing or in certain cases i check both. On the other hand is the developer ID application authority |
Thanks a good idea, thanks. Yep, that is the correct signing name. |
@scottnonnenberg can you please provide the fingerprints for the keys that are used to sign the apt packages. I would like to verify the key via a second channel before adding it to my apt key store. |
Funny. We had it in our alpha install instructions, but we thought it was too technical for the average user so we didn't put it on https://signal.org/download. The gpg fingerprint is |
Thanks, @scottnonnenberg. Putting it to the download section as an optional step would be helpful for those who want to verify whom we trust. |
Would it also be too much to ask to send your key to a keyserver? That helps increase the level of confidence when verifying a key. I'm not seeing either Whisper Systems or "Riddle Quiet" in a key search. |
Pubkey for FYI: Here are the checksums for the files I downloaded:
|
^^ thanks. I totally agree, developer GPG fingerprints and signed releases or checksum files should be provided on the downloads page as standard practice. Maybe even write a tutorial for less technical users, like Tor or Tails has. If the average user doesn't want to verify the integrity of their downloads, fine, but I think most of the privacy minded individuals (probably your largest audience) certainly do. Great product. All the best. |
For v1.1.0 :
|
Looks like the Chrome app has reached EOL. @scottnonnenberg Can you please confirm these are correct for v1.5.1:
Any chance you could start providing a signature like this when you tag a release? |
I see the latest version for Mac is 1.7.0. I wanted to download it. But can't find a checksum on the website. Would it be possible to add a link to all checksums at the bottom of the download page? |
No checksum nor GPG sig available on https://signal.org/download/ |
i cannot install the desktop version for macos because there is no checksum provided for the 1.17.1 release version. All i find on the github is a yml file containing the signature of a beta version but that does not match the zip file i download from https://signal.org/download/ so i don't feel i can safely install this application |
Release v1.17.1
Edit: fixed link to tag. |
@jonathancross Can we get some updated checksums for 1.18.0? |
Release v1.18.0 and legacy v0.48.1:
Edit: Added in a new "import" version I discovered "signal-desktop-mac-1.18.0-import.zip". |
Thanks! |
Release v1.18.1
|
Still waiting on official checksums for the developers. Would it really kill you guys to add this to your CI pipeline? Please go the extra inch if you really care about the security of your users |
checksums / sigs for 1.19? more than a year since this issue was raised, and developers are still not putting these out with each new release. on encryption software. takes what, 5 minutes? I don't get it. |
@MrPaz @joeminicucci Please help crowd source a bit of security here by providing your own PGP-signed hashes. You can also verify mine and those from @daviewales (just give it a 👍 if correct) |
|
I got the same checksums as @daviewales for v1.19.0 (and added in signal-desktop-mac-1.19.0-import.zip):
|
Apparently, this issue is preventing signal from being packaged in the official Arch Linux repositories. |
@scottnonnenberg-signal thoughts on the earlier requests above to simply provide checksums, or a link to another page with them, on https://signal.org/download for the security-conscious user? It seems posting this for all OS's at a release should be some low-hanging fruit. As a signal desktop user on Mac (can't w/ confidence on RPM-based linux), I think the only way to verify files downloaded (other than by something like Thanks for your efforts - love the product and the new features (emoji search, etc.), but would like to have more confidence in the files downloaded. |
Something like Anaconda does would be really nice. |
A gpg signature is far better than a checksum listed on a website (those do not provide any additional security). The Web Of Trust can be used to identify the key. |
Exactly. Anyone sophisticated enough to upload malicious binaries to the Signal website is sophisticated enough to upload the hash of the malicious binaries to the Signal website. Signing the files using either the Web of Trust (GPG) or trusted certificate authorities is the only way to guarantee that the files were approved by members of the Signal team. The advantage of GPG is that you don't have to trust certificate authorities. The disadvantage of GPG is that not many people have a sufficiently complete Web of Trust. Another advantage of the Web of Trust is that it is decentralised, which makes it harder for hostile governments to control it. However, even if your web of trust is incomplete, you can at least have the assurance that the signing key has not changed since you first downloaded it. If the same signing key is valid over a long period of time, it increases one's confidence. |
Sorry if this is naive, but isn't there a case where the malicious binaries are not uploaded to signal but my ISP (maybe in a country with state run ISPs) replaces the binary on the way down? In this case the sha256 would not match the website. I'm not denying that the gpg signed hash is better. It obviously is. Just asking a technical question. (I have spent some time reading on https and man-in-the-middle and it seems that there are possible scenarios). |
Imagine the worst case scenario: Your ISP forces you to install a root certificate so they can monitor and intercept (Man in the Middle) even your encrypted https traffic. This is the only way they could replace the signal binary in transit. If they can replace the Signal binary in transit, they can also replace the hash page in transit. The reason that GPG can escape this kind of problem is that you can build the Web of Trust 'out of band', or offline. If I have seen and signed your GPG key with my GPG key, there is no way for any signed message from you to be faked. The only option is for the malicious third-party to obtain a copy of your private key, which should ideally be stored offline, and encrypted with a strong password. |
@jerlich yes - to your general question. Keep in mind caching where a site will allow caching downstream (at the ISP, etc. level). There are cache poisoning, etc. attacks where exactly what you're saying can happen - the downstream caching proxy can somehow contain the wrong, or a malicious, version of the file. There are different ways for this to be set up, but the file can, at the surface, look as if it came from the originally requested site instead of an intermediate cache. Again - impetus to use some kind of out-of-band encryption/verification that @daviewales alluded to. |
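
Added example (not part of the thread and not Signal's code): the argument in the comments above, run end to end, showing that a checksum served alongside the file still verifies after both are replaced, while a signature checked against a previously obtained public key does not. It assumes `openssl` and `sha256sum` are installed and uses an RSA key with `openssl dgst` as a stand-in for a GPG signature; the file names `app.zip`, `pinned.pub` and their contents are constructed.

```bash
#!/usr/bin/env bash
# Added illustration; file names and contents are constructed sample data.
# RSA via `openssl dgst` stands in for the GPG signatures discussed above.
set -u
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Publisher: key pair made offline, then release + checksum + signature.
publish() {
  openssl genrsa -out "$work/signing.key" 2048 2>/dev/null
  openssl rsa -in "$work/signing.key" -pubout -out "$work/pinned.pub" 2>/dev/null
  mkdir -p "$work/site"
  printf 'genuine release bytes\n' > "$work/site/app.zip"
  (cd "$work/site" && sha256sum app.zip > app.zip.sha256)
  openssl dgst -sha256 -sign "$work/signing.key" \
    -out "$work/site/app.zip.sig" "$work/site/app.zip"
}

# Whoever controls the site or the channel replaces file and checksum together.
# The private key is not on the site, so no matching .sig can be produced.
tamper() {
  printf 'replaced release bytes\n' > "$work/site/app.zip"
  (cd "$work/site" && sha256sum app.zip > app.zip.sha256)
}

# Check 1: checksum fetched from the same place as the file.
check_checksum() {
  (cd "$work/site" && sha256sum -c app.zip.sha256 >/dev/null 2>&1)
}

# Check 2: signature verified with a public key obtained earlier, out of band.
check_signature() {
  openssl dgst -sha256 -verify "$work/pinned.pub" \
    -signature "$work/site/app.zip.sig" "$work/site/app.zip" >/dev/null 2>&1
}

publish
check_checksum && check_signature && echo "genuine:  checksum ok, signature ok"
tamper
check_checksum && echo "replaced: checksum still ok"
check_signature || echo "replaced: signature rejected"
```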
This thread is older, i know. But for me still an open case. Anybody ever listened to Jack Rhysider's podcast "Darknet Diaries"? I know, just some rumors, but there are more and more cases, where the Signal App was replaced with a trojan one.. example: Episode 38 - Dark Caracal Having then no quick view / way to go to verify the integrity is really bad... Can we somehow help out? |
We have an existing, cryptographically strong mechanism for verifying updates: Signal-Desktop/ts/updater/macos.ts Lines 77 to 78 in 5eef2ee
That's probably your best bet for verifying that builds are trustworthy. If you need .sig files for Linux |
Well that's good for updates, but not really for a first-installation...
Currently for mac.. but providing it in general would really be nice |
@fanvyr Should be useful for new installations as well. You can pull down the build and the |
Ah awesome, let me check that out. Missed that. |
@scottnonnenberg-signal sorry for the probably naive question but where those |
@rpkoller For example, the most recent macOS build has a sig: https://updates.signal.org/desktop/signal-desktop-mac-1.32.1.zip.sig. We don't generate a |
@scottnonnenberg-signal ah thanks scott didn't know that! but i ran into one follow up question. :/ what is the signing key then used generating the sig file? Was unable to find any on the signal.org website. Tried to verify the zip file with the pub key found on the keyserver by Curt Brune (Signal Artifact Signing) there but that seems not to be the right one which generated the sig file. |
With PGP we have a way to establish the correct signing key (meeting in person, Web of Trust, etc) -- How can we establish the correct signing key in this workflow? |
The public key for our updates key pair is here: Signal-Desktop/config/default.json Line 6 in f64ca0e
|
Putting on my tinfoil hat... Why should we simply trust GitHub Inc (and everyone who has access to the infrastructure -- officially and unofficially) and DigiCert Inc (and everyone there), etc that this is the correct key? It is unlikely that I am seeing a different key, sig and zip file than others here, but completely possible. Looking at the history of that file, I see that a GH user called @scottnonnenberg added the file and signed their commits. Then later @scottnonnenberg-signal added this key in question with an unsigned commit: c8ea2e9#diff-1e9c3d615e9ebaaaa3669b4c2fd87d00 That commit could have been added by malware on your system, a GitHub employee, and many others. It could even be that I am the only one seeing this particular key. I understand this might sound outlandish, but such a scenario is exactly the type of thing Signal devs should consider if making a tool that challenges the surveillance state. A MITM attack like this would absolutely be used against high value targets. It would be nice if there was at least an attempt to mitigate such attacks using basic, well-known tools such as |
@scottnonnenberg-signal hmmm somehow i am unable to manage to import that public key you've mentioned in #1689 (comment) into my gpg keychain. so the next step verifying the recent zip archive with the according sig file. :/ |
@rpkoller - It is not a gpg key. |
@jonathancross ahhh now i slightly grasp your remark in #1689 (comment) ... but github even supports gpg signage of commits :/ i suppose that would be more trustworthy in comparison to the procedure with github internal system ... and out of curiosity how you are able to verify the releases in the current setup? searched all over the documentation but either found gpg related stuff or how to commit but not how to verify the results? |
Hey man, how to gen .sig file when build release update new version for signal desktop |
@thinh185 that quote has nothing to do with OpenPGP |
Given the EncroChat hack. I would suggest this Issue has become more urgent. This also goes for the client verifying that downloaded automatic upgrades are signed by the Signal Code Signing key (If this is not happening already). If the Signal Domain (or even computer issuing the binaries) was compromised and dodgy binaries go flying out, that's the end of Signal, full stop, forever. All users kiss Signal goodbye. |
There will be a flood of new Signal users as a result of Facebook's WhatsApp privacy policy change taking effect 2021-02-08. People leaving WhatsApp for privacy reasons are more likely to be interested in the security of their replacement solution. The Signal Windows app download page doesn't provide any kind of checksum details. Wasn't able to find them on download pages for other OSen either. |
+1 for having signed hashes available for releases. |
+1 too. Checksums and most importantly, GPG signatures. Doing this for new releases allows us to be more confident from the get-go, since we can then trust the updates too. Seriously guys this is basic security 101 - WTF????? If you think putting the signature files up for download is going to scare people off because it is too technical, then put it on a separate page like the stand-alone APK file download is. |
Please reopen this issue. It's 2024 and there are still no clear and simple ways to easily verify the integrity of these downloads. The resistance on the topic makes me seriously doubt the integrity of Signal. I love the app, but this reeks of bad intent. |
Hi, it would be neat if a sha256 checksum could be provided on signal.org so the integrity of the downloaded app archives could be validated. Cheers Ralf