Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cryptographic Signing of Releases (PGP Signatrure Verification) #3260

Open
maltfield opened this issue Jun 23, 2023 · 1 comment
Open

Cryptographic Signing of Releases (PGP Signatrure Verification) #3260

maltfield opened this issue Jun 23, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@maltfield
Copy link

Feature Request

Currently it is not possible to verify the cryptographic authenticity after downloading the Trust Wallet software because the releases are not cryptographically signed.

This makes it hard for Trust Wallet users to safely obtain the Trust Wallet software, and it introduces them to supply chain attacks.

Steps to Reproduce

  1. Go to the https://github.com/trustwallet/wallet-core/releases or https://trustwallet.com/download
  2. ???

Expected Behavior

A few things are expected:

  1. I should be able to download the Trust Wallet Team's Software Release PGP Public Key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
  2. I should be able to download a cryptographic signature of the release (or, better, the releases' digest file, such as a SHA256SUMS.asc file) along with the release itself
  3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.

Versions Affected

Everything, all versions.

Use case

Installing the software securely

Suggested implementation

Cryptographic signing of all software releases with PGP

@maltfield maltfield added the bug Something isn't working label Jun 23, 2023
@maltfield
Copy link
Author

maltfield commented Jun 23, 2023

Remember: monero's release infrastructure has already been comprimised once.

And here's a great list of historically relevant cases where this has happened to other open-source projects:

Monero is a good case study because they actually were cryptographically signing their releases with PGP. Because of this, their users had a means to detect that the software they downloaded was malicious. It was reported to the developers, and the issue was promptly resolved.

But without signing releases (as is currently the case with Trust Wallet), a user has no way to know if the software they downloaded is [a] authentic or [b] maliciously modified.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants
@maltfield and others