Bug #1565
Status: Closed
Code signing for program installer to verify its authenticity
Description
Since downloaded files tend to be corrupted, it's better for AdiIRC to include code signing. This is the preferred way to verify program integrity on Windows.
You could get free code signing for open-source developers from Certum (http://stackoverflow.com/questions/1177552/code-signing-certificate-for-open-source-projects).
If this is not possible for some reason, it would be better to provide an alternative way to verify the downloaded installer, such as an OpenPGP detached signature (.sig or .asc file), SHA256/384/512SUM, or at least MD5SUM.
By providing several ways to verify program authenticity, you are making sure that the integrity of the program installer is authentic, so that users are worried by a virus or malware hiding inside the program installer.
Updated by Per Amundsen about 10 years ago
AdiIRC is not open source so not eligible for Opensource Certum (I assume)
I have posted the md5 and sha1 for the setup files here http://adiirc.com/download.php
And I'll see if I can self-sign the setup files for next release.
Updated by Alivema 4ever about 10 years ago
Per Amundsen wrote:
AdiIRC is not open source so not eligible for Opensource Certum (I assume)
I have posted the md5 and sha1 for the setup files here http://adiirc.com/download.php
And I'll see if I can self-sign the setup files for next release.
Thanks for providing SHA-1 and MD5 checksums for stable files.
It would be great to provide checksums for all downloadable files, especially programs and setup files, including development releases.
I think it would be better to provide an OpenPGP detached signature instead of self-signed code signing, since code signing needs a trusted certification authority to build trust.
With an OpenPGP signature, you can just create a key and publish the public key part to a keyserver such as hkp://keys.gnupg.org. Then create a detached signature (.asc or .sig) and publish the detached signature alongside the downloadable program and setup files.
A good example of OpenPGP practice for publishing program files is the PuTTY SSH client software. You can take a look at the PuTTY download site, which provides detached signatures for downloadable program files. The signature can be verified using OpenPGP software such as Cygwin gpg or Gpg4win.
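The following script is an added example, not AdiIRC's release tooling, covering both the checksum option from the issue description and the OpenPGP detached-signature workflow described in this comment: a publisher writes a SHA256SUMS list and a .asc signature next to the setup file, and a downloader checks them with sha256sum -c and gpg --verify, including what happens when the file has been corrupted or altered. The file name AdiIRC_setup.exe, the key user id and the working directory are constructed for the demo; it assumes GNU coreutils sha256sum and, for the signature part, gpg 2.1 or newer (that part is skipped if gpg is unusable).

```shell
#!/bin/sh
# Added example, not AdiIRC's own release tooling. Demonstrates the two
# integrity mechanisms discussed in the ticket: a SHA256SUMS list and an
# OpenPGP detached signature. File names and key user id are constructed.
set -eu

# Publisher side: write SHA256SUMS for every .exe in directory $1.
make_checksums() {
    ( cd "$1" && sha256sum *.exe > SHA256SUMS )
}

# Downloader side: exit 0 only if every file listed in SHA256SUMS is present
# and unchanged; sha256sum -c returns non-zero on any mismatch.
verify_checksums() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# Publisher side: ASCII-armoured detached signature for file $1, written to
# $1.asc with the secret key in $GNUPGHOME (loopback pinentry, empty passphrase
# because this is a throwaway demo key).
sign_detached() {
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1" 2>/dev/null
}

# Downloader side: exit 0 only if $1.asc was made by a key in the local
# keyring and $1 is byte-for-byte the data that was signed.
verify_detached() {
    gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

# --- demo run --------------------------------------------------------------
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
printf 'constructed stand-in for an installer\n' > "$WORK/AdiIRC_setup.exe"

make_checksums "$WORK"
if verify_checksums "$WORK"; then echo "checksum OK"; fi

# Signature demo in an isolated keyring under $WORK so the user's real keys
# are never touched. Every step is chained with && so the first failure
# (no gpg, old gpg without --quick-generate-key, ...) ends the demo cleanly.
demo_openpgp() {
    command -v gpg >/dev/null 2>&1 || return 1
    export GNUPGHOME="$WORK/gnupg"
    mkdir -m 700 "$GNUPGHOME" &&
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Release Key <release@example.invalid>' \
        default default never >/dev/null 2>&1 &&
    sign_detached "$WORK/AdiIRC_setup.exe" &&
    verify_detached "$WORK/AdiIRC_setup.exe" &&
    echo "signature OK"
}
demo_openpgp || echo "OpenPGP demo skipped (needs a usable gpg 2.1+)"

# A downloader that received a corrupted or replaced file: both checks fail.
printf 'one extra byte' >> "$WORK/AdiIRC_setup.exe"
if verify_checksums "$WORK"; then
    echo "BUG: altered file passed the checksum"
else
    echo "checksum mismatch detected"
fi
if [ -f "$WORK/AdiIRC_setup.exe.asc" ]; then
    if verify_detached "$WORK/AdiIRC_setup.exe"; then
        echo "BUG: altered file passed signature check"
    else
        echo "bad signature detected"
    fi
fi
```

Run it with `sh` on a Linux host. Two points the script makes concrete: a checksum list posted on the same web page as the download only catches corruption, because whoever can swap the installer can swap the checksums too, whereas a detached signature is only as useful as the downloader's copy of the public key, which is why the comment's advice to publish the key to a keyserver (and for users to import it before `gpg --verify`) is part of the workflow, not an optional extra.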
Updated by Per Amundsen about 10 years ago
http://adiirc.com/integrity.php
There is a link on the download page to this, should be good enough.
Updated by Per Amundsen about 10 years ago
- Category set to Interface
- Status changed from New to Resolved
- Assignee set to Per Amundsen
- Target version set to 1.9.4
From now on PGP files are automatically created and updated whenever a new release (beta or stable) is uploaded.
Updated by Per Amundsen about 10 years ago
- Status changed from Resolved to Closed