Project

General

Profile

Bug #1565

closed

Code signing for program installer to verify its authenticity

Added by Alivema 4ever about 7 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Immediate
Assignee:
Category:
Interface
Target version:
Start date:
08/20/2014
Due date:
% Done:

0%

Estimated time:
Operative System:
All
Regression:
No

Description

Since downloaded files tend to be corrupted, it's better for AdiIRC to include code signing. This is preferred way to verify program integrity on Windows.
You could get a free code signing for Opensource developers from Certum[[http://stackoverflow.com/questions/1177552/code-signing-certificate-for-open-source-projects]].

If this is not possible for some reason, it would be better to provide alternative way to verify downloaded installer, such as OpenPGP detached signature (.sig or .asc file), SHA256/384/512SUM, or at least MD5SUM.

By providing several ways to verify program authenticity, you are making sure that the integrity of program installer is authentic, so that users are worried by virus or malware hiding inside the program installer.

#1

Updated by Per Amundsen about 7 years ago

AdiIRC is not open source so not eligible for Opensource Certum (I assume)

I have posted the md5 and sha1 for the setup files here http://adiirc.com/download.php

And I'll see if I can self-sign the setup files for next release.

#2

Updated by Alivema 4ever about 7 years ago

Per Amundsen wrote:

AdiIRC is not open source so not eligible for Opensource Certum (I assume)

I have posted the md5 and sha1 for the setup files here http://adiirc.com/download.php

And I'll see if I can self-sign the setup files for next release.

Thanks for providing sha1 and md5 checksums for stable files.
It would be great to provide checksums for all downloadable files,
especially programs and setup files, including development release.

I think it would be better to provide OpenPGP detached signature instead
of self signed code signing since code signing needs trusted
certification authority to build a trust.

With OpenPGP signature, you can just create a key and publishing the
public key part to keyserver such as hkp://keys.gnupg.org. Then create a
detached signature (.asc or .sig) and publishing the detached signature
alongside the downloadable program and setup files.

A good example for OpenPGP practice for publishing program files is
Putty ssh client software. You can take a look at Putty download site,
which provides detached signatures for downloadable program files. The
signature can be verified using OpenPGP software such as cygwin gpg or
gpg4win.

#3

Updated by Per Amundsen about 7 years ago

I meant self signing with pgp key.

#4

Updated by Per Amundsen about 7 years ago

http://adiirc.com/integrity.php

There is a link on the download page to this, should be good enough.

#5

Updated by Per Amundsen about 7 years ago

  • Category set to Interface
  • Status changed from New to Resolved
  • Assignee set to Per Amundsen
  • Target version set to 1.9.4

From now on PGP files are automatically created and updated whenever a new release (beta or stable) is uploaded.

here http://adiirc.com/integrity.php

#6

Updated by Per Amundsen about 7 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF