<p>AdiIRC Support/Bugs/Feature Requests: https://dev.adiirc.com/ (updated 2014-08-20T17:05:49Z)</p>
<p>AdiIRC - Bug #1565: Code signing for program installer to verify its authenticity</p>
<p>https://dev.adiirc.com/issues/1565?journal_id=3805, 2014-08-20T17:05:49Z, Per Amundsen (amundsen@gmail.com)</p>
<p>AdiIRC is not open source so not eligible for Opensource Certum (I assume)</p>
<p>I have posted the md5 and sha1 for the setup files here <a class="external" href="http://adiirc.com/download.php">http://adiirc.com/download.php</a></p>
<p>And I'll see if I can self-sign the setup files for next release.</p>
<p>https://dev.adiirc.com/issues/1565?journal_id=3806, 2014-08-20T18:27:26Z, Alivema 4ever</p>
<p>Per Amundsen wrote:</p>
<blockquote>
<p>AdiIRC is not open source so not eligible for Opensource Certum (I assume)</p>
<p>I have posted the md5 and sha1 for the setup files here <a class="external" href="http://adiirc.com/download.php">http://adiirc.com/download.php</a></p>
<p>And I'll see if I can self-sign the setup files for next release.</p>
</blockquote>
<p>Thanks for providing sha1 and md5 checksums for stable files.<br />It would be great to provide checksums for all downloadable files,<br />especially programs and setup files, including development releases.</p>
<p>I think it would be better to provide an OpenPGP detached signature instead<br />of self-signed code signing, since code signing needs a trusted<br />certification authority to build trust.</p>
<p>With an OpenPGP signature, you can just create a key and publish the<br />public key part to a keyserver such as hkp://keys.gnupg.org. Then create a<br />detached signature (.asc or .sig) and publish the detached signature<br />alongside the downloadable program and setup files.</p>
<p>A good example of OpenPGP practice for publishing program files is the<br />PuTTY SSH client software. You can take a look at the PuTTY download site,<br />which provides detached signatures for downloadable program files. The<br />signature can be verified using OpenPGP software such as Cygwin gpg or<br />Gpg4win.</p>
<p>https://dev.adiirc.com/issues/1565?journal_id=3807, 2014-08-20T18:28:48Z, Per Amundsen (amundsen@gmail.com)</p>
<p>I meant self-signing with a PGP key.</p>
<p>https://dev.adiirc.com/issues/1565?journal_id=3808, 2014-08-20T18:44:46Z, Per Amundsen (amundsen@gmail.com)</p>
<p><a class="external" href="http://adiirc.com/integrity.php">http://adiirc.com/integrity.php</a></p>
<p>There is a link on the download page to this, should be good enough.</p>
<p>https://dev.adiirc.com/issues/1565?journal_id=3816, 2014-08-24T12:25:56Z, Per Amundsen (amundsen@gmail.com)</p>
<ul><li><strong>Category</strong> set to <i>Interface</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Resolved</i></li><li><strong>Assignee</strong> set to <i>Per Amundsen</i></li><li><strong>Target version</strong> set to <i>1.9.4</i></li></ul><p>From now on PGP files are automatically created and updated whenever a new release (beta or stable) is uploaded.</p>
<p>here <a class="external" href="http://adiirc.com/integrity.php">http://adiirc.com/integrity.php</a></p>
<p>https://dev.adiirc.com/issues/1565?journal_id=3817, 2014-08-24T12:26:04Z, Per Amundsen (amundsen@gmail.com)</p>
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>Closed</i></li></ul>
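<p>The detached-signature workflow suggested in the thread (create a key, publish the public part, sign each file, verify after download), as an added shell example that is not part of the original thread or of AdiIRC's release process. It assumes GnuPG 2.1 or later is installed; the key identity, the file name <code>setup-demo.exe</code> and the helper function names are constructed for illustration, and the public key is handed over as a local file instead of through a keyserver.</p>

```shell
#!/bin/sh
# Added example: identities and file names are constructed, not AdiIRC's.

# Publisher: create a throwaway keyring in $1 holding an unprotected demo key,
# then export the public half to $2 (the part that would be published).
make_publisher_key() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <release@example.invalid>' \
        default default never || return 1
    gpg --homedir "$1" --batch --armor --output "$2" --export release@example.invalid
}

# Publisher: write the armored detached signature $2.asc for file $2.
sign_release() {
    gpg --homedir "$1" --batch --yes --quiet --armor --detach-sign \
        --output "$2.asc" "$2"
}

# Downloader: import public key $2 into a separate keyring $1, then check
# file $3 against $3.asc. Exit status 0 means the signature is good.
verify_release() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    gpg --homedir "$1" --batch --quiet --import "$2" 2>/dev/null || return 1
    gpg --homedir "$1" --batch --quiet --verify "$3.asc" "$3" 2>/dev/null
}

# Sign a constructed file, verify it, modify it, verify again.
demo() {
    t=$(mktemp -d) || return 2
    f="$t/setup-demo.exe"
    printf 'constructed installer bytes\n' > "$f"
    if ! { make_publisher_key "$t/pub" "$t/key.asc" 2>/dev/null &&
           sign_release "$t/pub" "$f"; }; then
        rm -rf "$t"; return 2
    fi
    for state in original modified; do
        [ "$state" = modified ] && printf 'x' >> "$f"   # simulate altered download
        if verify_release "$t/dl" "$t/key.asc" "$f"; then
            echo "$state: good signature"
        else
            echo "$state: signature rejected"
        fi
    done
    for h in "$t/pub" "$t/dl"; do gpgconf --homedir "$h" --kill all 2>/dev/null || true; done
    rm -rf "$t"
}
```

<p>Calling <code>demo</code> prints one result line per state. A good signature only shows that the file was signed by the imported key, so the key's fingerprint still has to be confirmed through a channel other than the download server.</p>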