Please provide sig files for builds #1270
Comments
@John-Gee: Thanks for opening an issue, it is currently awaiting triage. The triage/accepted label can be added by foundation members by writing In the meantime, you can:
Details: I am a bot created to help the BirthdayResearch developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the DeFiCh/oss-governance-bot repository.
ping @thedoublejay
Ping @fullstackninja864
I don't see signatures, only hashes.
On May 17, 2024 12:15:25 AM PDT, Harsh R ***@***.***> wrote:
Please check https://github.com/BirthdayResearch/defichain-app/releases/tag/v4.0.9
How do you check whether the app is signed or not?
GPG is used to verify the signature from the sig file against a database of signatures, and then it'll verify the app image against it.
On May 17, 2024 12:58:56 AM PDT, Harsh R ***@***.***> wrote:
How do you check whether the app is signed or not?
Try this: `codesign -dv /Applications/DeFi\ Wallet.app`. If the app is not signed it will return `/Applications/DeFi Wallet.app: code object is not signed at all`; otherwise it will return the signing details.
The point is to verify that the provided file on GH was created by the right person/service and not hijacked.
The hash only tells us if the file was downloaded correctly, since if someone has the ability to change the app image they can change the hash just as easily.
Look at what bitcoin provides for reference: https://bitcoincore.org/bin/bitcoin-core-27.0/
On May 17, 2024 10:35:25 AM PDT, John ***@***.***> wrote:
GPG is used to verify the signature from the sig file against a database of signatures, and then it'll verify the app image against it.
On May 17, 2024 12:58:56 AM PDT, Harsh R ***@***.***> wrote:
>How do you check whether the app is signed or not?
>Try this: `codesign -dv /Applications/DeFi\ Wallet.app`. If the app is not signed it will return `/Applications/DeFi Wallet.app: code object is not signed at all`; otherwise it will return the signing details.
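The distinction John draws above (a hash proves the download is intact, a signature proves who published it) is easiest to see end to end. The script below is an added example, not code from the defichain-app project or from anyone in this thread. It reproduces the release layout Bitcoin Core publishes (a `SHA256SUMS` manifest plus a detached `SHA256SUMS.asc` signature), then runs the consumer's two checks against an intact release, a swapped asset, and a swapped asset whose hash the attacker also rewrote. It assumes gpg 2.x and GNU coreutils; the key, the `wallet.AppImage` name and the `release@example.invalid` address are constructed for the demo.

```shell
#!/bin/sh
# Added demonstration, not code from the defichain-app project or from any
# participant in this thread. Shows the release layout Bitcoin Core publishes
# (SHA256SUMS + a detached SHA256SUMS.asc signature) and the two checks a
# consumer runs. Assumes gpg 2.x and GNU coreutils (sha256sum). The key,
# asset name and e-mail address below are constructed for the demo; a real
# release would be signed with the maintainers' long-lived key, fetched
# out of band rather than from the same release page as the assets.
set -eu

# Remove the throwaway keyring and its agent; GNUPGHOME must be set.
cleanup_keyring() {
  gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$GNUPGHOME"
  unset GNUPGHOME
}

# Publisher side: build a constructed "release" in a temp dir with an asset,
# a SHA256SUMS manifest, a detached signature over the manifest, and the
# exported public key. Prints the directory path.
make_demo_release() {
  dir=$(mktemp -d)
  export GNUPGHOME="$dir/gnupg"
  mkdir -m 700 "$GNUPGHOME"
  # Unattended RSA key with no passphrase (acceptable for a demo only).
  gpg --batch --quiet --gen-key >/dev/null 2>&1 <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Demo Release Key
Name-Email: release@example.invalid
Expire-Date: 0
%commit
EOF
  printf 'constructed stand-in for a wallet AppImage\n' > "$dir/wallet.AppImage"
  ( cd "$dir" && sha256sum wallet.AppImage > SHA256SUMS )
  # Sign the manifest rather than each asset: one signature covers all hashes.
  gpg --batch --quiet --armor --detach-sign \
      --output "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" >/dev/null 2>&1
  gpg --batch --quiet --armor --export release@example.invalid > "$dir/release-key.asc"
  cleanup_keyring
  echo "$dir"
}

# Consumer side. Returns 0 only when (1) the manifest's signature verifies
# under the trusted public key and (2) the asset's hash equals the manifest
# entry. The signature answers "who published this list of hashes"; the hash
# answers "is my download the file that list describes". A hash on its own
# cannot answer the first question.
verify_release() {
  asset=$1; sums=$2; sig=$3; pubkey=$4
  kr=$(mktemp -d)
  export GNUPGHOME="$kr"
  gpg --batch --quiet --import "$pubkey" >/dev/null 2>&1
  if ! gpg --batch --quiet --verify "$sig" "$sums" >/dev/null 2>&1; then
    cleanup_keyring
    echo "BAD: signature on $(basename "$sums") does not verify" >&2
    return 1
  fi
  cleanup_keyring
  # Exact filename match on the manifest's second column ("hash  name").
  expected=$(awk -v f="$(basename "$asset")" '$2 == f { print $1 }' "$sums")
  actual=$(sha256sum "$asset" | cut -d' ' -f1)
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "BAD: $(basename "$asset") does not match the signed manifest" >&2
    return 1
  fi
  echo "OK: $(basename "$asset") matches the signed manifest"
}

# Walk through the good case and the two tampering cases.
demo() {
  d=$(make_demo_release)
  a="$d/wallet.AppImage"; s="$d/SHA256SUMS"; g="$d/SHA256SUMS.asc"; k="$d/release-key.asc"
  verify_release "$a" "$s" "$g" "$k"
  # Case 1: asset replaced, manifest untouched -> hash mismatch.
  printf 'extra bytes\n' >> "$a"
  verify_release "$a" "$s" "$g" "$k" || true
  # Case 2: the manifest is rewritten to match the new asset -> the signature
  # over the manifest no longer verifies, because the signing key was never
  # available to whoever changed the files.
  ( cd "$d" && sha256sum wallet.AppImage > SHA256SUMS )
  verify_release "$a" "$s" "$g" "$k" || true
  rm -rf "$d"
}

if command -v gpg >/dev/null 2>&1; then demo; fi
```

The order of the two checks matters: verify the manifest signature first, then compare the asset's hash against the manifest entry. For a real release the public key is imported once from a channel independent of the release page, and its fingerprint is compared with the one the maintainers publish, so that a compromised release page cannot also supply a substitute key.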
Which feature is your request related to?
Security of builds.
Is your request related to a problem? Please describe.
No.
Describe the solution you'd like:
I'd like signatures (i.e. public key/private key signatures) to be provided to verify that the builds are safe.
Describe alternatives you've considered:
None
Additional context:
I maintain the AUR package for this and would like to add more security to it.
Thanks!
@thedoublejay