From f8bc4ee5873f9b004a984e26c8a9b14d3542d5c3 Mon Sep 17 00:00:00 2001 From: askmeaboutloom Date: Mon, 21 Oct 2024 21:40:08 +0200 Subject: [PATCH] Document client dependencies for code signing For transparency, since these shared libraries get signed along with our executable. --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index b04d2aa656..617704af4f 100644 --- a/README.md +++ b/README.md 
@@ -25,3 +25,20 @@ Pull requests are welcome, be it for code or anything else! If you want to contr If you want to translate Drawpile to your language, take a look at [Drawpile on Weblate](https://hosted.weblate.org/engage/drawpile/). You can translate it directly in the browser. [![translation status](https://hosted.weblate.org/widgets/drawpile/-/287x66-grey.png)](https://hosted.weblate.org/engage/drawpile/) + +## Client Dependencies + +The Drawpile client uses the following shared libraries: + +* Qt (all platforms) +* OpenSSL (all platforms) +* KDE Framework Archive (Windows, Linux AppImage, Android) +* libzip (macOS, Linux Flatpak) + +On Windows, these libraries are signed along with the executable using free code signing provided by [SignPath.io](https://about.signpath.io/) and a certificate by [SignPath Foundation](https://signpath.org/). See [the code signing policy on drawpile.net](https://drawpile.net/codesigningpolicy/) for details. + +The dependencies are pinned to known good versions and the source code for is verified against the hashes and signatures provided in their releases from upstream. SHA384 hash checks are also done for each build to ensure integrity of the source code retrieved from upstream. + +We make some patches to these dependencies when building the application, which you can find in [.github/scripts/patches](.github/scripts/patches). Each patch file contains a description as to what it does. + +You can find build processes, versions, the upstream source URLs and hashes [for Qt and OpenSSL here](.github/scripts/build-qt.cmake) and [for KDE Framework Archive and libzip here](.github/scripts/build-other.cmake).
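Review bot: the fourth added paragraph has a missing word in "the source code for is verified against the hashes and signatures provided in their releases from upstream" (read "the source code for each is verified" or "the source code for them is verified"). Since this README section exists so users can audit what gets signed alongside the executable, the same paragraph would be more useful if it said what "signatures" refers to here (upstream release signatures checked against which published key) and stated plainly that the SHA384 hashes checked on each build are the ones pinned in the linked build-qt.cmake and build-other.cmake files, so a reader can reproduce the verification rather than take it on trust. Minor wording: "Each patch file contains a description as to what it does" reads more naturally as "Each patch file contains a description of what it does".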