Publish code signing keys and signatures for Linux #837

Closed
bsclifton opened this issue Aug 25, 2018 · 7 comments
Labels: documentation ✍️ · needs-discussion · QA/No security

Comments

@bsclifton
Member

Carried over from brave/browser-laptop#197

We should publish our code signing keys and signatures so that anyone can independently verify them. See https://www.torproject.org/docs/verifying-signatures.html.en for an example of a project that does this.

I also think it's a good idea to sign git tags.

Our current status (browser-laptop):

  • we publish the Linux signing keys (used for .deb/.rpm packages)
  • many of us sign our commits already (which is reflected on GitHub)

On browser-laptop, end users can check the signature on the installer / binaries:

  • macOS can verify by running `spctl --assess --verbose /Applications/Brave.app/`. If app is signed, it should return something like this:
    /Applications/Brave.app/: accepted
    source=Developer ID
  • Windows Authenticode signature can be checked by right-clicking the installer and choosing Properties. Once open, go to the Digital Signatures tab and double-click on the signature. Make sure it says "The digital signature is OK".
@bsclifton bsclifton added this to the Backlog milestone Aug 25, 2018
@bsclifton bsclifton added the needs-discussion label Aug 25, 2018
@diracdeltas diracdeltas modified the milestones: 1.x Backlog, Releasable builds 0.55.x Sep 5, 2018
@diracdeltas
Member

diracdeltas commented Sep 5, 2018

marking this for releasable builds since we already publish the linux signing keys on the website

as mentioned to @mbacchi and @RyanJarv we will need to rotate the keys for brave-core since they are inadequately secure. we will then need to publish the new keys before release. https://brave.com/signing-keys

@bsclifton
Member Author

@mbacchi @RyanJarv I'd love to help with this- hit me up anytime 😄

@bkero
Contributor

bkero commented Oct 16, 2018

I've supplied Sampson with the public signing key for our Linux builds. MacOS and Windows builds ongoing.

@bbondy
Member

bbondy commented Oct 16, 2018

This is waiting until closer to release date, but as far as I understand everything is ready to go.

@bbondy bbondy changed the title Publish code signing keys and signatures Publish code signing keys and signatures for Linux Oct 18, 2018
@bbondy
Member

bbondy commented Oct 18, 2018

@jonathansampson has this on staging server for Linux so I'm going to close this issue.
This issue is meant to be blocking only for Linux.

I posted this issue for Windows and macOS though:
#1703

If we get it today too that's great and we can close it too, but tracking it in 1.x in the meantime.

@cg505

cg505 commented Feb 4, 2019

Is there any plan to sign git tags?

@bsclifton
Member Author

@cg505 that's a good request - I created an issue to track that here (in case you wanted to subscribe):
#3243
