Comments (23)

henrypp avatar henrypp commented on May 21, 2024 1

nice idea! how?

from simplewall.

henrypp avatar henrypp commented on May 21, 2024 1
  • Now added GPG key to GitHub and this will sign all commits.
  • Uploaded key to the SKS keyserver (hkps.pool.sks-keyservers.net) and PGP keyserver (keyserver.pgp.com); in future I can sign binaries with GPG.

henrypp avatar henrypp commented on May 21, 2024 1

done! version is NOT changed!

http://www.henrypp.org/product/simplewall#gpg

UPD: and the website is updated!

beerisgood avatar beerisgood commented on May 21, 2024 1

Nice!

Now we need the .asc file for the binary so we can check the signature.

Also, it would be good if you could copy your pubkey.txt to GitHub so that, in case your own server gets infected, you have a secure copy on GitHub.
I sign your key (5635B5FD) with my key (620F071D) so it gets more trustworthy.

henrypp avatar henrypp commented on May 21, 2024 1

Okay, I hear you. I'll put a signature for the installer in the next version.

henrypp avatar henrypp commented on May 21, 2024 1

Done. All is done. Added installer signature for all projects.

https://github.com/henrypp/simplewall/releases/download/v.1.6.5/simplewall-1.6.5-setup.sig

beerisgood avatar beerisgood commented on May 21, 2024 1

Thank you!
Works fine now

beerisgood avatar beerisgood commented on May 21, 2024

As for digital signing, I have no idea. But I'm sure there are tutorials on the internet.

But for a GPG signature that's easy: install GPG, create a 4096-bit key with valid contact info (mail and your real name or your username here), upload your public key to the GPG server, sign the binary and provide the .asc file under downloads. You then need to sign every binary.
With the .asc file and your public key we can verify the binary is really from you.

And we can sign your public key to strengthen it.
Also, you need to publish your public key ID with fingerprint on https://github.com/henrypp/simplewall so all users can import your key and can check if the key ID is correct.

Edit: Also, you can then sign your GitHub commits with the same key, or another key. For that you need to enter the key in your GitHub settings.

beerisgood avatar beerisgood commented on May 21, 2024

Nice!

Please post your GPG Key (with fingerprint) on https://github.com/henrypp/simplewall so we can use it.

beerisgood avatar beerisgood commented on May 21, 2024

push
I'm still missing your GPG key info. See my post above.

henrypp avatar henrypp commented on May 21, 2024

I am thinking about where to post this key, because I will sign all apps, and posting it on all repos is not rational.
Maybe add information into "readme.md" with a link to the key on a keyserver and the fingerprint.
Anyway, what do I post: the secret key or the public one (or both of them)?

beerisgood avatar beerisgood commented on May 21, 2024

Into the readme with key ID & fingerprint is enough.
You just need to post your public key ID (0xYOUR KEY ID) with the fingerprint.
For example, here is mine:
0x620F071D (GitHub shows 97F9E213620F071D but GPG4Win only the short version, which is still enough) - fingerprint: 3D3A A8EA 763A A97D A252 0714 97F9 E213 620F 071D

Also, you should NEVER post your secret key anywhere. This is very important; it should always be kept offline.

beerisgood avatar beerisgood commented on May 21, 2024

push
Also, it would be nice if you could sign the latest version and make a new release, maybe 1.6.5.1, because it's a small change and doesn't change the code.

henrypp avatar henrypp commented on May 21, 2024

Attach .asc to every binary... I can't. I put the key ID and its link on ha.pool.sks-keyservers.net on the website.
I think this is enough!

I sign your key (5635B5FD) with my key (620F071D) so it gets more trustworthy.

Thank you

beerisgood avatar beerisgood commented on May 21, 2024

But we need the .asc files to check the signature. Without them it isn't possible!
The command is gpg --verify [[ sigfile ] [ signed-files ]]

See here for how to create those .asc files: https://www.gnupg.org/gph/en/manual/x135.html

Also, the SHA256 checksum is now wrong for the signed binary.

henrypp avatar henrypp commented on May 21, 2024

simplewall sha256 is A-ok.

Sign .exe with: gpg --output [ sigfile ] --detach-sign [ signed-files ]

And uploaded pubkey to all repos.

beerisgood avatar beerisgood commented on May 21, 2024

We can't get the .asc file.
You need to publish it.
And without it we can't verify the binary with your key.

henrypp avatar henrypp commented on May 21, 2024

Why can't you? Here: https://raw.githubusercontent.com/henrypp/simplewall/master/pubkey.asc

beerisgood avatar beerisgood commented on May 21, 2024

Because that doesn't work.
If I try "gpg --verify pubkey.asc simplewall-1.6.5-setup.exe" I get an unknown error.
Same when I rename pubkey.asc to simplewall-1.6.5-setup.exe.asc

henrypp avatar henrypp commented on May 21, 2024
  • pubkey.asc isn't a signature; it's a public key for import into the local gpg database.
  • simplewall.sig is a signature, and it signs only the simplewall.exe binaries (32/64)

Example:

gpg --import pubkey.asc
gpg --verify simplewall.sig simplewall.exe

beerisgood avatar beerisgood commented on May 21, 2024

Yeah, I know.
But where do I get the simplewall.sig file?

henrypp avatar henrypp commented on May 21, 2024

Next to simplewall.exe

beerisgood avatar beerisgood commented on May 21, 2024

So you only signed the binaries from the packed .zip version and the installed binaries from the installer .exe version?
For the installer version that isn't good. Better to sign the whole installer.exe, because we need to verify it before we start the .exe with admin rights.

from simplewall.
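
The check this thread converges on, as an added example that is not part of the original discussion or the simplewall project: import pubkey.asc into a throwaway keyring, verify the detached signature over the installer, and accept it only if gpg's VALIDSIG status line carries the pinned full fingerprint. The function names, argument order and the sample status text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. File names and the pinned fingerprint
# are supplied by the caller; the sample status text below is constructed.

# Strip whitespace and upper-case, so "3D3A A8EA ..." equals "3d3aa8ea...".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --status-fd` output on stdin and print the primary-key
# fingerprint of the first VALIDSIG line (emitted only for a good signature).
# Field 12 is the primary key; field 3 is the signing (sub)key.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# $1 = pinned fingerprint, stdin = status output. True only on an exact match.
status_matches_pin() {
    got=$(validsig_primary_fpr)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$1")" ]
}

# $1 = pubkey.asc, $2 = detached signature, $3 = signed file, $4 = pinned fpr.
# Uses a throwaway keyring so only the imported key can satisfy the check.
verify_release() {
    home=$(mktemp -d) || return 2
    if gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null &&
       gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
           status_matches_pin "$4"; then rc=0; else rc=1; fi
    rm -rf "$home"
    return "$rc"
}

# Constructed status output for a good signature made by a signing subkey.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2017-01-01 1483228800 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
```

Called as `verify_release pubkey.asc simplewall-1.6.5-setup.sig simplewall-1.6.5-setup.exe "<published fingerprint>"`, it returns 0 only when the signature is good and was made under the pinned key; the fingerprint must come from a channel other than the download itself.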
