8

Add signing to SailfishOS SDK [answered]

asked 2014-11-08 20:05:03 +0300

alloj

When I download SailfishOS SDK I would like to download a gpg signature file, so that I can verify the integrity of the installation package.


The question has been closed for the following reason "the question is answered, an answer was accepted" by eric
close date 2014-11-11 10:26:09.958193

1 Answer

1

answered 2014-11-09 17:36:08 +0300

Jare

MD5 checksums for the current installer packages are available here: https://sailfishos.org/wiki/FileInformation_SDK_1410 and https://sailfishos.org/wiki/FileInformation_SDK_1407. This information should be sufficient for verifying the integrity of the downloaded installer packages. Obviously by providing a digital signature file one could also verify the authenticity of the downloaded installer packages, but basically, as a secure connection is used, sailfishos.org itself would have to be compromised for the authenticity check to fail. So in my opinion GPG signature files wouldn't add that much more value to the already provided checksums.


Comments

1

Do you consider it impossible for sailfishos.org to be hacked into? :)

I would feel better if there would be a PGP signature included from an "official" Jolla/Sailfish key, created from a more secure internal machine during the release process. I'm in security and it would be somewhat embarrassing if something were to happen to my own laptop because of installing an unsigned binary, not to mention the mess created if my SDK-generated binaries would themselves spread malware to anyone using my compiled code.

Unless distributed out-of-band, a checksum is useless as anybody who can modify the binary, can also modify the provided checksum.

wvh (2015-11-08 15:35:07 +0300)
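The difference between the two positions in this thread, as an added example that is not part of the original posts: a checksum served by the same origin as the installer catches accidental corruption, but only a reference value obtained out-of-band rejects a replaced installer. The `publish` model, the sample bytes and the pinned digest are constructed assumptions, not SDK data.

```python
import hashlib
import hmac

def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of data; MD5 by default because that is what the wiki pages list."""
    return hashlib.new(algo, data).hexdigest()

def publish(installer: bytes) -> dict:
    """Hypothetical model of one origin hosting both the installer and its checksum page."""
    return {"installer": installer, "checksum": digest(installer)}

def verify_same_channel(origin: dict) -> bool:
    """Check the installer against the checksum served by the same origin."""
    return hmac.compare_digest(digest(origin["installer"]), origin["checksum"])

def verify_pinned(origin: dict, pinned: str) -> bool:
    """Check the installer against a digest the user obtained out-of-band."""
    return hmac.compare_digest(digest(origin["installer"]), pinned)

# Constructed sample data, not real SDK bytes.
GENUINE = b"constructed-installer-v1"
TAMPERED = b"constructed-installer-v1+modified"

honest = publish(GENUINE)
# Whoever can replace the file on the origin can regenerate the checksum too.
compromised = publish(TAMPERED)
# Truncated download from an otherwise honest origin (accidental corruption).
corrupted = {**honest, "installer": GENUINE[:-1]}
# Digest recorded earlier over a separate channel (assumption of this example).
PINNED = digest(GENUINE)

def outcomes() -> dict:
    """Run every verification case and report whether the installer is accepted."""
    return {
        "honest/same-channel": verify_same_channel(honest),
        "corrupted/same-channel": verify_same_channel(corrupted),
        "compromised/same-channel": verify_same_channel(compromised),
        "honest/pinned": verify_pinned(honest, PINNED),
        "compromised/pinned": verify_pinned(compromised, PINNED),
    }

if __name__ == "__main__":
    for case, ok in outcomes().items():
        print(f"{case:26} {'accepted' if ok else 'REJECTED'}")
```

A detached GPG signature plays the role of `PINNED` here: the trust anchor is the public key held by the user, not anything served next to the download.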

Stats

Asked: 2014-11-08 20:05:03 +0300

Seen: 237 times

Last updated: Nov 09 '14