Add signing to SailfishOS SDK [answered]
When I download SailfishOS SDK I would like to download a gpg signature file, so that I can verify the integrity of the installation package.
MD5 checksums for the current installer packages are available here: https://sailfishos.org/wiki/FileInformation_SDK_1410 and https://sailfishos.org/wiki/FileInformation_SDK_1407. This information should be sufficient for verifying the integrity of the downloaded installer packages. Obviously by providing a digital signature file one could also verify the authenticity of the downloaded installer packages, but basically, as a secure connection is used, sailfishos.org itself would have to be compromised for the authenticity check to fail. So in my opinion GPG signature files wouldn't add that much more value to the already provided checksums.
Do you consider it impossible for sailfishos.org to be hacked into? :)
I would feel better if there would be a PGP signature included from an "official" Jolla/Sailfish key, created from a more secure internal machine during the release process. I'm in security and it would be somewhat embarrassing if something were to happen to my own laptop because of installing an unsigned binary, not to mention the mess created if my SDK-generated binaries would themselves spread malware to anyone using my compiled code.
Unless distributed out-of-band, a checksum is useless, as anybody who can modify the binary can also modify the provided checksum.
wvh ( 2015-11-08 15:35:07 +0300 )
Asked: 2014-11-08 20:05:03 +0300
Last updated: Nov 09 '14
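The verification step requested in the question, sketched as an added example (not code from this thread or from Jolla). It assumes a detached signature were published next to the installer and that the release key's fingerprint had been obtained out-of-band; the fingerprint, file arguments and function names are hypothetical placeholders.

```python
import subprocess

# Constructed placeholder: fingerprint of the vendor's release key, obtained
# out-of-band (not from the server that hosts the installer).
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# gpg status keywords that mean the signature must not be trusted.
REJECTED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def signature_ok(status_text, pinned_fpr):
    """Decide from `gpg --status-fd` output whether the pinned key signed the file.

    Accept only if a VALIDSIG line names the pinned fingerprint (as signing key
    or as its primary key) and no failure, expiry or revocation status appears.
    """
    matched = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        if fields[0] in REJECTED:
            return False
        if fields[0] == "VALIDSIG" and len(fields) >= 2:
            # fields[1] is the signing key fingerprint; the last field is the
            # primary key fingerprint when gpg reports one.
            if pinned_fpr.upper() in {fields[1].upper(), fields[-1].upper()}:
                matched = True
            else:
                return False  # cryptographically valid, but from an unexpected key
    return matched


def verify_detached(installer, signature, keyring, pinned_fpr=PINNED_FPR):
    """Run gpg against a keyring file (given as a path) holding only the release key."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", signature, installer],
        capture_output=True, text=True)
    return proc.returncode == 0 and signature_ok(proc.stdout, pinned_fpr)
```

Checking the fingerprint in the VALIDSIG line, rather than only gpg's exit code, is what ties the result to the pinned key instead of to whatever key happens to be in the keyring.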