Dear zenju,
Would you please cryptographically sign the download files (binaries and sources), for example with a PGP key, and provide the signature in an additional download file suffixed by any of these usual suffixes: asc, gpg, pgp, sig and sign?
For example:
https://freefilesync.org/download/FreeFileSync_11.23_Source.zip → https://freefilesync.org/download/FreeFileSync_11.23_Source.zip.asc
If not, maybe you could provide the checksums?
Thanks
Sign your releases
- Posts: 36
- Joined: 14 Aug 2022
- Posts: 959
- Joined: 8 May 2006
+1 "could provide the checksums?"
Though I'd think that to be problematic for the Donation versions (as they would be unique to a user).
(The .exe's (on Windows) are signed (for as far as that goes).)
- Site Admin
- Posts: 7085
- Joined: 9 Dec 2007
The FreeFileSync binaries are already signed on all platforms (Windows, Linux, macOS). The signature is checked at runtime. So if FreeFileSync starts you can be sure that the signature is valid. Otherwise you'd see an error message.
This only leaves the question: Can you trust the signature to really be authentic?
For Windows/macOS this is solved by code signing and the trust chains that transitively rely on root certificates of the OS.
And for Linux?
The binaries are signed by having the OpenSSL SHA256 digest appended to the file (the last 256 bytes). The corresponding public key is this:
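The layout described in the post above (file content followed by a 256-byte signature trailer) can be checked with the OpenSSL command line. This is an added example, not part of the original thread and not FreeFileSync's own code. It assumes the trailer is an RSA signature with SHA-256 and PKCS#1 v1.5 padding over every byte before it; the function names, file names and throwaway key are constructed for the demonstration.

```bash
# Verify a file whose last 256 bytes are an RSA-2048 signature over the rest.
# Assumption: SHA-256 with PKCS#1 v1.5 padding (the `openssl dgst` default),
# computed over every byte before the trailer. The thread does not spell this out.
SIG_LEN=256

# verify_trailing_sig FILE PUBKEY_PEM -> 0 if valid, 1 if invalid, 2 if unusable
verify_trailing_sig() {
    local file="$1" pubkey="$2" size tmp rc=0
    size=$(( $(wc -c < "$file") )) || return 2
    [ "$size" -gt "$SIG_LEN" ] || return 2        # too short to carry a trailer
    tmp=$(mktemp -d) || return 2
    head -c "$((size - SIG_LEN))" "$file" > "$tmp/body"   # signed content
    tail -c "$SIG_LEN" "$file" > "$tmp/sig"               # appended signature
    openssl dgst -sha256 -verify "$pubkey" -signature "$tmp/sig" "$tmp/body" \
        >/dev/null 2>&1 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# make_signed_sample DIR: constructed demo input (throwaway key, dummy payload)
make_signed_sample() {
    local d="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/priv.pem" 2>/dev/null
    openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"
    printf 'constructed payload, not a real FreeFileSync binary\n' > "$d/app.bin"
    openssl dgst -sha256 -sign "$d/priv.pem" -out "$d/app.sig" "$d/app.bin"
    cat "$d/app.bin" "$d/app.sig" > "$d/app.signed"
    # Same length, first byte changed: the trailer no longer matches the content.
    { printf 'X'; tail -c +2 "$d/app.signed"; } > "$d/app.tampered"
}

# Demo on constructed data
demo_dir=$(mktemp -d)
make_signed_sample "$demo_dir"
verify_trailing_sig "$demo_dir/app.signed" "$demo_dir/pub.pem" \
    && echo "intact copy: signature OK"
verify_trailing_sig "$demo_dir/app.tampered" "$demo_dir/pub.pem" \
    || echo "tampered copy: signature rejected"
rm -rf "$demo_dir"
```

To check a real download, save the public key the project publishes as a PEM file and pass it as the second argument; the result is only as trustworthy as the channel that key was obtained through.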
- Posts: 36
- Joined: 14 Aug 2022
I was mainly interested in the source file being signed, actually.
- Posts: 18
- Joined: 13 Mar 2021
+1
It would be nice to have the source signed.