Sign your releases

Posts: 35
Joined: 14 Aug 2022

daviank

Dear zenju,

Would you please cryptographically sign the download files (binaries and sources), for example with a PGP key, and provide the signature in an additional download file suffixed by any of these usual suffixes: asc, gpg, pgp, sig and sign?

For example:
https://freefilesync.org/download/FreeFileSync_11.23_Source.zip
https://freefilesync.org/download/FreeFileSync_11.23_Source.zip.asc

If not, maybe you could provide the checksums?

Thanks
Posts: 943
Joined: 8 May 2006

therube

could provide the checksums?
+1
Though I'd think that to be problematic for the Donation versions (as they would be unique to a user).


(The .exe's (on Windows) are signed (as far as that goes).)
Site Admin
Posts: 7049
Joined: 9 Dec 2007

Zenju

The FreeFileSync binaries are already signed on all platforms (Windows, Linux, macOS). The signature is checked at runtime. So if FreeFileSync starts, you can be sure that the signature is valid. Otherwise you'd see an error message.

This only leaves the question: Can you trust the signature to really be authentic?

For Windows/macOS this is solved by code signing and the trust chains that transitively rely on root certificates of the OS.

And for Linux?

The binaries are signed by having the OpenSSL SHA256 digest appended to the file (the last 256 bytes). The corresponding public key is this:
-----BEGIN PUBLIC KEY-----
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA1Oq/zre0HLevxfYLzoUj
mS1qL1Qemc6HoIqP9JmyGdk5uaiFtSSKOaWhFCVnzwiYe+BA4YXL1NIGI8mxMEek
V+HksO2rbOiAlvV35tPwWwgLNTMfE0QLnzGILS0T0yHM1My60r9Ca89CvprYdrAy
QWpV8ao1xV4OuWveAD8xxxtZlGtmOPREeWaH6UCgnoX6SJPXK/0uv0t2o+d9V/mC
xnr5XxLU8mrw4RiDn2SQoSEDzopXtO79SUo/PYxZvRewHEIT940JLMud1fkDMZ29
bkhkFrYNW1wAwZKBc5L1oeiuF8T/d9b5vIKiaZNlFTQTQ8pEMMdnR4+tze5SbqZz
0wIBEQ==
-----END PUBLIC KEY-----
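The post above describes the Linux check only in one sentence, so here is an added example of what verifying such an appended signature looks like from the outside, written as a POSIX shell script around the openssl CLI. This is not FreeFileSync's own code and it rests on assumptions: that the trailing 256 bytes are an RSA signature over the rest of the file (256 bytes is the length a 2048-bit RSA key produces), that it was made with `openssl dgst -sha256 -sign` (PKCS#1 v1.5 padding), and that the PEM block from the post has been saved as `ffs_pub.pem`. The script also carries a round-trip demo with a throwaway key pair and a constructed payload, so it runs offline and shows a tampered file being rejected. A check like this confirms the file matches the key; it does not by itself tell you the key is authentic, which is the question the post raises.

```shell
#!/bin/sh
# Added example, not FreeFileSync project code. Assumed layout: the last
# SIG_LEN bytes of the release file are an RSA/SHA-256 signature (PKCS#1
# v1.5, as `openssl dgst -sha256 -sign` produces) over everything before them.
SIG_LEN=256

# verify_appended_signature FILE PUBKEY.pem
# Splits FILE into payload + trailing signature and checks the payload
# against the public key. Returns 0 if the signature verifies, 1 otherwise.
verify_appended_signature() {
    file="$1"; pubkey="$2"
    size=$(( $(wc -c < "$file") ))          # normalise wc output to a plain integer
    if [ "$size" -le "$SIG_LEN" ]; then
        echo "file too small to carry a $SIG_LEN-byte signature" >&2
        return 1
    fi
    payload_len=$((size - SIG_LEN))
    tmp=$(mktemp -d) || return 1
    head -c "$payload_len" "$file" > "$tmp/payload"   # everything but the tail
    tail -c "$SIG_LEN" "$file" > "$tmp/sig"           # the appended signature
    if openssl dgst -sha256 -verify "$pubkey" -signature "$tmp/sig" \
            "$tmp/payload" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 0
    fi
    rm -rf "$tmp"; return 1
}

# demo_roundtrip DIR
# Builds a throwaway 2048-bit key pair and a constructed payload, appends a
# signature in the assumed layout, and writes two files into DIR:
#   signed.bin   - intact payload + signature (should verify)
#   tampered.bin - first byte of the payload changed (should be rejected)
# Returns 0 when the verifier accepts the first and rejects the second.
demo_roundtrip() {
    dir="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/priv.pem" 2>/dev/null
    openssl pkey -in "$dir/priv.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
    # Constructed sample standing in for a release archive.
    printf 'constructed sample payload standing in for FreeFileSync_Linux.tar.gz\n' \
        > "$dir/payload"
    openssl dgst -sha256 -sign "$dir/priv.pem" -out "$dir/sig" "$dir/payload"
    cat "$dir/payload" "$dir/sig" > "$dir/signed.bin"
    # Tampered copy: replace the first payload byte, keep the original signature.
    { printf 'X'; tail -c +2 "$dir/payload"; cat "$dir/sig"; } > "$dir/tampered.bin"

    verify_appended_signature "$dir/signed.bin" "$dir/pub.pem" || return 1
    if verify_appended_signature "$dir/tampered.bin" "$dir/pub.pem"; then
        return 1   # a modified payload must not verify
    fi
    return 0
}

# Usage: sh verify_ffs.sh <release file> ffs_pub.pem
#        sh verify_ffs.sh --demo
case "${1:-}" in
    --demo)
        d=$(mktemp -d)
        if demo_roundtrip "$d"; then echo "demo ok"; else echo "demo FAILED" >&2; fi
        rm -rf "$d" ;;
    "") ;;   # no arguments: only define the functions
    *)
        if verify_appended_signature "$1" "$2"; then
            echo "signature OK"
        else
            echo "signature INVALID" >&2; exit 1
        fi ;;
esac
```

The split is done with `head -c` / `tail -c` rather than by trusting any length field inside the file, so a file that is too short is refused before openssl runs; the demo's tampered copy keeps the genuine signature, which is the case a verifier has to reject.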
Posts: 35
Joined: 14 Aug 2022

daviank

I was mainly interested in the source file being signed, actually.
Posts: 18
Joined: 13 Mar 2021

xtradeb

+1
It would be nice to have the source signed.