GPG Sign the binary releases

[gitbugged]

There is currently no way to verify that the released binary packages are in fact released by the developer. One way to do this is to sign the packages with GNUPG/PGP. There is an automated script to do this for github users, here: https://github.com/NicoHood/gpgit

Doing so helps prevent MITM attacks/malware from spreading. Thank you.

Agreed. Please can you do this @PeterSurda ?

[PeterSurda]

Actually I do GPG sign the binary executables. There are at the moment no binary executables for 0.6.3, 0.6.3.1 and 0.6.3.2 so there is nothing to sign.

Since 0.6.2 I also obtained a code signing certificate that is recognised by both Windows and OSX. I haven't figured out how to sign OSX binaries though yet.

[gitbugged]

@PeterSurda thanks for signing! I was able to get the .asc files for the binaries for v0.6.3.2 from the releases page. I was kind of confused, because the website is currently still serving up the vulnerable version without the sig. I would have helped fix that issue myself but there appears to be no way to register on the wiki to change the links around.

https://www.bitmessage.org/wiki/Main_Page

[PeterSurda]

The bitmessage.org website links to 0.6.1, which isn't vulnerable. Maybe it should be bumped to 0.6.3.2 though. And the signatures are available on the github release page. The wiki registrations were disabled due to spam and noone had the time to fix it properly yet.

[PeterSurda]

I'm not sure if there is or was anything to do, maybe there was some confusion. If you don't want me to close this, please elaborate.

[gitbugged]

It can be closed, I would just recommend putting the signature on the wiki page as it's the first thing people see. Helps people find it easier.

Adjusted wiki code:

[[File:windows_icon.png|link=https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1.exe]] [https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1.exe Download for Windows (32bit)][https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1.exe.asc (sig)] [https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1_64.exe (64bit)][https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/Bitmessage-0.6.1_64.exe.asc (sig)]

[[File:apple_icon.png|link=https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/bitmessage-v0.6.1.dmg]] [https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/bitmessage-v0.6.1.dmg Download for OS X][https://github.com/Bitmessage/PyBitmessage/releases/download/v0.6.1/bitmessage-v0.6.1.dmg.asc (sig)]

[gitbugged]

Also if it's not too much to ask, the source (.tar.gz) file is unsigned. This would need to be signed as well for Arch Linux to include a sig check in the PKGBUILD.

[PeterSurda]

@Jeroentetje3 I'm having some mail issues on one server, peter@bitmessage.at is probably the best way to reach me.