
I have a binary file and saved it on the GitHub release page. https://github.com/zono/bolt8/releases

To allow users to verify it, I saved the sha256sum and a signature (.asc).

However, I have a concern that if my GitHub account is hacked somehow, the sha256sum, the signature and my keybase.io account link (https://keybase.io/zono) could be replaced. As a result, users can't notice the fake binary.

Are there any solutions for that? What kinds of approaches are used in OSS projects?

* sign and sha256sum (on mac)

$ gpg -ba bolt8-node10-macos-x64          # -b: detached signature, -a: ASCII armor -> writes bolt8-node10-macos-x64.asc
$ shasum -a 256 bolt8-node10-macos-x64    # prints "<sha256 hex>  bolt8-node10-macos-x64"
# save .asc and the checksum into github

* verify (on linux)

$ sha256sum bolt8-node10-macos-x64                               # compare against the published checksum
$ curl -fsSL https://keybase.io/zono/pgp_keys.asc | gpg --import  # -f: fail on HTTP errors instead of piping an error page into gpg
$ gpg --verify bolt8-node10-macos-x64.asc bolt8-node10-macos-x64
gpg: Signature made Mon 17 Jun 2019 09:59:55 PM JST using RSA key ID 6530E807
gpg: Good signature from "xxxxx"
zono
  • So in your threat model, you assume that an attacker gains access to both your GitHub and your Keybase account without you noticing? –  Jun 18 '19 at 04:47
  • Hi. Only stealing my GitHub account without me noticing. I don't consider Keybase in this question. My Keybase link is at the top of my GitHub account. I think users refer to that. The hacker can change the link. – zono Jun 18 '19 at 04:52
  • A hacker that would create their own Keybase account would need to create a new proof-of-ownership, which includes the timestamp. As such, it would at least be detectable that it changed recently. –  Jun 18 '19 at 04:58
  • I'm on mobile, so I can't write a fully fledged answer, but in general I would not worry, if you use a strong passphrase with a password manager and some second factor to authenticate. And most users don't bother verifying checksums or GPG keys. They just assume that the binary they downloaded is trustworthy. –  Jun 18 '19 at 05:00
  • Thanks for your answer. I understand how important detecting the hack is. I'll check GitHub's security settings again. – zono Jun 18 '19 at 05:24
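The weakness the comments circle around is that the verification steps in the question let a key swap go unnoticed: if the attacker replaces the binary, the checksum, the .asc and the Keybase link on the profile, the user imports the attacker's key and still sees "Good signature". The usual answer in OSS projects is to pin the signer's full 40-hex fingerprint obtained out of band (a KEYS file in the repository history, a page on a domain you control, a previous release signed by the same key) and to compare against that rather than against whatever the release page links to; the 8-hex key ID in the gpg output is also too short to pin, since short IDs are trivially collided. The following Python is an added example, not code from the question or the bolt8 project: the publisher side writes a sha256sum-format checksum file, and the verifier side checks every listed file and accepts a gpg verification only when the primary-key fingerprint in gpg's `--status-fd` VALIDSIG line matches a pinned fingerprint. The file bytes, fingerprints, uid string and status lines are constructed for the demo; only the line formats (sha256sum's `<hex>  <name>` and gpg's `[GNUPG:] ...` status lines) are the real ones.

```python
"""Release-verification helpers: a sha256sum-format checksum file plus
pinning of the signer's fingerprint from gpg's machine-readable output.

Added example, not code from the question or the bolt8 project. File
contents, fingerprints and gpg status lines below are constructed; the
line formats (sha256sum's "<hex>  <name>", gpg's "[GNUPG:] ..." status-fd
lines) are the real ones.
"""
import hashlib
import re

# Fingerprints the verifier trusts. These must come from somewhere the
# release page cannot change (KEYS file in repo history, a page on a domain
# you control, the previous release). Constructed placeholder, not a real key.
PINNED_PRIMARY_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sha256sums(files: dict) -> str:
    """Publisher side: emit '<hex>  <name>' lines, the format written by
    `shasum -a 256` / `sha256sum` and read back by `sha256sum -c`."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items()))


_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})[ \t]+\*?(\S.*)$")


def parse_sha256sums(text: str) -> dict:
    """Verifier side: map file name -> expected hex digest.
    Rejects malformed lines instead of silently skipping them."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = _SUMS_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed checksum line {lineno}: {line!r}")
        expected[match.group(2)] = match.group(1).lower()
    return expected


def verify_sha256sums(sums_text: str, files: dict) -> dict:
    """Return name -> bool for every entry listed in the checksum file.
    A listed file that was not downloaded counts as a failure."""
    expected = parse_sha256sums(sums_text)
    return {name: name in files and sha256_hex(files[name]) == digest
            for name, digest in expected.items()}


def signer_is_pinned(status_output: str, pinned=None) -> bool:
    """Inspect the output of `gpg --status-fd 1 --verify FILE.asc FILE`.

    Accept only when a VALIDSIG line is present and its last field, the
    primary-key fingerprint (40 hex), is in `pinned`. GOODSIG alone is not
    enough: it carries only a key ID and is printed for ANY key in the
    keyring, including one an attacker talked the user into importing.
    Field layout (gpg doc/DETAILS): VALIDSIG <sig-key-fpr> <date> <sig-ts>
    <expire-ts> <ver> <reserved> <pk-algo> <hash-algo> <class> [<primary-fpr>]."""
    pinned = PINNED_PRIMARY_FINGERPRINTS if pinned is None else pinned
    pinned = {f.replace(" ", "").upper() for f in pinned}
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False
        if parts[1] == "VALIDSIG" and len(parts) >= 12:
            return parts[-1].upper() in pinned
    return False  # no VALIDSIG at all: nothing was verified


def verify_release(files: dict, sums_text: str, status_output: str) -> bool:
    """Both checks must pass: signature from a pinned key AND every listed
    checksum matches. A checksum alone proves nothing when the attacker who
    swapped the binary can rewrite the checksum file on the same page."""
    return signer_is_pinned(status_output) and all(verify_sha256sums(sums_text, files).values())


# --- constructed demo data -------------------------------------------------
RELEASE = {"bolt8-node10-macos-x64": b"\x7fELF-ish placeholder bytes for the demo\n"}
TAMPERED = {"bolt8-node10-macos-x64": b"\x7fELF-ish placeholder bytes, backdoored\n"}
SUMS = make_sha256sums(RELEASE)

# gpg status lines for a signature by the pinned key (signing subkey
# 89AB..CDEF, primary 0123..4567). Constructed; timestamp is the one in the question.
STATUS_PINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF xxxxx <xxxxx@example.com>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2019-06-17 1560776395 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same uid, same "Good signature" in the human-readable output, but a key the
# attacker generated and linked from the hijacked profile.
STATUS_ROGUE = STATUS_PINNED.replace(
    "0123456789ABCDEF0123456789ABCDEF01234567", "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
).replace("GOODSIG 0123456789ABCDEF", "GOODSIG FEDCBA9876543210")

if __name__ == "__main__":
    print("genuine release:", verify_release(RELEASE, SUMS, STATUS_PINNED))   # True
    print("rogue key:      ", verify_release(RELEASE, SUMS, STATUS_ROGUE))    # False
    print("tampered binary:", verify_release(TAMPERED, SUMS, STATUS_PINNED))  # False
```

In practice the verifier runs `gpg --status-fd 1 --verify` and feeds its stdout to `signer_is_pinned`; the fingerprint to pin is what `gpg --fingerprint` prints for the primary key, and it should be distributed somewhere an attacker with only the GitHub account cannot edit.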
