Make the Nitrokey app more secure (sig binary, provide checksums+GPG) #110

Closed
beerisgood opened this issue Jul 17, 2016 · 19 comments

@beerisgood

beerisgood commented Jul 17, 2016

The apps from https://www.nitrokey.com/download go over HTTPS, which is good! But:
We can't verify the apps (I only checked Windows).

The exe isn't signed; it even gives me the window and asks if I really want to start this app because it comes from another PC. Not really secure!
And not only this. We can't verify the file is really from you, because there are no checksums (please add SHA512!) and no GPG file.

Please fix this

@beerisgood
Author

Push

See also #136

@szszszsz
Member

szszszsz commented Oct 4, 2016

Hi! This is on our to-do list and will be done as soon as possible. Please feel free to 'bump/push' in case this appears forgotten.

@davesteele

In addition, a signature of the source tar file would be automatically checked by the deb update process.

@sedrubal

sedrubal commented Nov 9, 2016

And it would be nice if you'd sign your commits: https://mikegerwitz.com/papers/git-horror-story

@beerisgood
Author

push

@beerisgood
Author

C'mon guys, this issue is now 6 months old without any change.
I think Nitrokey stands for security? If I see this, then I don't think so.

@sedrubal

sedrubal commented Jan 11, 2017

Thanks @szszszsz for signing (at least most of) your commits now 😉 👍

@beerisgood
Author

another month...
bump

@szszszsz szszszsz modified the milestone: 1.0 Apr 7, 2017

@beerisgood
Author

I see you pinned that to milestone 1.0.
Hope you get that finished soon.

@beerisgood
Author

80% complete
Do you know how long it takes to finish it?

@szszszsz
Member

szszszsz commented May 15, 2017

Hi!
A signed binary for Nitrokey App v1.0 is available on the release page. An issue was reported, though, regarding device detection on some Windows boxes. A fix will be released today for this.
Regarding your first comment, @beerisgood, the Windows SmartScreen will still show up until the binary gets enough 'reputation' in the cloud. However, this time Nitrokey should show up on the screen instead of Unknown publisher. In the binary's properties (in a separate tab) one can check the signing status - I have tested that it will be invalid on file modification. Would you like to have sha512 signed by GPG nevertheless?

@szszszsz
Member

@sedrubal The other unsigned commits from that time came from using the automatic merging offered by GitHub. I have changed the workflow to merge the changes locally, thus no unsigned commits should be present from my side.

@szszszsz
Member

@davesteele I am not sure I understand when the GPG signature will be validated, but I hope to investigate this further. Do you have more materials explaining this?

@davesteele

davesteele commented May 15, 2017

Debian packaging includes a 'watch' file, which provides a set of rules for finding and parsing upstream source tars. The uscan(1) utility parses that file to download the source tar, or to determine the most recent version.

uscan/watch can support finding and verifying a signature during the download process. For a project on GitHub, the easiest way for you to support this is to add the signature file to the set of files in a 'release'. It helps if the path to the signature is <tgz url>.asc.

Here is a succinct summary.

@beerisgood
Author

@szszszsz to validate a GPG you need other guys who validate it, upload that with their own key to the server, and then you will see that under your key.
I validate your GPG sig with my own GPG sig:
Key ID: 97F9E213620F071D

I also miss a nitrokey-app-v1.1.exe.asc GPG file to verify the binary, as well as checksums for the binary

@szszszsz
Member

@beerisgood Indeed! Thank you for signing the key. Shouldn't you send it to me for import and publishing, though?

As for .asc and checksums - these seem redundant in the presence of the code-signing certificate, but in case someone wants to validate using other tools I have uploaded them too into the release files.
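
How a downloader might check release files published this way, using the `<file>.asc` naming that both davesteele's comment and the requested `nitrokey-app-v1.1.exe.asc` follow. This is an added example, not part of the thread or the project's code; the function names, the `sha512sum`-format checksum list, and `RELEASE_FPR` (a placeholder for the vendor key fingerprint, obtained out of band) are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded release file against a published
# SHA-512 list and a detached GPG signature stored next to it as FILE.asc.

# Placeholder: full 40-hex-digit fingerprint (uppercase, no spaces) of the
# vendor's release key. Replace it with a value obtained out of band.
RELEASE_FPR="${RELEASE_FPR:-0000000000000000000000000000000000000000}"

# verify_sha512 FILE SUMS
# Returns 0 on match, 1 on mismatch, 2 if FILE is not listed (fail closed).
# SUMS uses sha512sum format: "<hex>  name" or "<hex> *name"; names with
# spaces are not handled here.
verify_sha512() {
    name=$(basename "$1")
    # Accept upper-case digests, as some Windows tools print them.
    expected=$(awk -v f="$name" \
        '{ n = $2; sub(/^\*/, "", n) } n == f { print $1; exit }' "$2" |
        tr 'A-F' 'a-f')
    if [ -z "$expected" ]; then
        echo "no SHA-512 entry for $name" >&2
        return 2
    fi
    actual=$(sha512sum "$1" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || {
        echo "SHA-512 mismatch for $name" >&2
        return 1
    }
}

# verify_signature FILE
# gpg --verify exits 0 for a good signature from ANY key in the keyring,
# so also require that the VALIDSIG status line names RELEASE_FPR, either
# as the signing key or as its primary key (last field).
verify_signature() {
    status=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) ||
        return 1
    printf '%s\n' "$status" | awk -v fpr="$RELEASE_FPR" '
        $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !ok }'
}

# verify_release FILE SUMS: both checks must pass.
verify_release() {
    verify_signature "$1" && verify_sha512 "$1" "$2"
}
```

A checksum fetched from the same server as the binary only detects corruption; the pinned-fingerprint signature check is what ties the file to the publisher.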

@szszszsz
Member

@davesteele I will move that to a separate issue for easier tracking.

@szszszsz
Member

Initial issue fixed, closing.

@beerisgood
Author

@szszszsz: Why should I upload my key? I upload it to the GPG server.
Anyone can download the public key.
