[bisq-network/bisq] Execution of unverified file is required to verify installation file on Windows (#3083)

Dave Scotese notifications at github.com
Tue Aug 13 23:54:59 UTC 2019

On the download page, there is a list of items seemingly to be downloaded.  One of them is "PGP Signatures" which suggests that computing the checksum of a downloaded file will produce output that can be found in a file available by choosing the "PGP Signatures" option (assuming that the signer's PGP key - also available in the download list - has already been imported).

Using the "PGP Signatures" item in that list of seemingly downloadable items does NOT download a file containing checksums and a signature, but rather, it sends the user to the page at https://github.com/bisq-network/bisq/releases/tag/v1.1.5, which would be okay if that page had the checksums (and a signature of them - or the signer's signature of the downloadable files), but it doesn't.

Under "Verification" it says `gpg --digest-algo SHA256 --verify BINARY{.asc*,}` will do the verification (assuming you "Replace BINARY with the file you downloaded (e.g. Bisq-1.1.5.dmg)" but this only works if you have also downloaded the appropriate .asc file.

It seems like maybe the idea is that after you run the Windows .exe file, you will have that .asc file, or perhaps you'll have the `the Bisq-1.1.5.jar.txt file` that has the output that should match what `shasum -a256 [PATH TO BISQ APP]/Bisq.app/Contents/Java/Bisq-1.1.5.jar` returns.  But, as I said, we don't have the jar file or the .txt file yet, and they don't appear to be available from the downloads page.

If we __do not__ need to run the .exe to get these files, then how we should get them should be explained under the Verification section.  If we do need to run it, then the security model is broken because we need to run an as-yet-unverified program.

I'm sure there is something I am missing, but I report this as _at least_ a documentation bug, if not a serious security issue.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bisq.network/pipermail/bisq-github/attachments/20190813/57fe6602/attachment.html>

More information about the bisq-github mailing list