Skip to content

Request: Please cryptographically sign all releases (PGP)

Description

Currently it is not possible to verify the authenticity or cryptographic integrity of the downloads from gitlab.iode.tech because the releases are not cryptographically signed.

This makes it hard for iodéOS customers to safely obtain the iodéOS software.

Steps to Reproduce

  1. Go to the iodéOS website iode[.]tech
  2. Click “iodéOS” in the navigation bar iode[.]tech/iodeos/
  3. Click “Install iodéOS for free” iode[.]tech/installation/
  4. Click “alternative way of installing iodéOS here” gitlab.iode[.]tech/ota/ota
  5. Click on your device (eg Pixel 8) gitlab.iode[.]tech/ota/release/-/tree/master/shiba
  6. Look for the release signature
  7. ???

Expected behavior: [What you expected to happen]

A few things are expected:

  1. I should be able to download the iodéOS release-signing PGP key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
  2. I should be able to download a cryptographic signature of the release (or, better, the releases’ digest file, such as a SHA256SUMS.asc file) along with the release itself
  3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior: [What actually happened]

There’s just literally no information on verifying downloads, and it appears that it is not possible to do so.

Forum thread: https://community.iode.tech/t/request-please-cryptographically-sign-all-releases-pgp/6707