Please review the draft for May's report
Daniel Shahaf
d.s at daniel.shahaf.name
Wed Jun 10 14:10:45 UTC 2020
Bernhard M. Wiedemann wrote on Tue, 09 Jun 2020 12:31 +0200:
> Am 08.06.20 um 07:52 schrieb Daniel Shahaf:
> > Besides, there was no question, no concrete request, no clickable
> > URL…
>
> https://walletscrutiny.com/ was mentioned, though.
So was the word "clickable". People are less likely to open URLs that
aren't clickable.
> How would the app-update workflow work in a perfect world, where we do
> not have to trust the app builder?
>
> Maybe like this:
> 1. developer pushes a signed git tag to the official repo
>
> 2. multiple independent builders build binaries and sign some
> "buildinfo" about source+binary hashes, publish it to some
> buildinfo-collection place.
>
> 3. after N trusted rebuilders agreed on what the correct binary should
> be, the app-store (e.g. F-Droid) publishes the binary for all users
>
> 3b. in theory, this could use anonymous uploads, where anyone can
> upload a binary to server.domain.tld/public/HASH as long as the HASH
> of the upload is the correct one.
>
Accepting anonymous uploads increases the attack surface (e.g., if
someone has a second preimage attack against the hash). I'd recommend
at least having the upload signed by a non-Web-of-Trust key and using key
pinning to verify future uploads.
> 4. F-Droid client pulls new app version and signed buildinfo files and
> checks if F-Droid server did the right thing
Cheers,
Daniel
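The four-step workflow quoted above, together with the second-preimage caveat and the key-pinning suggestion in the reply, worked through as an added example. This code is not from the thread, from F-Droid or from the Reproducible Builds project; it assumes Ed25519 for all signatures, SHA-256 for all hashes, an invented two-line buildinfo layout (source hash, binary hash), and a constructed package name org.example.wallet in the usage below. Step 1 (the developer's signed git tag) is represented only by the source hash that every attestation must name. It goes slightly beyond the quoted sketch: one rebuilder key counts once however many buildinfo files it signs, and two binaries both reaching the threshold N is an error rather than a coin toss.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// BuildInfo is what a rebuilder signs: hashes of the source it built and the binary it
// produced. The layout is an assumption of this example; the thread fixes no format.
type BuildInfo struct{ SourceHash, BinaryHash string }

func (b BuildInfo) bytes() []byte { return []byte(b.SourceHash + "\n" + b.BinaryHash + "\n") }

// Attestation is one rebuilder's signed buildinfo (step 2).
type Attestation struct {
	Info    BuildInfo
	Builder ed25519.PublicKey
	Sig     []byte
}

func sha256hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// NewKey makes a fresh Ed25519 key pair for a builder or uploader.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Attest is step 2: an independent rebuilder signs the source and binary hashes.
func Attest(priv ed25519.PrivateKey, source, binary []byte) Attestation {
	info := BuildInfo{sha256hex(source), sha256hex(binary)}
	return Attestation{info, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, info.bytes())}
}

// Consensus is step 3: the binary hash that at least n distinct pinned rebuilders attested for
// sourceHash. Unpinned keys, other sources, bad signatures and repeat votes from one key are ignored.
func Consensus(atts []Attestation, pinned []ed25519.PublicKey, sourceHash string, n int) (string, error) {
	votes := map[string]map[string]bool{} // binary hash -> set of builder keys
	for _, a := range atts {
		if !isPinned(a.Builder, pinned) || a.Info.SourceHash != sourceHash ||
			!ed25519.Verify(a.Builder, a.Info.bytes(), a.Sig) {
			continue
		}
		if votes[a.Info.BinaryHash] == nil {
			votes[a.Info.BinaryHash] = map[string]bool{}
		}
		votes[a.Info.BinaryHash][string(a.Builder)] = true
	}
	var winners []string
	for h, builders := range votes {
		if len(builders) >= n {
			winners = append(winners, h)
		}
	}
	if len(winners) != 1 {
		return "", fmt.Errorf("%d binaries reached %d pinned attestations, need exactly 1", len(winners), n)
	}
	return winners[0], nil
}

func isPinned(k ed25519.PublicKey, pinned []ed25519.PublicKey) bool {
	for _, p := range pinned {
		if k.Equal(p) {
			return true
		}
	}
	return false
}

// ClientVerify is step 4: the client re-derives the consensus with its own pinned keys and
// checks the downloaded bytes against it, so a server that published the wrong binary is caught.
func ClientVerify(binary []byte, atts []Attestation, pinned []ed25519.PublicKey, sourceHash string, n int) error {
	want, err := Consensus(atts, pinned, sourceHash, n)
	if err == nil && sha256hex(binary) != want {
		err = fmt.Errorf("downloaded binary does not match the hash %d pinned rebuilders attested", n)
	}
	return err
}

// UploadStore models step 3b with the reply's caveat: an upload to /public/HASH must hash to HASH,
// and the first uploader's key for a package is pinned, so later uploads for that package must
// carry its signature. A second preimage alone then no longer lets a stranger swap the blob.
type UploadStore map[string]ed25519.PublicKey // package name -> pinned uploader key

func (s UploadStore) Upload(pkg, hash string, blob []byte, uploader ed25519.PublicKey, sig []byte) error {
	if sha256hex(blob) != hash || !ed25519.Verify(uploader, blob, sig) {
		return fmt.Errorf("upload for %s rejected: hash or signature mismatch", pkg)
	}
	if prev, ok := s[pkg]; ok && !prev.Equal(uploader) {
		return fmt.Errorf("upload for %s rejected: not signed by the pinned uploader key", pkg)
	}
	s[pkg] = uploader
	return nil
}
```

The client and the app store call the same Consensus with their own pinned key lists, which is what makes step 4 a real check rather than a repeat of the server's decision. The pin in UploadStore is per package and is set on the first accepted upload, so it protects every later version; the hash check alone protects only against uploads that do not match the path, which is exactly the case a second-preimage attacker can get around.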