I checked on the GitHub, and looked around elsewhere. I can’t seem to find either the sha256sum, or the PGP key used to sign the release. Are those located anywhere?
Ok, so it’s signed by the generic GitHub signing key. Do you know where I can find the asc file for that so I can verify what I downloaded is the same file?
Asked GitHub about this. They informed me the project maintainer typically signs their code releases with their key, and they do not have the asc file available for confirming I downloaded a legitimate file.
Seems like the releases are not PGP signed and sha256sums are not provided on the GitHub release page: Releases · novasamatech/parity-signer · GitHub
The authors should add .signature files to the github releases
@Harveybirdman you can clone the repo and check if the authors have signed their commits:
```
$ git clone git@github.com:novasamatech/parity-signer.git
$ git log -n 1
commit 0c64197f5acedc7c93da3c59ae32d39fbd40be55 (HEAD -> master, origin/master, origin/HEAD)
Author: Dmitry Borodin <11879032+Dmitry-Borodin@users.noreply.github.com>
Date:   Mon May 6 23:56:15 2024 -0500

    chore: update code owners (#2389)

    Co-authored-by: Krzysztof Rodak <krzysztof@parity.io>

$ git verify-commit -v 0c64197f5acedc7c93da3c59ae32d39fbd40be55
tree a5f1141d5f336766a9a2e69df61bb1ae62b6b8a1
parent c1c573ae46c2588e88fec0c304f35f9d8db57c33
author Dmitry Borodin <11879032+Dmitry-Borodin@users.noreply.github.com> 1715057775 -0500
committer GitHub <noreply@github.com> 1715057775 +0200

chore: update code owners (#2389)
gpg: Signature made Tue 07 May 2024 06:56:15 AM CEST
gpg:                using RSA key B5690EEEBB952194
gpg: Can't check signature: No public key

Co-authored-by: Krzysztof Rodak <krzysztof@parity.io>
```
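The verification the thread is asking for, as an added example that is not from the thread or from the parity-signer project: a maintainer publishes a SHA256SUMS file plus a detached PGP signature over it, and the downloader checks the signature against a key whose fingerprint was pinned from an independent source, then checks the artifact against the checksums. The key, artifact and signature are all generated inside the script (constructed, throwaway, under `example.invalid`) so that it runs offline with only gpg and GNU sha256sum; for a real release you would import the maintainer's published key instead and compare its fingerprint with one obtained out of band. The first verification deliberately runs against an empty keyring, which reproduces the `Can't check signature: No public key` result shown above; importing the key fixes it, and the last step shows a modified artifact being rejected even though the signature over SHA256SUMS is still good.

```shell
#!/bin/sh
# Added example (not from the thread or the parity-signer project): what verifying a
# release looks like when the maintainer publishes SHA256SUMS plus a detached PGP
# signature, and why gpg says "Can't check signature: No public key" until the
# signer's key is imported. Key, artifact and signature are generated on the spot
# (constructed, throwaway) so the script runs offline; for a real release, import the
# maintainer's published key and pin its fingerprint from an out-of-band source.
# Needs gpg and sha256sum (GNU coreutils).
set -u

WORK="$(mktemp -d)"
SIGNER="$WORK/signer-gnupg"      # stands in for the maintainer's keyring
VERIFIER="$WORK/verifier-gnupg"  # stands in for the downloader's (initially empty) keyring
mkdir -m 700 "$SIGNER" "$VERIFIER"

# Maintainer side: throwaway signing key, a stand-in artifact, checksums, detached signature.
make_release() {
    gpg --homedir "$SIGNER" --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Example Maintainer
Name-Email: maintainer@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --homedir "$SIGNER" --batch --armor --export maintainer@example.invalid \
        > "$WORK/maintainer-pubkey.asc"
    printf 'constructed stand-in for a release binary\n' > "$WORK/signer-release.bin"
    ( cd "$WORK" && sha256sum signer-release.bin > SHA256SUMS )
    gpg --homedir "$SIGNER" --batch --quiet --armor --detach-sign \
        --output "$WORK/SHA256SUMS.asc" "$WORK/SHA256SUMS"
}

# The fingerprint the downloader pins. Here it is read from the signer's keyring; in
# practice it comes from project docs or another channel independent of the download.
signer_fingerprint() {
    gpg --homedir "$SIGNER" --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '/^fpr:/ { print $10; exit }'
}

# Downloader side. Returns 0 = good, 2 = signature not verifiable (missing key, wrong
# key, or tampered SHA256SUMS), 3 = signature fine but an artifact does not match.
# The signature is checked first and against the pinned fingerprint (VALIDSIG status
# line), so a "Good signature" from some other imported key does not count.
verify_release() {
    expected_fpr="$1"
    gpg --homedir "$VERIFIER" --batch --status-fd 1 --verify \
        "$WORK/SHA256SUMS.asc" "$WORK/SHA256SUMS" 2>"$WORK/verify.log" \
        | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr " || return 2
    ( cd "$WORK" && sha256sum --check --status SHA256SUMS ) || return 3
    return 0
}

import_signer_key() {
    gpg --homedir "$VERIFIER" --batch --quiet --import "$WORK/maintainer-pubkey.asc" 2>/dev/null
}

cleanup() {
    for h in "$SIGNER" "$VERIFIER"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$WORK"
}

STEP1=0; STEP2=0; STEP3=0
if command -v gpg >/dev/null 2>&1 && command -v sha256sum >/dev/null 2>&1; then
    make_release
    FPR="$(signer_fingerprint)"

    verify_release "$FPR" || STEP1=$?      # 2: the "No public key" situation from the thread
    grep -E 'No public key|Good signature|BAD signature' "$WORK/verify.log" || true

    import_signer_key
    verify_release "$FPR" || STEP2=$?      # 0: key known, signature good, checksums match
    grep -E 'No public key|Good signature|BAD signature' "$WORK/verify.log" || true

    printf 'tampered\n' >> "$WORK/signer-release.bin"
    verify_release "$FPR" || STEP3=$?      # 3: signature still good, artifact no longer matches
    echo "results: before import=$STEP1 after import=$STEP2 tampered=$STEP3"
    cleanup
else
    echo "gpg and sha256sum are required to run this example" >&2
fi
```

Two things to keep in mind when applying this to the commit shown above. `git verify-commit` only tells you something once the signing key is in your keyring and its fingerprint is the one you expect; and that commit's `committer` line is `GitHub <noreply@github.com>`, so it was produced by GitHub's merge flow and its signature attests that GitHub created the commit, not that the author signed the change. Checking the signature before the checksums is not cosmetic either: a tampered SHA256SUMS file would otherwise match tampered binaries perfectly.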
Yeah, I’ll be doing that. It would just be ideal if we had signatures to double check. Probably only matters for extreme edge cases considering the wallet is meant to be air-gapped. Something like someone stealing data from air-gapped devices using electromagnetic waves, or if the code itself is compromised to redirect transactions.