Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document PGP release signature usage on getsession.org/download #3078

Closed
1 task done
maltfield opened this issue Apr 13, 2024 · 6 comments
Closed
1 task done

Document PGP release signature usage on getsession.org/download #3078

maltfield opened this issue Apr 13, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@maltfield
Copy link

maltfield commented Apr 13, 2024
edited
Loading

Is there an existing request for feature?

  • I have searched the existing issues

What feature would you like?

Document how to cryptographically verify downloads on the getsession.org download page

Expected behaviour

When I go to download the Session desktop client, I should also see instructions on how to verify the authenticity of the file after download and before install. Or, at least, a link to the document that describes this.

Actual behaviour

I see no mention about cryptographic authenticity verification on the download page

Steps to reproduce

  1. Go to https://getsession.org/download
  2. Click "Linux" (or whatever platform I'm on)
  3. See the AppImage is downloading
  4. Look around on page for the word "verify" or "PGP" or "GPG" or "signature"
  5. ???
  6. Get confused and open ticket

Anything else?

No response
@maltfield maltfield added the enhancement New feature or request label Apr 13, 2024
@maltfield
Copy link
Author

Note: This is not a support request asking for information on how to verify release signatures.

The only resolution to this ticket is by updating the getsession.org download page with the information (or a link-to the information) that documents how users can verify release signatures.

@maltfield maltfield changed the title Document PGP release signature usage Document PGP release signature usage on getsession.org/download Apr 13, 2024
@maltfield
Copy link
Author

Here are some examples of "verifying this release" project documentation from other projects

  1. https://www.apache.org/info/verification.html#CheckingSignatures
  2. https://docs.featherwallet.org/guides/linux#verifying-the-download-optional
  3. https://support.torproject.org/tbb/how-to-verify-signature/
  4. https://ubuntu.com/tutorials/how-to-verify-ubuntu
  5. https://tails.net/install/expert/index.en.html#verify-key
  6. https://calyxos.org/install/verify/#additional-verification

@keybreak
Copy link

https://github.com/oxen-io/session-desktop?tab=readme-ov-file#verifying-signatures

@maltfield
Copy link
Author

maltfield commented Apr 13, 2024
edited
Loading

Yes, so one solution to this ticket would be to update https://getsession.org/download with text that says:

"to verify the authenticity of this release with PGP, please see Verifying Signatures"

@yougotwill
Copy link
Collaborator

@maltfield Thanks for this comprehensive write up. Sorry to be a pain but would you mind moving this issue to the getsession.org repo https://github.com/oxen-io/session-website/issues

@maltfield maltfield mentioned this issue Apr 15, 2024
Open
1 task
@maltfield
Copy link
Author

maltfield commented Apr 15, 2024
edited
Loading

Ticket moved to oxen-io/session-website#36

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@maltfield @yougotwill @keybreak