Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document signature verification on download page #27396

Closed
maltfield opened this issue Apr 25, 2024 · 4 comments
Closed

Document signature verification on download page #27396

maltfield opened this issue Apr 25, 2024 · 4 comments
Labels
T-Defect T-Feature Request to add a new feature which does not exist right now

Comments

@maltfield
Copy link

Steps to reproduce

Steps to Reproduce

  1. Go to element download page https://element.io/download
  2. Click to download a desktop app (eg the Mac button)
  3. Scroll up & down the page looking for information on how to verify the release
  4. ???
  5. Get confused and open ticket

Outcome

What did you expect?

I expected the download page to tell me (or link me to the relevant documentation page that does tell me) how to verify the authenticity of the release cryptographically (eg with gpg) after the download completes

What happened instead?

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.

Operating system

All

Application version

All

How did you install the app?

https://element.io/download

Homeserver

irrelevant

Will you send logs?

No
@dosubot dosubot bot added the T-Feature Request to add a new feature which does not exist right now label Apr 25, 2024
@maltfield
Copy link
Author

maltfield commented Apr 25, 2024
edited
Loading

I've read that there's some signing of releases happening already, so (possibly) the only thing required is to fix the documentation telling users on all desktop platforms how they can verify their releases after downloading them

For some examples of "verifying this release" in other project's documentation, see:

  1. https://www.apache.org/info/verification.html#CheckingSignatures
  2. https://docs.featherwallet.org/guides/linux#verifying-the-download-optional
  3. https://support.torproject.org/tbb/how-to-verify-signature/
  4. https://ubuntu.com/tutorials/how-to-verify-ubuntu
  5. https://tails.net/install/expert/index.en.html#verify-key
  6. https://calyxos.org/install/verify/#additional-verification

Again, something like one of the above links should either be added directly to the downloads page or it should be clearly linked-to in the downloads page.

@t3chguy
Copy link
Member

t3chguy commented Apr 25, 2024

I've read that there's some signing of releases happening already

Yes, the app is both signed and notarised otherwise macOS would make it very difficult for you to run.

Issues for the element.io website live at https://github.com/element-hq/element.io - I don't have the ability to move it. I suggest you re-open the issue there.

@t3chguy t3chguy closed this as not planned Won't fix, can't repro, duplicate, stale Apr 25, 2024
@maltfield
Copy link
Author

maltfield commented Apr 25, 2024
edited
Loading

I'll open a ticket there, thanks.

@t3chguy In the meantime, can you please link to where I can download the PGP cryptographic signature file on releases for MacOS, Linux, and Windows?

@maltfield maltfield mentioned this issue Apr 25, 2024
Open
@maltfield
Copy link
Author

Ticket moved to:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
T-Defect T-Feature Request to add a new feature which does not exist right now
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@t3chguy @maltfield