Request: Please cryptographically sign all releases (PGP)

This is a ticket to request iodéOS to sign releases cryptographically. Please copy and paste this into GitLab, since it’s not possible for users to create bug reports or feature requests with the iodéOS project.

Description

Currently it is not possible to verify the authenticity or cryptographic integrity of the downloads from gitlab.iode.tech because the releases are not cryptographically signed.

This makes it hard for iodéOS customers to safely obtain the iodéOS software.

Steps to Reproduce

  1. Go to the iodéOS website iode[.]tech
  2. Click “iodéOS” in the navigation bar iode[.]tech/iodeos/
  3. Click “Install iodéOS for free” iode[.]tech/installation/
  4. Click “alternative way of installing iodéOS here” gitlab.iode[.]tech/ota/ota
  5. Click on your device (eg Pixel 8) gitlab.iode[.]tech/ota/release/-/tree/master/shiba
  6. Look for the release signature
  7. ???

Expected behavior: [What you expected to happen]

A few things are expected:

  1. I should be able to download the iodéOS release-signing PGP key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
  2. I should be able to download a cryptographic signature of the release (or, better, the releases’ digest file, such as a SHA256SUMS.asc file) along with the release itself
  3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior: [What actually happened]

There’s just literally no information on verifying downloads, and it appears that it is not possible to do so.

2 Likes

Note: I had to break a lot of the links in the post above, because of this error:

new users can only put 4 links in a post

Note that providing a hash in-band provides no security (just integrity from corruption).

For security (to verify the authenticity of a given release), we’d need a pinned, iodé-specific release-signing PGP key and cryptographic signatures of the release (or signatures of the release digest file).

For reference, here’s how release signatures were implemented by other privacy-focused Android ROMs:

  1. Graphene OS
  2. CalyxOS

If you need more historic examples where an open-source project had their publishing infrastructure breached and introduced a vector (sometimes successful) for Supply Chain Attacks against their users (which can be detected by proper release signing), see this list (specifically taking note where the Type of compromise = Publishing Infrastructure):

Worthy projects of note who were victim to this sort of attack (which could be detected by release signing):

  1. Linux Mint
  2. Monero
  3. Canonical (Ubuntu)
  4. Gentoo
  5. Handbrake
  6. etc.

Though you could use non-standard cryptographic signatures (like OpenSSH or minisign), I would strongly encourage using gpg, as it’s the industry standard with the most adoption and mature PKI.

For best-practices, see also:

  1. Signing Releases - Apache Infrastructure Website
  2. Signing System — OpenDev System Documentation
  3. Subkeys - Debian Wiki
  4. OpenPGP Best Practices - riseup.net

1 Like
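The verification flow the two posts above ask for (release-signing key fetched once out of band and pinned by fingerprint, detached signature over the digest file, and only then the hash check), written up as an added shell example; this is not the iodé project's code, and the file names SHA256SUMS / SHA256SUMS.asc and the fingerprint are placeholders.

```shell
#!/bin/sh
# Added example, not the iodé project's own tooling. The signing key is fetched
# once, out of band, from a keyserver and pinned by fingerprint; the digest
# file's detached signature is checked against that pinned fingerprint; only
# then are the downloads hashed. File names and fingerprint are placeholders.
set -eu

# Placeholder: replace with the fingerprint published in the project's docs.
PINNED_FPR="0000000000000000000000000000000000000000"

# One-time, out-of-band key retrieval. The key is addressed by fingerprint, so
# a tampered keyserver response simply fails the signature check below.
fetch_signing_key() {
  gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$PINNED_FPR"
}

# Succeed only if gpg's machine-readable status output contains a VALIDSIG line
# whose primary-key fingerprint (the last field) equals the pinned one. The exit
# code of a bare "gpg --verify" is not enough: it is 0 for ANY key in the keyring.
check_status() {
  status="$1"; pinned="$2"
  printf '%s\n' "$status" | awk -v want="$pinned" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# Verify the detached signature (e.g. SHA256SUMS.asc) over the digest file.
verify_digest_signature() {
  sums="$1"; sig="$2"
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || true
  check_status "$status" "$PINNED_FPR"
}

# Hashes only mean something once the digest file itself is authenticated: an
# in-band hash alone protects against corruption, not against a compromised
# download server, which can rewrite the hash alongside the file.
verify_release() {
  sums="$1"; sig="$2"
  verify_digest_signature "$sums" "$sig" ||
    { echo "REFUSING: $sums is not signed by the pinned key" >&2; return 1; }
  sha256sum --ignore-missing --check "$sums"   # GNU coreutils
}

# Usage: run fetch_signing_key once, then, in the download directory:
#   verify_release SHA256SUMS SHA256SUMS.asc
```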

Thanks for the request, I added it to our issue tracker

4 Likes

This has been completed, and our installation documentation has been updated on how to verify the signature of the downloads with our public key.

Thanks again for the request.

3 Likes

@rik thanks for your work on this. Unfortunately, I’m afraid this has not yet been completed.

[quote=“maltfield, post:1, topic:6707”]

Expected behavior: [What you expected to happen]

A few things are expected:

  1. I should be able to download the iodéOS release-signing PGP key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
  2. I should be able to download a cryptographic signature of the release (or, better, the releases’ digest file, such as a `SHA256SUMS.asc` file) along with the release itself
  3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

[/quote]

Specifically #3 is not fixed.

Steps to Reproduce

  1. Type ‘iode.tech’ into a web browser and press enter http://iode.tech/
  2. Click the “Try IodeOS” button (Installation - iodé)
  3. Click Download iodéOS installer for Linux button
  4. Look around for release signature
  5. ???
  6. Look around for link to information about verifying what I just downloaded
  7. ???
  8. User gives up, cancels download, and goes to download a different ROM

Solution

To complete this issue, we need to either:

  1. provide verification instructions directly on the download page, or
  2. add a section about “verifying” directly on the download page, which simply has a hyperlink to the documentation that describes how to verify downloads

I have re-opened the issue and added the comment about needing to add a link to the installation documentation from the downloads page and the “how to flash” section of the OTA page where instructions are given for manual installation.

2 Likes