Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Publish code signing keys and signatures for Linux

See original GitHub issue

Carried over from https://github.com/brave/browser-laptop/issues/197

We should publish our code signing keys and signatures so that anyone can independently verify them. See https://www.torproject.org/docs/verifying-signatures.html.en for an example of a project that does this.

I also think it’s a good idea to sign git tags.

Our current status (browser-laptop):

we publish the Linux signing keys(used for .deb/.rpm packages)
many of us sign commits our already (which is reflected on GitHub)

On browser-laptop, end users can check the signature on the installer / binaries:

macOS can verify by running spctl --assess --verbose /Applications/Brave.app/. If app is signed, it should return something like this:
```
/Applications/Brave.app/: accepted
source=Developer ID
```
Windows Authenticode signature can be checked by right clicking the installer and choosing properties. Once open, go to the Digital Signatures tab and double click on the signature. Make sure it says The digital signature is OK

Issue Analytics

State:
Created 5 years ago
Reactions:4
Comments:7 (6 by maintainers)

Top GitHub Comments

3reactions

bscliftoncommented, Feb 6, 2019

@cg505 that’s a good request - I created an issue to track that here (in case you wanted to subscribe): https://github.com/brave/brave-browser/issues/3243

0reactions

cg505commented, Feb 4, 2019

Is there any plan to sign git tags?