- Requesting downloads to be provided over an HTTPS connection to prevent MiTM attacks while downloading everdo.
- Requesting downloads to be accompanied by a SHA256 sum to verify integrity.
- Requesting downloads to be cryptographically signed with a GPG signature to verify authenticity.
Those can be taken care of by a Debian (or ubuntu) repository.
Thanks for good suggestions!
This is easy. Should be done in no time.
Will take some time, but good idea.
Isn’t this redundant with the previous point, given that an authentic checksum appears on the official domain?
How do you make sure that the checksum is indeed authentic and someone hasn’t tampered with the official site?
GPG ensures that whatever checksum/file is on the site, came from you and nobody else (there are ways for a certificate collision to occur, but I’m more likely to grow a third thumb :p).
I see, I just assumed the site is trusted. I think the signature check is indeed best left to the package manager once we create distribution-specific repositories.
Is there any published GPG key or at least Hash for the current downloadable?