adfdsfGYYy53

Request/Suggestion: Alternate sources for SHA, etc signatures (as user friendly as possible)

The thought occurs to me that if one validates their download from the same webpage that they got the download, the value of a signature is greatly decreased.

For example, if an attacker were to have the ability to do (whatever it took) to get the user to download a version of Eddie with a backdoor in it, then it seems that it would be trivial for that same attacker to modify the SHA, MD5, etc signatures in order to get around the very safeguards that verifying a download are meant to provide.
While no single alternate channel for publishing signatures, by itself, could be trusted, a collection of multiple "Verified" social media accounts, for example, taken together, can provide a reasonable amount of assurance to the user that the signatures are valid.

A "verified" Twitter account, an Instagram (if they have verification) account, a publicly visible Facebook group page with a large number of members and/or "high profile" "verified" members as admins would provide similar functionality to what "the web of trust" is (AFAICT) intended to provide (with regards to giving people more trust in attestations of authenticity) but would be a lot more user friendly, and would therefore gain a lot more use, and therefore be a lot more trustworthy than the "web of trust".

Link to post

The use case of a checksum is not in verifying whether your download is authentic/trustworthy/"secure" but to rule out integrity errors appearing when storing or transmitting the checksummed file(s). If you want verification whether the file provided comes from AirVPN, all OSes do that already, probably without you noticing it. And it's done very "user-friendly":

  • Windows supports signing installation packages. You might remember those dialog windows where Windows asks "Do you want to install this program? Name: MyProgram, Developer: MyCompany, LLC., Source: xyz" – this is a message already indicating a successful verification, otherwise SmartScreen would block it or display "cannot be verified" or similar.
  • Same on macOS, I believe. Installation packages must be notarized for a smooth installation process.
  • (On iOS, things are even more locked in: All apps you see in the store are approved by Apple. And still iOS checks if developers' keys are the same for a given app.)
  • On Linux, most package managers are checking package signatures using GPG keys.
  • Android has been accepting signed APKs only since I think Android 2.2 or something, and it upgrades a given app only if the new version of that app is signed with the same key.
2 hours ago, adfdsfGYYy53 said:

if an attacker were to have the ability to do (whatever it took) to get the user to download a version of Eddie with a backdoor in it, then it seems that it would be trivial for that same attacker to modify the SHA, MD5, etc signatures in order to get around the very safeguards that verifying a download are meant to provide.


And it is trivial – provided the attacker successfully tricks the user to connect to a confusably similar looking but totally different eddiie.website with two ii instead of eddie.website with one i, for example. This is a tactic I'd apply to get you to install my malware.

Actually breaking into any part of the AirVPN server infrastructure and modifying all that info while making sure this modification stays unnoticed for as long as possible is very far from trivial. It's not impossible but there are much easier ways, like the one above. :)

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Link to post
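
The lookalike-host point made in the post above, as an added example that is not part of the original thread: checksums read from the wrong site prove nothing, so the host is checked first and near-misses such as the doubled-letter name are flagged. The function names and the edit-distance threshold of 2 are assumptions of this example.

```python
from urllib.parse import urlsplit

EXPECTED_HOST = "eddie.website"  # genuine host as named in the post above


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_download_host(url: str, expected: str = EXPECTED_HOST) -> str:
    """Return 'match', 'lookalike' or 'unrelated' for the host in url."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if host == expected or host.endswith("." + expected):
        return "match"
    # The expected name used as the leading labels of another domain.
    if host.startswith(expected + "."):
        return "lookalike"
    # Compare only the last labels so a "www." prefix does not hide a typo.
    labels = expected.count(".") + 1
    tail = ".".join(host.split(".")[-labels:])
    if 0 < edit_distance(tail, expected) <= 2:  # threshold is an assumption
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sample in ("https://eddie.website/", "https://eddiie.website/"):
        print(sample, classify_download_host(sample))
```

Only a result of `match` means the page's checksums are worth comparing at all.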

One point where you can eliminate your concerns would be to add the AirVPN signing key. Then using apt-get to always do your updates (even automatically by the way) your updates MUST match the needed signature to be used. Nobody can replicate that process unless they have the private key and the password to it. It's the way to go. Easy and most secure way to do it. I like easy and fast, but combine that with fully secure and it's a keeper!

Link to post

If you cannot verify using signatures (like GPG; preferred!), you can use two external sources for a verification that the published hash sums have remained the same or are the same as the ones you see:

  • archive.org offers a historical lookup for the page
  • search engine caches offer you a second perspective of the page

Link to post
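
The cross-check suggested in the post above, as an added example that is not part of the original thread: the SHA-256 of the local file is compared with hash strings the user copied by hand from at least two separate sources. The source labels, function names and the sample file are constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so a large installer is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_download(path: Path, published: dict[str, str]) -> str:
    """Compare a local file with hash values copied from several sources.

    published maps a source label to the hex SHA-256 string shown there.
    """
    values = {src: h.strip().lower() for src, h in published.items()}
    if len(values) < 2:
        return "insufficient: need at least two independent sources"
    if len(set(values.values())) > 1:
        return "sources disagree: the published value differs between copies"
    if sha256_file(path) != next(iter(values.values())):
        return "mismatch: file does not match the published value"
    return "verified"


def demo() -> list[str]:
    """Run the check on a constructed file standing in for a download."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "installer.bin"  # constructed sample
        installer.write_bytes(b"constructed installer bytes\n")
        good = sha256_file(installer)
        other = hashlib.sha256(b"something else").hexdigest()
        live, archive, cache = "live page", "archive.org snapshot", "search cache"
        return [
            check_download(installer, {live: good, archive: good.upper()}),
            check_download(installer, {live: other, archive: good}),
            check_download(installer, {live: other, cache: other}),
            check_download(installer, {live: good}),
        ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Agreement between the copies shows only that the published value is the same in each of them; as the post says, a signature check is preferred where it is available.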
On 4/7/2021 at 6:33 AM, Stalinium said:

If you cannot verify using signatures (like GPG; preferred!), you can use two external sources for a verification that the published hash sums have remained the same or are the same as the ones you see:

  • archive.org offers a historical lookup for the page
  • search engine caches offer you a second perspective of the page

This is exactly the kind of thing I was looking for.
Thank you.

Link to post
On 3/30/2021 at 6:39 PM, iwih2gk said:

One point where you can eliminate your concerns would be to add the AirVPN signing key. Then using apt-get to always do your updates (even automatically by the way) your updates MUST match the needed signature to be used. Nobody can replicate that process unless they have the private key and the password to it. It's the way to go. Easy and most secure way to do it. I like easy and fast, but combine that with fully secure and it's a keeper!

Thanks.

Is the method suggested below by Stalinium a good way to verify that the AirVPN signing key itself is legitimate?

Link to post