GPG signature for server package?

Hi there,

When Seafile was hosted on Bintray, it was easy to obtain a GPG signature (.asc file) to verify the package. Now that Seafile is hosted internally, where can we get the GPG signatures?

Thanks.


+1

For what? What is the host system for the server? I don’t know Bintray, so I don’t know how you want to verify the package. I have 4 running Seafile servers and didn’t need to do that. So please provide a better explanation.

@holantomas This is a security question. A package can have a GPG signature file generated which proves that the file was not tampered with, and also that the file was generated by Seafile themselves (and not a malicious entity posing as Seafile).

Yes, but what is the server OS?

@holantomas Linux.

https://www.cyberciti.biz/faq/pgp-tarball-file-signature-keys-verification/

I don’t think you understand what I mean. I am requesting that Seafile provide a signature file for the package. You cannot verify a package without a signature file being provided.

Oh sorry, now I get your question (I will stop reading questions by morning) :smiley:

If you look here https://download.seadrive.org/ there is an XML feed with all files. You can look at the file you download and there is an ETag element. This is the MD5 sum of the file, so you can check it.


Thanks for the link @holantomas. An MD5 sum is good for verifying integrity, but it does not tell us if the package was altered or crafted by a malicious entity (as they would need Seafile’s private key to do this).

It was not signed with Seafile’s key before, but a generic one from Bintray. If anyone else had uploaded something, it would also have had a valid signature automatically.


From my point of view a sha256 checksum would be useful to reliably check the file’s integrity.

To have a significant improvement using GPG - which most users cannot use anyway (as it’s too complicated) - it would require Seafile Ltd. to create a private key and to keep it private, which is harder than one could think in the first place. So I don’t think it’s worth the time keeping in mind that most users won’t verify a GPG signature anyway.
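As an added illustration of the two checks discussed in this thread (the MD5 from the download feed’s ETag, a sha256 checksum, and a detached GPG signature), here is a small POSIX shell script. It is not from the Seafile project or from any post above. It assumes a checksum given as a hex string, a detached ASCII-armored signature stored next to the tarball as `<file>.asc`, and that the publisher’s public key was obtained out of band and imported into a GnuPG keyring. The point it makes is the one raised above: a digest (MD5 or sha256) only tells you the bytes you got are the bytes that were published, while a signature from a key that only the publisher holds tells you who published them.

```shell
#!/bin/sh
# Added example, not Seafile's own tooling. Verifies a downloaded package
# against (a) a published digest and (b) a detached GPG signature.
# Assumed inputs: hex digest string, <file>.asc signature, an imported public key.

# SHA-256 of a file; falls back to shasum on systems without sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# MD5 of a file (what the thread says the download feed's ETag contains).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# check_digest ALGO FILE EXPECTED_HEX
# Returns 0 if FILE's digest equals EXPECTED_HEX (case-insensitive), 1 otherwise.
# This proves integrity only: whoever can replace the file on the download
# server can usually replace the published digest as well.
check_digest() {
    case "$1" in
        md5)    actual=$(md5_of "$2") ;;
        sha256) actual=$(sha256_of "$2") ;;
        *) echo "unknown algorithm: $1" >&2; return 2 ;;
    esac
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# verify_signature FILE SIGNATURE [GNUPGHOME]
# Returns 0 on a valid signature from a key in the keyring, 1 on a bad or
# unknown signature, 3 if gpg is not installed. A VALIDSIG status line is
# only emitted when the signature checks out against an imported key, so this
# is the check that binds the package to the publisher's private key.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }
    if [ -n "$3" ]; then
        gpg --homedir "$3" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
            | grep -q '^\[GNUPG:\] VALIDSIG'
    else
        gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
            | grep -q '^\[GNUPG:\] VALIDSIG'
    fi
}

# Command-line use: ./verify.sh <tarball> <sha256-hex>
# Both checks must pass; a correct digest with a missing or bad signature
# is reported as a failure rather than a partial success.
if [ $# -ge 2 ]; then
    if ! check_digest sha256 "$1" "$2"; then
        echo "digest mismatch: download corrupted or replaced" >&2; exit 1
    fi
    if ! verify_signature "$1" "$1.asc"; then
        echo "signature missing or not valid for an imported key" >&2; exit 1
    fi
    echo "ok: digest matches and signature is valid"
fi
```

The digest functions are tested below with an empty file because its SHA-256 and MD5 values are fixed and well known; in practice the expected hex comes from the publisher’s checksum file or the feed’s ETag. Without `gpg` and an imported key, `verify_signature` returns 3 rather than silently passing.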

Nah… come on. People learned how to set up a Seafile server and in the same way they will learn how to verify signatures. :wink:

No, he said that if they invest their time to get GPG working (every update), then only a small % of users will use it …

Right, maybe I misunderstood his point. Anyway: in the same way I could say “people have no interest in using a private cloud because there is Dropbox/Google Drive/OneDrive”.

Offering signatures is a part of a serious software distribution process in my opinion. So even if only 1% of all Seafile server users would use it, it would be worth offering it.


+1 totally agree!