Please add SHA-256 hashes and a GPG signature for the desktop downloads, so that users can verify the integrity of the binaries they use.
For Android, we published the SHA256 fingerprint of the signing signature used at Verify Downloads - Delta Chat (reachable on get.delta.chat).
That way, we can avoid updating the page on every release and dealing with long lists of releases.
Maybe something similar is doable and sufficient for desktop as well? It might be much more complicated because of the different distributions, however.
In the following forum thread from 2021, Jikstra says it should probably be easy to get the release script to upload a checksum.txt with checksums of all the uploaded files:
And then simply signing the checksum.txt and uploading the signature shouldn’t be hard, I would think (but there could be difficulties involved which I don’t understand).
Compared to all the work of writing and testing the Delta Chat code, I imagine that signing a checksum.txt file would be pretty quick and straightforward, and it would give many users more confidence that they downloaded the right code.
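As an added example that is not part of this thread and not Delta Chat's release tooling, the script below does the checksum.txt side of what is proposed above in Python: it builds a list in the format `sha256sum` emits, verifies downloaded files against such a list (reporting OK, FAILED or MISSING per file), and wraps `gpg --verify` for a detached signature over the list. The file names and contents are constructed for the demonstration, and `demo`, `keyring_home` and the other function names are assumptions of this example, not names from the project.

```python
"""Build, verify and (optionally) GPG-check a sha256sum-style checksums.txt.

Added example; not Delta Chat's release scripts. All file names and
contents below are constructed for the demonstration.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile
from typing import Dict, List, Optional, Tuple

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so large installers need not fit in RAM


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_checksums(paths: List[str]) -> str:
    """Produce the text sha256sum(1) would: one '<hex>  <name>' line per file."""
    return "".join(f"{sha256_file(p)}  {os.path.basename(p)}\n" for p in sorted(paths))


def parse_checksums(text: str) -> Dict[str, str]:
    """Parse sha256sum output; tolerates the ' *name' binary marker and blank lines."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed checksum line: {raw!r}")
        result[name] = digest.lower()
    return result


def verify_checksums(text: str, directory: str) -> Dict[str, str]:
    """Check every listed file in `directory`; returns {name: 'OK'|'FAILED'|'MISSING'}."""
    status: Dict[str, str] = {}
    for name, expected in parse_checksums(text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            status[name] = "MISSING"
        elif sha256_file(path) == expected:
            status[name] = "OK"
        else:
            status[name] = "FAILED"
    return status


def gpg_verify(signature: str, signed_file: str,
               keyring_home: Optional[str] = None) -> Optional[bool]:
    """Run `gpg --batch --verify <sig> <file>`; None if gpg is not installed.

    The signature covers only the checksum list, so it must be checked
    before any hash in that list is trusted.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    env = dict(os.environ)
    if keyring_home:  # hypothetical: point at a keyring holding only the release key
        env["GNUPGHOME"] = keyring_home
    proc = subprocess.run([gpg, "--batch", "--verify", signature, signed_file],
                          env=env, capture_output=True)
    return proc.returncode == 0


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed scenario: three 'release artifacts'; then one is modified and one removed."""
    with tempfile.TemporaryDirectory() as d:
        files = {"DeltaChat.AppImage": b"appimage-bytes",
                 "DeltaChat.dmg": b"dmg-bytes",
                 "DeltaChat.exe": b"exe-bytes"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        text = make_checksums([os.path.join(d, n) for n in files])
        clean = verify_checksums(text, d)
        # Simulate what a user would see if the published list no longer matches the files.
        with open(os.path.join(d, "DeltaChat.exe"), "ab") as f:
            f.write(b"-modified")
        os.remove(os.path.join(d, "DeltaChat.dmg"))
        return clean, verify_checksums(text, d)


if __name__ == "__main__":
    before, after = demo()
    print("fresh download:", before)
    print("after tampering:", after)
```

On the release side the list would be signed with `gpg --armor --detach-sign checksums.txt`, which writes `checksums.txt.asc`; a user runs `gpg_verify("checksums.txt.asc", "checksums.txt")` first and only then `verify_checksums`, because whoever can swap the binaries on a mirror can also swap an unsigned checksum list.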
I’m currently exploring providing repositories (like a PPA) for our Linux releases; they would then provide checksums too.
I will come back to this thread as soon as there is something to share.
I saw that the latest desktop releases now include signatures, which is great news! It’s great that signatures are finally being added for the desktop builds! However, it is not clear where the signing certificate can be found. Where can it be downloaded? And which developers are responsible for the signing certificate?
The information page here has not yet been updated to include the relevant information for verifying desktop builds and the FAQ doesn’t mention it at all.
We are currently testing it; it will be posted once it is ready. Currently we plan to upload the certificate/public key on the site and on some OpenPGP key servers (to prove the connection to an email address).
Do you have more ideas where else we could post the certificate?
This is the certificate for the current test release.
deltachat_certificate.asc.txt (636 Bytes)
The Delta Chat website and OpenPGP key servers would indeed be the most obvious places to upload the certificate. Some PGP key servers verify the email address, but I don’t think all of them do. You could also post the fingerprint in your social media bio.