Signing Status releases

digital-signatures

#1

I was just downloading the latest nightly when I realized I should be checking the file download against a signature from Status. I went to GitHub to see if maybe there were some in the releases page and I noticed Status doesn’t sign releases and stopped tagging releases in July for some reason. If this wasn’t intentional it would be nice to start it back up again.

It would be cool to introduce some signatures into the release process so users who don’t build the software themselves could check the authenticity and integrity of their app download.

Here’s an example of an incredible release page where all the different platforms’ downloads and all the signatures are bundled together on the same release page, not to mention the release notes are crazy thorough with links to absolutely everything.

It would be even cooler if each release hash and signature could be published to a contract and had to be signed by n of m core contributors to be considered “official” Status software.

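The n-of-m idea from post #1, as an added example written for this thread (not Status code): a release manifest covering the artifact's SHA-256 is signed by core contributors' Ed25519 keys and accepted only when at least n distinct trusted keys verify. The key pairs, file name, tag and artifact bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)
// ReleaseSig is one core contributor's detached signature over the manifest.
type ReleaseSig struct {
	Signer ed25519.PublicKey
	Sig    []byte
}
// Manifest is the canonical string that gets signed: artifact name, release tag and
// the SHA-256 of the file bytes, so a signature binds the exact download.
func Manifest(name, tag string, artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return []byte(name + " " + tag + " " + hex.EncodeToString(sum[:]))
}

// Sign produces one contributor's signature over the manifest.
func Sign(priv ed25519.PrivateKey, msg []byte) ReleaseSig {
	return ReleaseSig{Signer: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, msg)}
}

// VerifyThreshold counts valid signatures from distinct trusted keys and requires at
// least threshold of them; unknown keys, repeated signers and bad signatures never count.
func VerifyThreshold(trusted []ed25519.PublicKey, msg []byte, sigs []ReleaseSig, threshold int) bool {
	counted := map[string]bool{}
	for _, s := range sigs {
		for _, t := range trusted {
			if t.Equal(s.Signer) && ed25519.Verify(s.Signer, msg, s.Sig) {
				counted[string(s.Signer)] = true // keyed by public key, so one signer counts once
			}
		}
	}
	return len(counted) >= threshold
}

func main() {
	// Constructed demo: three core contributors, release policy 2-of-3.
	var priv, trusted = []ed25519.PrivateKey{}, []ed25519.PublicKey{}
	for i := 0; i < 3; i++ {
		pk, sk, _ := ed25519.GenerateKey(rand.Reader)
		priv, trusted = append(priv, sk), append(trusted, pk)
	}
	msg := Manifest("StatusIm-nightly.apk", "nightly-example", []byte("constructed artifact bytes"))
	fmt.Println("2-of-3 met:", VerifyThreshold(trusted, msg, []ReleaseSig{Sign(priv[0], msg), Sign(priv[2], msg)}, 2))
}
```

A duplicate signature from the same key, a signature from a key outside the trusted set, or a signature over a different artifact hash all leave the count short of the threshold.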

#2

I think right now the biggest issue is the lack of deterministic builds, but it is on our roadmap. About releases in GitHub, I wasn’t even aware we did tag them… Maybe we should start doing that again.