Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Won't Fix
-
1.7
-
None
-
None
Description
Hi,
when downloading apollo from the download network, the connection is not trusted and can easily spoofed. Therefore, apollo comes with a pgp signature.
However, this signature is completely useless for two reasons:
1) The key is named
Hiram Chirino <hiram@hiramchirino.com>
who is that? Is he a developer or simply a random name chosen by the attacker? How should one know whether he is authorized to release code?
2) The key is not signed by anyone else and there is no fingerprint on any webpage, absolutely no way to verify authenticity.
So whoever is able to replace the software release with a modified version, could as well replace the signature file with one signed by the attacker himself, after generating a random key with a random name, either Hiram Chirino, Donald Duck, or Batman.
So providing the gpg signature is absolutely pointless and does not raise security at all. But it raises the question whether the security of apollo itself could be any better then.
regards