Show SHA values of downloads. about www HOT 4 CLOSED

To keep this thread updated: We're now happily in the Windows Store.

No further immediate improvements are planned from my end. I would like to adopt sigstore at some point, but let's first let others squash the bugs there.

from www.

I'm somewhat 👎 on hashes/PGP - IMO there's not much of a practical security benefit (PGP lacks adoption/UX, hashes can be swapped out). Here's what we're at currently:

1. macOS: Main recommendation is brew install, which is very nice for us because we don't have to do or worry about anything. Signing the standalone binaries would be nice to have, but then again that's not the recommended install method.
2. Linux: We have (unsigned) binaries. I'm not quite sure how we can improve this, except by adding a signature that the majority of users won't check.
3. Windows: Unsigned installer/binaries. This is where I think we can improve most. Classic code signing would be one option, but maybe we should just try to finally get mitmproxy into the Windows store instead? This would also provide auto-updates, which would be fantastic.

from www.

I think it's always a matter of "do I trust the signer to be responsible with the signing key"? :)
As sysadmin I've used strict SRPs in Windows that require every binary to be signed with Authenticode from specific vendors, and if one can trust the vendors (and Windows ;) it's very effective to keep the average user safe. (Although I admit those are not mitmproxy's target audience.)

You're right about PGP on Linux, though, not many actually go the extra mile and verify the file containing the hashes. But as far as hashes themselves are concerned, personally I think it's very nice to know that one's downloaded file isn't corrupted. (Then again, I also run debsums periodically, so maybe it's just bit rot paranoia :)

If we opt to build an appx/msix (for the Windows Store or App Installer), we will have to sign anyways. The user also gets the benefit of "permanent" hash checks, thanks to the package's block map getting installed alongside the files.
(Using MSIX and App Installer, we can also provide auto-updates without going through Windows Store btw.)
I'd be happy to look into that, if that's the desired way to go...

from www.

(Using MSIX and App Installer, we can also provide auto-updates without going through Windows Store btw.)

Yes, but we don't want to build any phone-home functionality into mitmproxy (that sadly includes update checks). If the OS is doing that with servers it is talking to anyways, we're fine though.

I'd be happy to look into that, if that's the desired way to go...

Defaulting to the Windows Store would be fantastic IMO. My understanding is that this would then also be signed by Microsoft somehow? At least that's how I remember it. I did try to get us into the Windows store very early on, but that then got stalled for various reasons.
https://github.com/mitmproxy/mitmproxy/tree/main/release/windows-store-experiment

😅

It looks like I cannot easily give you access to manage the store listing, but I'd be happy to collaborate on this in person. :)

from www.