The forum

Feature request

Signing script variable and pubkey managment

Author Replies
sam666 Monday 1 September 2014 at 4:58
sam666Anonymous

Hi,

Everytime i want to add a new POL script, i have to read the source code (for security reasons).

Why ? Cause someone can MITM me or compromise the file server and replace binary with backdoored one.

So please, could you plan to introduce the following security feature:

- Add the signing content of all files (signed scripts + signed software binary) downloaded from POL website and/or use https on your file server (iirc : files.playonlinux.com). 

Here one of the way to introduce signing feature :

- Each contributor having access to the files server generate pair of pub/priv.

- Add main pubkeys in default playonlinux install

- Provide a file in each install of POL programs (as separated or included in the end of POL script)

- Add a pub key viewer inside the software to list referenced pubkeys (that can be stored in a directory), and offer the possibility to add/remove any pub keys from the windows. This can be a simple "List" widget with add/remove button.

- Each times POL launch a script to install a game, it will check the signature of files, If files are not downloaded from POL website, it will enumerate them.

What do you think ?  

Thanks you guys for your time and consideration. And really, you are doing a great works on this project.

S

sam666 Monday 1 September 2014 at 5:00
sam666Anonymous

- Provide a file in each install of POL programs (as separated or included in the end of POL script)

I mean "provide a file containing all signed values to be checked by POL with the pubkey stored"

Quentin PÂRIS Monday 1 September 2014 at 11:02
Quentin PÂRISAnonymous

This is actually the current mechanism. If POL gives the source code of a script before running it, it means that the signature check failed.

This site allows content generated by members, and we promptly remove any content that infringes copyright according to our Terms of Service. To report copyright infringement, please send a notice to dmca-notice@playonlinux.com