Software Signature Verification Usability Issues and Proposed Solutions

From Whonix

(Redirected from Dev/SecureDownloader)


Quote Warning page, Always Verify Signatures:

For greater system security, it is strongly recommended to avoid installing unsigned software. Always make sure that signing keys and signatures are correct and/or use mechanisms that heavily simplify and automate this process, like apt-get upgrades. As a reminder, digital signatures are not a magic bullet. While they increase the certainty that no backdoor was introduced by a third party during transit, this does not mean the software is absolutely "backdoor-free". Learn more about this process and what digital signatures prove.

Surveys (example) have shown that very few users use software signature verification. Even fewer users have a sufficient understanding of the threat model. In case of an attack by an advanced adversary most users would get compromised. This is the very strong opinion of the author of this text. Usually the author of this text seldom raises strong opinions.

Required knowledge is far too much. Usability of tools used for manual verification of software signatures is such as GnuPG is far too bad. For an elaboration of these issues, see Conceptual Challenges in Software Digital Signatures Verification and Verifying Software Signatures.



Metalink are links which support additional metadata. Such as in theory links to signing keys, software signatures. Browser could implement support for metalink and automation of software verification.

Would require Metalink including OpenPGP support.

GSoC may be way to get this feature into Firefox.

Metalink would only be a gradual improvement. Download security is harder than just verification of software signatures. Rollback (downgrade), indefinite freeze attacks and other attacks would still be possible. See TUF Threat Model, TUF: Attacks and Weaknesses [archive] for further information.

OpenPGP Signed Website[edit]

OpenPGP Signed Websites and browsers verifying website signatures do not exist yet either.

Key Distribution[edit]

Even if browsers (such as Firefox, Chrome) and/or downloaders (such as wget, curl, aria2c) had support for metalink and OpenPGP verification there would still be no concept on how to distribute the signing keys. This is a hard problem. TLS has the same issue. The certificate authority (CA) system problem.

DANE [archive] (DNS-based Authentication of Named Entities) might be a way put the root anchor into the DNS but that's no perfect end-to-end authentication either.

Deprecated Ideas[edit]



Deprecated idea.

Stub downloader. Similar to the one that Mozilla is providing for Firefox downloads. A small tool that is used to download and install the real tool.

Securing downloads may be better when written as a general purpose tool (not specific to Whonix ™).

No other projects such as Firefox or Debian support this use case.

Open Questions[edit]

  • How to download and verify the host program in the first place?
    • Without being able to answer this question the thing becomes a circle and doesn't actually solve anything.
  • How to download the secure downloader itself in censored countries?
  • How to download files in censored countries?
  • Torify downloads?


Such a host program is host operating system specific, well you can write it in a cross platform language but still have to struggle with platform specific quirks.

The Tor Project never managed to get such a downloader up and running, see Thandy.


Not useful. Better to fix the root issue upstream.



text=Jobs in USA
Jobs in USA

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Iconfinder news 18421.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg Reddit.jpg Diaspora.png Gnusocial.png Mewe.png 500px-Tumblr Wordmark.svg.png Iconfinder youtube 317714.png 200px-Minds logo.svg.png 200px-Mastodon Logotype (Simple).svg.png 200px-LinkedIn Logo 2013.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png United Federation of Planets 1000px.png

Share: Twitter | Facebook

Please help in testing new features and bug fixes in Whonix ™.

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.