Don't be too afraid of governments tampering with your program. I mean this
in the best possible way, but you are nobody important enough :)
Governments issue subpoenas, arrest warrants, and court orders -
that's much quicker and more effective than hacking. In the security space,
we also refer to "rubber hose cryptanalysis" as being very effective. What is
it? You beat someone with a rubber hose until they give you the passwords.

The best you can do is give your users who care about the integrity of your
program a way to validate it. Post the SHA256 checksum of each binary
release, which would make it trivial for users to check if their executable
is modified. Naturally, this won't catch post-load modifications.

You can go a tiny step farther and obfuscate the checksum into your
executable with some form of white box crypto. White box crypto makes it
difficult, but not impossible, to extract a secret embedded in an
application. It's really not possible to check integrity effectively
without an external server. Even with an external server, your executable
could be sabotaged.

I wouldn't bother obfuscating, just strip your executable with the -s -w
ldflags to the linker. It is very difficult for most people to glean any
information from stripped programs.

None of this, of course, will stop a motivated attacker.

On Tue, Jul 23, 2019 at 3:09 PM clement auger <clementauger...@gmail.com>
wrote:

> Thanks to everyone for sharing their thoughts about this question.
>
> It confirms what I read elsewhere.
>
> This app is to be installed on the end user's computer,
> and there is no central authority required to use its
> service. Unlike the game Michael Jones is working on,
> where somehow the user must connect to some server.
>
> The only reason I have to introduce a central authority,
> or a network of peer validation (a way I have thought about to prevent a
> simple MITM),
> is for licensing concerns.
>
> Giving the control of the data to the end user is part of the value added
> of the product,
> so hosting it on a managed remote platform is not an option.
>
> I was hoping for some sort of cross-platform one-for-all solution.
> Ideally, quick to set up (...).
> Having to rely on package managers to install it is something I have to
> research.
>
> A quick search reveals projects to implement automatic patching.
> I did not think to search for this before today.
> It does not look fully automated yet, but they definitely follow the
> path.
>
> Alternatively, an obfuscation tool exists here
> https://github.com/unixpickle/gobfuscate
> I'll give it a try, but if anyone has ever tested it
> I would very much appreciate feedback.
>
> Is it still true that -w might break things when using the reflection
> package?
> https://stackoverflow.com/a/20928030
>
> On a broader and less personal note, I also asked because I'm
> freaking out about all those governments
> wanting to install backdoors everywhere, and I feel completely defenseless
> against what they will implement soon.
> Because they will.
> But this is not a programming topic, so I will not expand.
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/golang-nuts/a513dbb4-d4d2-4169-b49c-5743e5ee8337%40googlegroups.com
> <https://groups.google.com/d/msgid/golang-nuts/a513dbb4-d4d2-4169-b49c-5743e5ee8337%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/CA%2Bv29LuRrM02nniYj6XvouZmAPvkH6-E-5o7R-Ywmv%2BP9UUWsw%40mail.gmail.com.
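The reply above recommends publishing a SHA256 checksum for each binary release so users can verify the file they downloaded, and notes that this does not catch modifications made after the program is loaded. The following Go program is an added example, not code from the original thread or from any project mentioned in it: it streams a file through SHA-256 and checks the digest against a checksum list in the two-column format that `sha256sum` prints. The filename `myapp` and the checksum lines are constructed sample values. It assumes the checksum list was fetched over a channel the attacker does not control (a TLS-protected release page, or a signed file); if the checksum and the binary come from the same compromised download, verification proves nothing.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// FileSHA256 streams the file through SHA-256 (so large binaries are not
// read into memory at once) and returns the lowercase hex digest.
func FileSHA256(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// ParseChecksums reads lines in the format produced by `sha256sum`:
// "<64 hex chars>  <filename>". A leading '*' on the filename marks
// binary mode and is dropped. Lines that do not fit (comments, blank
// lines, truncated digests) are skipped rather than treated as a match.
func ParseChecksums(r io.Reader) map[string]string {
	sums := make(map[string]string)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			continue
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			continue // not hex, not a digest
		}
		name := strings.TrimPrefix(fields[1], "*")
		sums[filepath.Base(name)] = strings.ToLower(fields[0])
	}
	return sums
}

// Verify reports whether the file at path matches its published digest.
// A file with no published digest is an error, not a pass: an attacker
// who can rename the binary must not be able to skip the check.
func Verify(path string, sums map[string]string) (bool, error) {
	want, ok := sums[filepath.Base(path)]
	if !ok {
		return false, fmt.Errorf("no published checksum for %q", filepath.Base(path))
	}
	got, err := FileSHA256(path)
	if err != nil {
		return false, err
	}
	return got == want, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: verify <binary> <SHA256SUMS file>")
		os.Exit(2)
	}
	list, err := os.Open(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer list.Close()
	ok, err := Verify(os.Args[1], ParseChecksums(list))
	switch {
	case err != nil:
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	case !ok:
		fmt.Fprintln(os.Stderr, "MISMATCH: binary does not match published checksum")
		os.Exit(1)
	}
	fmt.Println("OK: checksum matches")
}
```

The release side is the reverse of this: build with `go build -ldflags="-s -w"` as the reply suggests, run `sha256sum` over the artifacts, and publish the output next to the downloads. The check only covers the file on disk; once the process is running, nothing here detects in-memory patching.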
