On Fri, 21 Apr 2023 19:32:07 +0100 J05HYYY via Replicant wrote:

> But for 'casual use', I see little point in signing the images.

I am not familiar with Replicant's signing process and signature usage
afterwards, so I will just share my thoughts about that.

From what I know about signing in general (e.g. in the context of email
messages), it does 2 things:

1. It is a proof of origin
2. It is a proof of integrity

A checksum can prove only integrity. Additionally, malware's checksum
can still be correct. Signed malware is still possible but should be
much more difficult to achieve because an attacker would either need to
get access to the primary key or use an exploit in the cryptographic
process.

I understand your goal is anonymity. However, if signatures for
Replicant work like signatures for documents, then not having a
signature makes your final result prone to undetectable changes. If
signatures are used only for distribution, then one signature file
along with the whole image is enough. What I notice though is that the
build script signs many files. To my mind, this means those separate
signatures are meant to be verified later (e.g. while the OS is
running) which may be a mechanism for making sure the system runs only
software it trusts and that software has not been modified (e.g. by
malware).

Along these lines, if Replicant's official build which one downloads
from the website has all those multiple signatures and one modifies
part of the software (e.g. builds a boot.img) which either has
different signatures or (as you suggest) has no signatures at all, it
is possible that "the checker" part of Replicant OS may detect that and
stop working properly because the integrity will be broken. That's why
I wonder if building just the boot.img may result in such a situation
(especially considering that I will be modifying selinux - a critical
part of the security system).

So, if I am right in my speculations above, not having those build time
signatures (for the sake of anonymity) reduces the security of the
final product, regardless if it is just for personal use or for
distribution. Then it is better to fill in some non-personally
identifying info when creating the signature, rather than not have a
signature at all. Again - this is my speculation which I cannot prove
because I am not an expert.

I still hope someone who is versed in the process in the context of
Replicant building will clarify all this.
_______________________________________________
Replicant mailing list
Replicant@osuosl.org
https://lists.osuosl.org/mailman/listinfo/replicant
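The distinction drawn above (a checksum proves integrity only, a signature proves integrity and origin, and a tampered file can ship with a recomputed checksum) can be shown directly in code. The following is an added example, not code from this thread or from Replicant's build system; it uses Ed25519 over a SHA-256 digest as a stand-in for whatever signature scheme the Replicant build script actually uses (an assumption), and the image contents are constructed sample bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Artifact models a published build file together with the checksum and
// signature a release process would ship beside it.
type Artifact struct {
	Data      []byte
	Checksum  [32]byte // SHA-256 of Data: integrity only, needs no secret
	Signature []byte   // Ed25519 over Checksum: integrity plus origin
}

// Publish computes the checksum and signs it with the publisher's private key.
func Publish(priv ed25519.PrivateKey, data []byte) Artifact {
	sum := sha256.Sum256(data)
	return Artifact{Data: data, Checksum: sum, Signature: ed25519.Sign(priv, sum[:])}
}

// ChecksumMatches reports whether the shipped checksum matches the data.
func ChecksumMatches(a Artifact) bool {
	return sha256.Sum256(a.Data) == a.Checksum
}

// SignatureValid reports whether the shipped signature was produced by the
// holder of the private key matching pub, over exactly this data.
func SignatureValid(pub ed25519.PublicKey, a Artifact) bool {
	sum := sha256.Sum256(a.Data)
	return ed25519.Verify(pub, sum[:], a.Signature)
}

// Tamper models a modified file: the checksum is simply recomputed (anyone
// can do that), while the original signature is left in place because the
// modifier does not hold the publisher's key.
func Tamper(a Artifact, newData []byte) Artifact {
	return Artifact{Data: newData, Checksum: sha256.Sum256(newData), Signature: a.Signature}
}

// Outcome collects the verification results for the scenarios below.
type Outcome struct {
	GenuineChecksumOK   bool // checksum matches the genuine file
	GenuineSignatureOK  bool // signature verifies for the genuine file
	TamperedChecksumOK  bool // recomputed checksum still "matches" the modified file
	TamperedSignatureOK bool // publisher's signature no longer verifies
	ResignedSignatureOK bool // a signature under some other key fails the origin check
}

// Demo runs the genuine / tampered / re-signed-by-another-key scenarios.
func Demo() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher's key pair
	if err != nil {
		return Outcome{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // some unrelated key
	if err != nil {
		return Outcome{}, err
	}

	// Constructed sample contents standing in for a boot.img.
	genuine := Publish(priv, []byte("constructed sample: boot.img contents v1"))
	tampered := Tamper(genuine, []byte("constructed sample: boot.img contents, modified"))
	resigned := Publish(otherPriv, tampered.Data) // valid signature, wrong signer

	return Outcome{
		GenuineChecksumOK:   ChecksumMatches(genuine),
		GenuineSignatureOK:  SignatureValid(pub, genuine),
		TamperedChecksumOK:  ChecksumMatches(tampered),
		TamperedSignatureOK: SignatureValid(pub, tampered),
		ResignedSignatureOK: SignatureValid(pub, resigned),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it shows the recomputed checksum passing on the modified contents while both the publisher's signature and the unrelated key's signature fail against the publisher's public key: a checksum alone cannot tell a genuine release from a modified one, which is the point the message makes about "undetectable changes".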