padloc/docs/checksums/linux/README.md

# Checksums (Linux)

We use file checksums (SHA-256) to verify the source code you see matches the
code served by our app. These are instructions for you to verify that too, so
you don't have to trust us.

**NOTE:** These commands are meant for Linux and should also work on macOS. For
Windows systems, we suggest you run them via WSL2.

## Verify checksums against source code

Unfortunately, because we sign our Linux builds (both via Electron and Tauri),
it's not really possible to locally build the exact same file unless you had
access to our certificates and keys. You can still see how we build them here
([via Electron](https://github.com/padloc/padloc/blob/ea05def083df89823d7c15c7bbeb6ef1a1b40383/.github/workflows/publish-release.yml#L166)
and
[via Tauri](https://github.com/padloc/padloc/blob/ea05def083df89823d7c15c7bbeb6ef1a1b40383/.github/workflows/publish-release.yml#L116)),
and see how to build unsigned ones yourself
([via Electron](https://github.com/padloc/padloc/blob/ea05def083df89823d7c15c7bbeb6ef1a1b40383/.github/workflows/build-electron.yml)
and
[via Tauri](https://github.com/padloc/padloc/blob/ea05def083df89823d7c15c7bbeb6ef1a1b40383/.github/workflows/build-tauri.yml))
, though.

## Verify what you're using has the same source code

1. Download the Electron or Tauri AppImage or deb file.

    You can do that from
    [our releases page](https://github.com/padloc/padloc/releases) or from the
    store you've downloaded it from, to make sure that wasn't tampered with in
    the process of uploading there.

2. Download the latest `sha256sum-[tauri/electron]-[appimage/deb].txt` checksum
   file:

    **NOTE**: Pick one of the options above, from `tauri` or `electron`, and
    from `appimage` or `deb`, depending on what's available for that platform.
    You can see what's available in the releases page. For the examples below,
    we'll use `tauri` and `appimage`.

    ```bash
    wget https://github.com/padloc/padloc/releases/latest/download/sha256sum-tauri-appimage.txt
    ```

3. Verify checksum matches:

    ```bash
    sha256sum -c sha256sum-tauri-appimage.txt
    ```

    You should see the `.AppImage` filename with an `OK` next to it for matching
    checksums. You'll get a warning at the end of the script if something didn't
    match.

    > **NOTE:** If there's a warning about failing to find a file, your
    > `.AppImage` file probably doesn't match what
    > `sha256sum-tauri-appimage.txt` expects, so you can change your `.AppImage`
    > file's name to `padloc_4.0.0_amd64.AppImage` (or whatever's in the file)
    > for it to be found.

    Here's an illustrative example of success:

    ```txt
    ./padloc_4.0.0_amd64.AppImage: OK
    ```

    And one with a tampered file:

    ```txt
    ./padloc_4.0.0_amd64.AppImage: FAILED
    sha256sum: WARNING: 1 computed checksum did NOT match
    ```
Checksums - Allow anyone to confirm source and delivered code (#467) * Checksums - Allow anyone to confirm source and delivered code For now this only has the initial step on making CSP stricter so we can use it to parse through used files. Very much WIP for now, but now it should just be a matter of writing up concise docs on how to go through the process, after generating and publishing the checksums via CI as well. Related to #331 * Lint! * Add more instructions and CI to build checksums. * Fix typo and lint * Remove CSP package dependency, build it manually. Update commands in docs, fix web extension release. * Tweak docs and webpack. CI still isn't producing a matching checksum, though. * Tweak docs for web checksums, add debugging in the checksum action, make it faster, temporarily. * Fix web checksum, add checksums and instructions for everything else Closes #467 * Fix tauri release + macos sha256sum * Remove .app checksum, since it's a directory and checksum'ing the .tar.gz seems strange. * Properly indent + fix sha256sum results (and windows line endings problem) * Include PWA for release, add instructions to change filenames when checksum fails. * Include _everything_ in the CSP now, and tweak the verification script and checksum build to also include everything, now. Still requires changes in the way to verify a published web app, where I'll have to write a script to parse through the whole CSP now. * Add TypeScript (Deno) script to parse through CSP and download matched files. Also update docs. * Tweak web checksum examples. * Remove content hashes from font files. * Try sorting files before adding to CSP, to enforce consistency. 2022-06-20 06:34:45 +00:00			`# Checksums (Linux)`

			`We use file checksums (SHA-256) to verify the source code you see matches the`
			`code served by our app. These are instructions for you to verify that too, so`
			`you don't have to trust us.`

			`NOTE: These commands are meant for Linux and should also work on macOS. For`
			`Windows systems, we suggest you run them via WSL2.`

			`## Verify checksums against source code`

			`Unfortunately, because we sign our Linux builds (both via Electron and Tauri),`
			`it's not really possible to locally build the exact same file unless you had`
			`access to our certificates and keys. You can still see how we build them here`
			`([via Electron](https://github.com/padloc/padloc/blob/ea05def083df89823d7c15c7bbeb6ef1a1b40383/.github/workflows/publish-release.yml#L166)`
			`and`
			`[via Tauri](https://github.com/padloc/padloc/blob/ea05def083df89823d7c15c7bbeb6ef1a1b40383/.github/workflows/publish-release.yml#L116)),`
			`and see how to build unsigned ones yourself`
			`([via Electron](https://github.com/padloc/padloc/blob/ea05def083df89823d7c15c7bbeb6ef1a1b40383/.github/workflows/build-electron.yml)`
			`and`
			`[via Tauri](https://github.com/padloc/padloc/blob/ea05def083df89823d7c15c7bbeb6ef1a1b40383/.github/workflows/build-tauri.yml))`
			`, though.`

			`## Verify what you're using has the same source code`

			`1. Download the Electron or Tauri AppImage or deb file.`

			`You can do that from`
			`[our releases page](https://github.com/padloc/padloc/releases) or from the`
			`store you've downloaded it from, to make sure that wasn't tampered with in`
			`the process of uploading there.`

			2. Download the latest `sha256sum-[tauri/electron]-[appimage/deb].txt` checksum
			`file:`

			NOTE: Pick one of the options above, from `tauri` or `electron`, and
			from `appimage` or `deb`, depending on what's available for that platform.
			`You can see what's available in the releases page. For the examples below,`
			we'll use `tauri` and `appimage`.

			```bash
			`wget https://github.com/padloc/padloc/releases/latest/download/sha256sum-tauri-appimage.txt`
			```

			`3. Verify checksum matches:`

			```bash
			`sha256sum -c sha256sum-tauri-appimage.txt`
			```

			You should see the `.AppImage` filename with an `OK` next to it for matching
			`checksums. You'll get a warning at the end of the script if something didn't`
			`match.`

			`> NOTE: If there's a warning about failing to find a file, your`
			> `.AppImage` file probably doesn't match what
			> `sha256sum-tauri-appimage.txt` expects, so you can change your `.AppImage`
			> file's name to `padloc_4.0.0_amd64.AppImage` (or whatever's in the file)
			`> for it to be found.`

			`Here's an illustrative example of success:`

			```txt
			`./padloc_4.0.0_amd64.AppImage: OK`
			```

			`And one with a tampered file:`

			```txt
			`./padloc_4.0.0_amd64.AppImage: FAILED`
			`sha256sum: WARNING: 1 computed checksum did NOT match`
			```