Merge pull request #484 from padloc/feature/edge-browser-extension
Add Edge checksum information
This commit is contained in:
commit
14fcd1bf25
|
@ -84,13 +84,13 @@ jobs:
|
|||
file: packages/extension/dist/web-ext-artifacts/padloc-${{ env.PL_VENDOR_VERSION }}.${{ env.RELEASE_BUILD }}.xpi
|
||||
asset_name: padloc-web-extension-${{ env.PL_VENDOR_VERSION }}.${{ env.RELEASE_BUILD }}.xpi
|
||||
prerelease: true
|
||||
- name: Pack for Chrome Extension
|
||||
- name: Pack for Chrome/Edge Extension
|
||||
uses: cardinalby/webext-buildtools-pack-extension-dir-action@v1
|
||||
with:
|
||||
extensionDir: packages/extension/dist
|
||||
zipFilePath: packages/extension/padloc.zip
|
||||
zipIgnore: web-ext-artifacts/**|*.xpi
|
||||
- name: Upload Unsigned Web Extension (Chrome)
|
||||
- name: Upload Unsigned Web Extension (Chrome/Edge)
|
||||
uses: svenstaro/upload-release-action@2.2.1
|
||||
with:
|
||||
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
@ -98,13 +98,13 @@ jobs:
|
|||
file: packages/extension/padloc.zip
|
||||
asset_name: padloc-web-extension-${{ env.PL_VENDOR_VERSION }}.${{ env.RELEASE_BUILD }}-unsigned.zip
|
||||
prerelease: true
|
||||
- name: Sign for Chrome
|
||||
- name: Sign for Chrome/Edge
|
||||
uses: cardinalby/webext-buildtools-chrome-crx-action@v2
|
||||
with:
|
||||
zipFilePath: packages/extension/padloc.zip
|
||||
crxFilePath: packages/extension/padloc-signed.crx
|
||||
privateKey: ${{ secrets.PL_WEB_EXTENSION_CHROME_CRX_PRIVATE_KEY }}
|
||||
- name: Upload Signed Web Extension (Chrome)
|
||||
- name: Upload Signed Web Extension (Chrome/Edge)
|
||||
uses: svenstaro/upload-release-action@2.2.1
|
||||
with:
|
||||
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
|
|
@ -12,6 +12,7 @@ In here you can find ways to verify the checksums for the different platforms:
|
|||
- [Web](web)
|
||||
- [Firefox](firefox)
|
||||
- [Chrome](chrome)
|
||||
- [Edge](edge)
|
||||
- [Android](android)
|
||||
- [iOS](ios)
|
||||
- [Linux](linux)
|
||||
|
|
|
@ -38,7 +38,7 @@ though.
|
|||
sha256sum -c sha256sum-crx.txt
|
||||
```
|
||||
|
||||
You should see the `.xpi` filename with an `OK` next to it for matching
|
||||
You should see the `.crx` filename with an `OK` next to it for matching
|
||||
checksums. You'll get a warning at the end of the script if something didn't
|
||||
match.
|
||||
|
||||
|
|
|
@ -0,0 +1,61 @@
|
|||
# Checksums (Edge)
|
||||
|
||||
We use file checksums (SHA-256) to verify the source code you see matches the
|
||||
code served by our app. These are instructions for you to verify that too, so
|
||||
you don't have to trust us.
|
||||
|
||||
**NOTE:** These commands are meant for Linux and should also work on macOS. For
|
||||
Windows systems, we suggest you run them via WSL2.
|
||||
|
||||
## Verify checksums against source code
|
||||
|
||||
Unfortunately, because we sign our Edge builds, it's not really possible to
|
||||
locally build the exact same file unless you had access to our certificates and
|
||||
keys. You can still
|
||||
[see how we build them here](https://github.com/padloc/padloc/blob/ea05def083df89823d7c15c7bbeb6ef1a1b40383/.github/workflows/publish-release.yml#L54),
|
||||
and
|
||||
[see how to build unsigned ones yourself](https://github.com/padloc/padloc/blob/ea05def083df89823d7c15c7bbeb6ef1a1b40383/.github/workflows/build-web-extension.yml),
|
||||
though.
|
||||
|
||||
## Verify what you're using has the same source code
|
||||
|
||||
1. Download the crx file.
|
||||
|
||||
You can do that from
|
||||
[our releases page](https://github.com/padloc/padloc/releases) or from the
|
||||
store you've downloaded it from, to make sure that wasn't tampered with in
|
||||
the process of uploading there.
|
||||
|
||||
2. Download the latest `sha256sum-crx.txt` checksum file:
|
||||
|
||||
```bash
|
||||
wget https://github.com/padloc/padloc/releases/latest/download/sha256sum-crx.txt
|
||||
```
|
||||
|
||||
3. Verify checksum matches:
|
||||
|
||||
```bash
|
||||
sha256sum -c sha256sum-crx.txt
|
||||
```
|
||||
|
||||
You should see the `.crx` filename with an `OK` next to it for matching
|
||||
checksums. You'll get a warning at the end of the script if something didn't
|
||||
match.
|
||||
|
||||
> **NOTE:** If there's a warning about failing to find a file, your `.crx`
|
||||
> file probably doesn't match what `sha256sum-crx.txt` expects, so you can
|
||||
> change your `.crx` file's name to `padloc-signed.crx` (or whatever's in
|
||||
> the file) for it to be found.
|
||||
|
||||
Here's an illustrative example of success:
|
||||
|
||||
```txt
|
||||
./padloc-signed.crx: OK
|
||||
```
|
||||
|
||||
And one with a tampered file:
|
||||
|
||||
```txt
|
||||
./padloc-signed.crx: FAILED
|
||||
sha256sum: WARNING: 1 computed checksum did NOT match
|
||||
```
|
Loading…
Reference in New Issue