Merge pull request #484 from padloc/feature/edge-browser-extension

Add Edge checksum information
2022-06-30 09:43:42 +01:00 · 2022-06-30 09:43:42 +01:00 · 14fcd1bf25
parent 8a2ba75e14 841d23cf58
commit 14fcd1bf25
4 changed files with 67 additions and 5 deletions
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@ -84,13 +84,13 @@ jobs:
                  file: packages/extension/dist/web-ext-artifacts/padloc-${{ env.PL_VENDOR_VERSION }}.${{ env.RELEASE_BUILD }}.xpi
                  asset_name: padloc-web-extension-${{ env.PL_VENDOR_VERSION }}.${{ env.RELEASE_BUILD }}.xpi
                  prerelease: true
-            - name: Pack for Chrome Extension
+            - name: Pack for Chrome/Edge Extension
              uses: cardinalby/webext-buildtools-pack-extension-dir-action@v1
              with:
                  extensionDir: packages/extension/dist
                  zipFilePath: packages/extension/padloc.zip
                  zipIgnore: web-ext-artifacts/**|*.xpi
-            - name: Upload Unsigned Web Extension (Chrome)
+            - name: Upload Unsigned Web Extension (Chrome/Edge)
              uses: svenstaro/upload-release-action@2.2.1
              with:
                  repo_token: ${{ secrets.GITHUB_TOKEN }}
@ -98,13 +98,13 @@ jobs:
                  file: packages/extension/padloc.zip
                  asset_name: padloc-web-extension-${{ env.PL_VENDOR_VERSION }}.${{ env.RELEASE_BUILD }}-unsigned.zip
                  prerelease: true
-            - name: Sign for Chrome
+            - name: Sign for Chrome/Edge
              uses: cardinalby/webext-buildtools-chrome-crx-action@v2
              with:
                  zipFilePath: packages/extension/padloc.zip
                  crxFilePath: packages/extension/padloc-signed.crx
                  privateKey: ${{ secrets.PL_WEB_EXTENSION_CHROME_CRX_PRIVATE_KEY }}
-            - name: Upload Signed Web Extension (Chrome)
+            - name: Upload Signed Web Extension (Chrome/Edge)
              uses: svenstaro/upload-release-action@2.2.1
              with:
                  repo_token: ${{ secrets.GITHUB_TOKEN }}
--- a/docs/checksums/README.md
+++ b/docs/checksums/README.md
@ -12,6 +12,7 @@ In here you can find ways to verify the checksums for the different platforms:
 -   [Web](web)
 -   [Firefox](firefox)
 -   [Chrome](chrome)
+-   [Edge](edge)
 -   [Android](android)
 -   [iOS](ios)
 -   [Linux](linux)
--- a/docs/checksums/chrome/README.md
+++ b/docs/checksums/chrome/README.md
@ -38,7 +38,7 @@ though.
    sha256sum -c sha256sum-crx.txt
    ```

-    You should see the `.xpi` filename with an `OK` next to it for matching
+    You should see the `.crx` filename with an `OK` next to it for matching
    checksums. You'll get a warning at the end of the script if something didn't
    match.

--- a/docs/checksums/edge/README.md
+++ b/docs/checksums/edge/README.md
@ -0,0 +1,61 @@
+# Checksums (Edge)
+
+We use file checksums (SHA-256) to verify the source code you see matches the
+code served by our app. These are instructions for you to verify that too, so
+you don't have to trust us.
+
+**NOTE:** These commands are meant for Linux and should also work on macOS. For
+Windows systems, we suggest you run them via WSL2.
+
+## Verify checksums against source code
+
+Unfortunately, because we sign our Edge builds, it's not really possible to
+locally build the exact same file unless you had access to our certificates and
+keys. You can still
+[see how we build them here](https://github.com/padloc/padloc/blob/ea05def083df89823d7c15c7bbeb6ef1a1b40383/.github/workflows/publish-release.yml#L54),
+and
+[see how to build unsigned ones yourself](https://github.com/padloc/padloc/blob/ea05def083df89823d7c15c7bbeb6ef1a1b40383/.github/workflows/build-web-extension.yml),
+though.
+
+## Verify what you're using has the same source code
+
+1. Download the crx file.
+
+    You can do that from
+    [our releases page](https://github.com/padloc/padloc/releases) or from the
+    store you've downloaded it from, to make sure that wasn't tampered with in
+    the process of uploading there.
+
+2. Download the latest `sha256sum-crx.txt` checksum file:
+
+    ```bash
+    wget https://github.com/padloc/padloc/releases/latest/download/sha256sum-crx.txt
+    ```
+
+3. Verify checksum matches:
+
+    ```bash
+    sha256sum -c sha256sum-crx.txt
+    ```
+
+    You should see the `.crx` filename with an `OK` next to it for matching
+    checksums. You'll get a warning at the end of the script if something didn't
+    match.
+
+    > **NOTE:** If there's a warning about failing to find a file, your `.crx`
+    > file probably doesn't match what `sha256sum-crx.txt` expects, so you can
+    > change your `.crx` file's name to `padloc-signed.crx` (or whatever's in
+    > the file) for it to be found.
+
+    Here's an illustrative example of success:
+
+    ```txt
+    ./padloc-signed.crx: OK
+    ```
+
+    And one with a tampered file:
+
+    ```txt
+    ./padloc-signed.crx: FAILED
+    sha256sum: WARNING: 1 computed checksum did NOT match
+    ```