pm4linux - no GPG verification

HZxIHE

pm4linux - no GPG verification

Unread post by HZxIHE » 2014-05-23, 18:14

On untarring the pminstaller.sh script, it is clear that the installer.sh file calls gwget to download the latest palemoon build (lines 208, 239) using unauthenticated http to sourceforge.

I cannot find any evidence of the integrity of this file being verified before it is installed as root. Users are therefore vulnerable to:
  • MITM at ANY hop between their host and sourceforge
  • Compromise of sourceforge
This is inexplicable to me in the face of http://www.palemoon.org/warning-fakes.shtml which asks users to verify downloads with GPG.
We have to trust the maintainer of the Linux version of Palemoon, as well as the Palemoon maintainer, as well as the maintainers of the packages used in compilation. We should not have to additionally trust sourceforge and arbitrary Internet nodes.

Can this lack of verification of the integrity of the file before installing it as _root_ be assigned as a bug?

Moonchild
Pale Moon guru

Re: pm4linux - no GPG verification

Unread post by Moonchild » 2014-05-23, 19:09

HZxIHE wrote: Can this lack of verification of the integrity of the file before installing it as _root_ be assigned as a bug?
It can be assigned as a "to-do" for the next release.
As-is we're a little short-handed for the Linux builds. If you don't trust the binaries to be delivered securely, and you think MitM or SourceForge is an actual concern, you can build Pale Moon on Linux from source, yourself, as well. It's a little less involved than Windows builds.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

HZxIHE

Re: pm4linux - no GPG verification

Unread post by HZxIHE » 2014-05-23, 19:20

Thank you for your response and for PaleMoon - I am switching away from Firefox due to the inclusion of DRM.

Compromise of sourceforge, any of the sourceforge mirrors, or MITM at any hop (including transparent HTTP proxies at ISPs) is a legitimate concern.
Especially when you are installing software which wants root access. I cannot find the digital signatures for the source code on your public FTP.

Your average 15 year old script kiddie could MITM a PM download in Starbucks with a compromised binary.

The main Linux distros verify signatures of all software passing through the package manager. This is sensible. If you would like to work with the Fedora, Debian, etc repo maintainers this would be the best way for *nix users to get PM. At a bare minimum though, any binaries offered should be digitally signed, ideally with a GPG key we should be able to trust. For example, your GPG key should be signed by and trusted by as many people as possible.

I'm aware this is open source, so I should be volunteering time / skills where possible rather than just making requests. Obviously I'm not in a position to do anything useful like sign the binaries however.
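What the two posts above ask for, as an added example that is not pm4linux's or Pale Moon's own installer code: fetch the archive and a detached GPG signature over HTTPS, verify the signature against a pinned signing-key fingerprint, and unpack only after that succeeds. wget, the ".asc" naming, the destination directory and the fingerprint are assumptions, not values from this thread.

```shell
#!/bin/sh
# Added example, not pm4linux's installer. Download a release archive plus
# its detached GPG signature over HTTPS, verify the signature against a
# pinned key fingerprint, and only then unpack it. wget, the archive+".asc"
# URL layout and the destination directory are assumptions.
set -eu

# Fail closed on anything that is not HTTPS; the thread's complaint is that
# the installer pulls the build over plain http, which any hop can rewrite.
require_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# Verify archive $1 against detached signature $2 using the keyring in
# GNUPGHOME $3. A clean gpg exit status is not enough: any key that happens
# to be in the keyring would satisfy it, so additionally require a VALIDSIG
# status line naming the pinned fingerprint $4 (as the signing key, or as
# the primary key that owns the signing subkey).
verify_detached_sig() {
    archive=$1; sig=$2; gnupghome=$3; pinned_fpr=$4
    status=$(GNUPGHOME="$gnupghome" gpg --batch --status-fd 1 \
        --verify "$sig" "$archive" 2>/dev/null) || {
        echo "gpg rejected the signature on $archive" >&2; return 1; }
    printf '%s\n' "$status" |
        grep -Eq "^\[GNUPG:\] VALIDSIG ($pinned_fpr |.* $pinned_fpr\$)" || {
        echo "signature was not made by pinned key $pinned_fpr" >&2; return 1; }
}

# Download, verify, install. Nothing is extracted (so nothing would later be
# run as root) until verify_detached_sig has passed.
fetch_verify_install() {
    url=$1; gnupghome=$2; pinned_fpr=$3; dest=$4
    require_https_url "$url"
    workdir=$(mktemp -d)
    wget -q -O "$workdir/release.tar.bz2" "$url"
    wget -q -O "$workdir/release.tar.bz2.asc" "$url.asc"
    verify_detached_sig "$workdir/release.tar.bz2" \
        "$workdir/release.tar.bz2.asc" "$gnupghome" "$pinned_fpr"
    tar -xjf "$workdir/release.tar.bz2" -C "$dest"
    rm -rf "$workdir"
}
```

Call it as `fetch_verify_install https://HOST/palemoon.tar.bz2 ~/.gnupg FINGERPRINT /opt` after importing the maintainer's key into that keyring; the fingerprint should come from an out-of-band source (the key signatures HZxIHE mentions), not from the same download site.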

Moonchild
Pale Moon guru

Re: pm4linux - no GPG verification

Unread post by Moonchild » 2014-05-23, 19:26

I'll get a gpg sig on the FTP in a minute. -- done.

MitM is not that easy, unless you're already on a local net that is untrusted, by the way. As the name says, the attacker has to be literally "in the middle".
HZxIHE wrote: For example, your GPG key should be signed by and trusted by as many people as possible.
Feel free to sign it. :)

HZxIHE

Re: pm4linux - no GPG verification

Unread post by HZxIHE » 2014-05-23, 19:43

That is most prompt and helpful. Thank you.
Building my own from source now.
