Create Signed Releases #2435

Closed
@whoabuddy

Description

Is your feature request related to a problem? Please describe.

It would be nice if the stacks-blockchain releases were signed, similar to what is seen with Bitcoin Core.

Describe the solution you'd like

There are two things that would need to be established:

  • the list of approved signers
  • the workflow for release signatures

In the method described here by Debian, it would require someone to download the release, verify the release, sign it, then upload the detached signature to the GitHub release page.

This is less ideal as it relies on one approved signer, but the added security would allow for other websites to reliably host downloads and provide release information, leading to further decentralization.

Describe alternatives you've considered

I am sure there are other methods and may be some missing steps listed above, but at the very least, I wanted to put this idea out there and find the correct road to implementation.

Bitcoin uses Gitian as "a secure source-control oriented software distribution method," with a documented release process, a repository of signed releases, and documentation for their Gitian building process.

Additional context

CoinDesk released an article in January covering some of the challenges around decentralizing the core development of Bitcoin, and Stacks is in a great position to balance control between the Stacks Internet Open Foundation and other ecosystem entities involved in core development.

Since verifying the signature is not required, this would have no impact on existing miners.

There may be an interesting use case to host the releases using Gaia storage, either through a domain linked to Runkod as a service, or through a direct link to the release and/or signature on a Gaia hub.

There was a phishing attempt via blockstack[dot]live over Discord that appeared twice, cloning both the blockstack.org and stacks.org website in order to trick users into downloading a Windows executable with a possible remote access trojan.
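As an added example (not code from the original issue or from the stacks-blockchain project), the verification half of the workflow described above, in the Bitcoin Core style: a `SHA256SUMS` file listing the release artifacts, a detached `SHA256SUMS.asc` signature from an approved signer, and a downloader that checks the signature against a pinned list of signer fingerprints before trusting any checksum. The artifact name, the trusted-fingerprint list and the demo release bytes are assumptions constructed for the example; `gpg` is invoked as an external tool and is only needed by `verify_detached_signature`, not by the offline demo.

```python
"""Verify a signed release: SHA256SUMS (checksums) + SHA256SUMS.asc (detached signature).

Added example, not stacks-blockchain code. The release file name, the approved
signer fingerprints and the demo bytes below are assumptions/constructed data.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def parse_sha256sums(text):
    """Parse sha256sum(1) output: one '<64 hex>  <filename>' entry per line.
    Malformed lines are an error rather than silently skipped, so a truncated or
    corrupted checksum file fails closed instead of verifying fewer files."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"SHA256SUMS line {lineno}: malformed entry {raw!r}")
        digest, name = parts[0].lower(), parts[1]
        if name.startswith("*"):          # sha256sum's binary-mode marker
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"SHA256SUMS line {lineno}: bad digest for {name}")
        if name in entries:
            raise ValueError(f"SHA256SUMS line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_checksum(sums_path, artifact_path):
    """Return (ok, reason). Matches on basename, as `sha256sum -c` would."""
    entries = parse_sha256sums(Path(sums_path).read_text())
    name = Path(artifact_path).name
    if name not in entries:
        return False, f"{name} is not listed in {Path(sums_path).name}"
    if not hmac.compare_digest(sha256_file(artifact_path), entries[name]):
        return False, f"checksum mismatch for {name}"
    return True, f"checksum ok for {name}"


def verify_detached_signature(sums_path, sig_path, trusted_fingerprints, gnupghome=None):
    """Return (ok, reason) after `gpg --verify`. A zero exit status is NOT enough:
    gpg exits 0 for a good signature from *any* key in the local keyring, so the
    signing key is pinned to the approved-signer fingerprint list."""
    env = dict(os.environ)
    if gnupghome:
        env["GNUPGHOME"] = gnupghome
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path), str(sums_path)],
        capture_output=True, text=True, env=env)
    signer = None
    for line in proc.stdout.splitlines():
        # VALIDSIG is emitted only for cryptographically good signatures; its last
        # field is the primary key fingerprint (release signatures are often made
        # with a subkey, so the first fingerprint field may differ).
        if line.startswith("[GNUPG:] VALIDSIG "):
            signer = line.split()[-1].upper()
    if proc.returncode != 0 or signer is None:
        return False, "bad or missing signature"
    wanted = {fpr.replace(" ", "").upper() for fpr in trusted_fingerprints}
    if signer not in wanted:
        return False, f"signed by untrusted key {signer}"
    return True, f"signed by approved key {signer}"


def verify_release(artifact, sums, sig, trusted_fingerprints, gnupghome=None):
    """Signature first, then checksum: an unsigned SHA256SUMS proves nothing."""
    ok, why = verify_detached_signature(sums, sig, trusted_fingerprints, gnupghome)
    if not ok:
        return False, why
    return verify_checksum(sums, artifact)


def demo_checksums():
    """Offline demo on constructed files (no gpg needed): good, tampered, unlisted."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        good = d / "stacks-node-linux-x64.tar.gz"        # assumed artifact name
        good.write_bytes(b"constructed release bytes, not a real build\n")
        tampered_dir = d / "tampered"
        tampered_dir.mkdir()
        (tampered_dir / good.name).write_bytes(good.read_bytes() + b"X")
        unlisted = d / "extra.tar.gz"
        unlisted.write_bytes(b"")
        sums = d / "SHA256SUMS"
        sums.write_text(f"{sha256_file(good)}  {good.name}\n")
        return {
            "good": verify_checksum(sums, good)[0],
            "tampered": verify_checksum(sums, tampered_dir / good.name)[0],
            "unlisted": verify_checksum(sums, unlisted)[0],
        }


if __name__ == "__main__":
    print(demo_checksums())
```

In a real download script `verify_release` would be called with the fingerprints of the approved signers the issue asks to establish, imported into a dedicated `GNUPGHOME` so that an unrelated key in the user's keyring cannot satisfy the check; the checksum file is signed rather than each binary so that one signature covers every platform build.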
