Verifying the security of your download

When you download a copy of CoyIM, how do you as a user know that no-one has modified it in the process? Since CoyIM is open source, in theory, you can read the full source code and make sure that it doesn’t do anything malicious. But how do you make sure that the downloads we offer are actually built from the same source code as you are reading? And what if someone has infected the build servers? These kinds of “supply chain attacks” are getting more common. We saw some of them during 2021 with the Solarwinds attack, for example. So how does CoyIM protect against these issues?

Let’s begin with the easiest one. The integrity of the files you download can be checked against a checksum. For each file, we will generate a hash using the SHA-256 algorithm, and then publish that checksum. You will be able to find the checksum on the Download page on the website, and you will also be able to find it on the Releases page of Github. Here, each downloadable file will have another file, ending in _checksum which contains this hash value.

If you are technically minded, you can also see the build process we use to create these releases. The definitions for them are included in the same source code as we use for the software itself. We use Github Actions for all builds, except the release builds for macOS - where we use Travis. In the source repository, you can find the .travis.yml and .github files/directories, which gives the instructions for how the builds will happen. Now, this is obviously not enough. Maybe we tampered with the releases after the build finished. Or maybe Github or Travis did something nefarious to the builds. There are many places where things can go wrong, and with security we want to reduce these risks as much as possible. We don’t want to have to trust Github, or anyone else.

If you’ve have been around security people for some time, you might wonder if we are using digital signatures to protect our downloads. The answer is no - not in the traditional way. Because we would still be in the same situation. Github could still do something bad. And you would have to trust the person doing the signature. So what is the solution to this problem? It is something called reproducible builds.

The basic idea is that every time you build the same source code, you get exactly the same binary. But how does that help? Basically, when we build a release version, Github Actions will build it using the reproducible mode. It will then publish a file that ends in _build_info. Currently, the Linux build will have the name coyim_linux_amd64_build_info. This file contains information about which version was built, and the hash for the resulting file. So far, that doesn’t really give you anything, since it’s really just the same as a hash. But if you’re wondering whether the build can be trusted, you can run the reproducible build on your own machine from the same commit. And then you can compare the the build_info file this gives you with the build information that is published as part of the release. If they differ, you have proof that something bad is happening. If they are the same, you have a strong indication that the release can be trusted. And what’s even better, once you have done this you can sign your build_info file and send this signature to the project. The CoyIM project can publish this signature, and others received. And then, when a new person wants to download the release, they can download these signatures and check them against the download as well. By following this process, you distribute the trust. You don’t have to trust any single person, but if you have enough signatures that can give you some certainty that the build can actually be trusted. For the moment, CoyIM only supports reproducible builds for Linux, but this is something we are planning to improve in the future.

All of these issues are only applicable if you download CoyIM from our website or from Github. But many people will install CoyIM from their package managers. If this is the case, you can simply trust the package managers instead. In general, they take care of things such as checksums and signatures. And yes, there’s still a possibility that they are out to get you - but since the package managers are used for almost everything installed on your computer, you have no chance protecting against that kind of attack.