Topic: Tutanota email client
I am considering downloading and using the Tutanota email client for Linux. I am a bit reluctant to do so because I have always wanted to keep my Hyperbola system free from any software not available in the official repositories.
When reading how to verify the downloaded file of the email client, I find that the process is different from the one I am accustomed to with gpg:
 * Utility to codesign the finished Installers.
 * This enables the App to verify the authenticity of the Updates, and
 * enables the User to verify the authenticity of their manually downloaded
 * Installer with the openssl utility.
 *
 * The installer signatures are provided as separate files:
 * https://mail.tutanota.com/desktop/tutanota-desktop-win-sig.bin (for Windows)
 * https://mail.tutanota.com/desktop/tutanota-desktop-mac-sig.bin (for Mac)
 * https://mail.tutanota.com/desktop/tutanota-desktop-linux-sig.bin (for Linux)
 *
 * They allow verifying the initial download via
 *
 * # get public key from github
 * wget https://raw.githubusercontent.com/tutao/tutanota/electron-client/tutao-pub.pem
 * or
 * curl https://raw.githubusercontent.com/tutao/tutanota/electron-client/tutao-pub.pem > tutao-pub.pem
 * # validate the signature against public key
 * openssl dgst -sha512 -verify tutao-pub.pem -signature signature.bin tutanota.installer.ext
 *
 * openssl should Print 'Verified OK' after the second command if the signature matches the certificate
 *
 * This prevents an attacker from getting forged Installers/updates installed/applied
 *
 * get pem cert from pfx:
 * openssl pkcs12 -in comodo-codesign.pfx -clcerts -nokeys -out tutao-cert.pem
 *
 * get private key from pfx:
 * openssl pkcs12 -in comodo-codesign.pfx -nocerts -out tutao.pem
 *
 * get public key from pem cert:
 * openssl x509 -pubkey -noout -in tutao-cert.pem > tutao-pub.pem
 *
 */
Honestly, I do not understand anything. Should I get the "pem cert" and private key from the pfx, along with the public key from the cert, before doing "openssl dgst -sha512 -verify ..."? That is, should I try the last two commands before trying the first three? Does anyone have any idea about this?
I wish everything was as simple as installing directly from the Hyperbola repositories, as I did with the mobile app when downloading it from F-Droid, but I guess it is just something personal and that there might not be a real demand for that package to be considered for being effectively uploaded to the repositories. Another point that plays against a hypothetical inclusion would be the fact that the desktop client is still in beta version.
Anyway, I leave here my suggestion for the case that in the future there is a real demand for it.
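The quoted comment describes two separate roles: the pfx/x509 commands at the end are how the publisher extracts its signing key, while a downloader only needs the public key, the detached signature file and the installer for the "openssl dgst -sha512 -verify" step. The script below is an added example, not Tutanota's code or the poster's: it reproduces that check end to end with a locally generated throwaway RSA key pair (demo-priv.pem, demo-pub.pem) and a constructed stand-in installer, so the real tutao-pub.pem and the real *-sig.bin downloads are not needed; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: a Tutanota-style detached-signature check, with the publisher
# side and the user side kept apart. File names are placeholders for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# --- Publisher side ---------------------------------------------------------
# The comment's pkcs12/x509 commands pull the key pair out of a code-signing
# .pfx; here a fresh RSA key pair stands in for it.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out demo-priv.pem 2>/dev/null
openssl pkey -in demo-priv.pem -pubout -out demo-pub.pem

# Constructed stand-in for the installer, plus the detached signature that
# would be shipped next to it (the role of tutanota-desktop-linux-sig.bin).
printf 'constructed installer bytes\n' > installer.bin
openssl dgst -sha512 -sign demo-priv.pem -out sig.bin installer.bin

# --- User side --------------------------------------------------------------
# Exactly the verify command from the comment. Returns 0 only when openssl
# reports "Verified OK"; any other output (including errors) is a failure.
verify_installer() {
    pub=$1; sig=$2; file=$3
    out=$(openssl dgst -sha512 -verify "$pub" -signature "$sig" "$file" 2>&1) || true
    [ "$out" = "Verified OK" ]
}

# The genuine download verifies against the public key.
verify_installer demo-pub.pem sig.bin installer.bin && echo "genuine: Verified OK"

# A single changed byte in the installer makes the same signature fail, which
# is the forged-installer case the comment says the check prevents.
printf 'constructed installer Bytes\n' > tampered.bin
if verify_installer demo-pub.pem sig.bin tampered.bin; then
    echo "tampered: unexpectedly verified"; exit 1
else
    echo "tampered: verification failed as expected"
fi
```

Only the public key needs to come from a trusted source (the comment fetches it from the project's GitHub repository); the private key never leaves the publisher, so the pkcs12 steps are not part of the download check.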