• [Proposal] how to additionally extra sign your developed .apks

    From Stefan Claas@noreply@oc2mx.net to comp.mobile.android on Thu Mar 12 13:21:31 2026
    From Newsgroup: comp.mobile.android

    Hi all,

    If you are a software developer or maintainer of .apk files,
    you may appreciate the release of yubisigner v0.1.1 desktop,
    which allows you to detach sign your .apk files, so that third
    parties know the .apks are really from you, when presented on
    websites.

    The advantage of yubisigner, compared to GnuPG and signify-openbsd
    is that you can't fake the comment header, as can be done with GnuPG
    or signify-openbsd, because it uses strict header validation.

    For creating detached signatures you need a YubiKey, and the detached
    signatures also include four popular hashes, so that people without
    yubisigner can validate computed hashes with their favorite hashing tool.

    Verifying yubisigner .sig files does not require a YubiKey, nor collecting
    the public signing keys of the .apks' authors.

    Please take a look at yubisigner and if you find it useful leave a comment.

    Important! If you look under Releases you will also find besides the
    .sig files .ots files which are time stamping files from opentimestamps.org.

    Additionally I have also included my yubisigner signing certificate in a .pdf, which is eIDAS certified and time stamped too, so that users of my software know it is really from me. :-)

    I do not know if developers outside the EU have something similar to eIDAS, but I think this could be an excellent workflow for releasing software,
    when using yubisigner with opentimestamps.org and eIDAS certification.

    Hope you like my proposal!

    https://github.com/Ch1ffrepunk/yubisigner.

    Regards
    Stefan
    --
    https://oc2mx.net
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Stefan Claas@noreply@oc2mx.net to comp.mobile.android on Fri Mar 13 20:12:25 2026
    From Newsgroup: comp.mobile.android

    Stefan Claas wrote:

    Hi all,

    If you are a software developer or maintainer of .apk files,
    you may appreciate the release of yubisigner v0.1.1 desktop,
    which allows you to detach sign your .apk files, so that third
    parties know the .apks are really from you, when presented on
    websites.

    The advantage of yubisigner, compared to GnuPG and signify-openbsd
    is that you can't fake the comment header, as can be done with GnuPG
    or signify-openbsd, because it uses strict header validation.

    For creating detached signatures you need a YubiKey, and the detached signatures also include four popular hashes, so that people without yubisigner can validate computed hashes with their favorite hashing tool.

    Verifying yubisigner .sig files does not require a YubiKey, nor collecting the public signing keys of the .apks' authors.

    Please take a look at yubisigner and if you find it useful leave a comment.

    Important! If you look under Releases you will also find besides the
    .sig files .ots files which are time stamping files from opentimestamps.org.

    Additionally I have also included my yubisigner signing certificate in a .pdf, which is eIDAS certified and time stamped too, so that users of my software know it is really from me. :-)

    I do not know if developers outside the EU have something similar to eIDAS, but I think this could be an excellent workflow for releasing software,
    when using yubisigner with opentimestamps.org and eIDAS certification.

    Hope you like my proposal!

    https://github.com/Ch1ffrepunk/yubisigner.

    yubisigner v0.1.2 released, which now has a CMT (Create Merkle Tree) and
    VMT (Verify Merkle Tree) button. This is very useful for the source code repository, so that third parties cannot modify the source code, where
    the merkle-tree.txt file should be signed with yubisigner too and also additionally time stamped. This makes yubisigner probably the best signing
    tool currently available.

    https://github.com/Ch1ffr3punk/yubisigner

    Hope you like!

    https://oc2mx.net
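An added illustration of what the CMT/VMT step described above can look like; this is not yubisigner's own code or file format (the posts do not describe it). It builds a manifest of path-bound SHA-256 leaf hashes plus a Merkle root over a source tree, then checks a working copy against that manifest and reports modified, missing and unexpected files. The manifest layout, the `leaf`/`node` domain separation and the SAMPLE_REPO contents are constructed assumptions.

```python
import hashlib
from typing import Dict, List


def leaf_hash(path: str, data: bytes) -> str:
    """Hash of one file, domain-separated and bound to its path (renames change the leaf)."""
    return hashlib.sha256(b"leaf\0" + path.encode() + b"\0" + data).hexdigest()


def merkle_root(leaves: List[str]) -> str:
    """Fold hex leaf hashes up to one root; an odd level duplicates its last node."""
    level = list(leaves) or [hashlib.sha256(b"empty").hexdigest()]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(b"node\0" + bytes.fromhex(level[i] + level[i + 1])).hexdigest()
                 for i in range(0, len(level), 2)]
    return level[0]


def create_merkle_tree(files: Dict[str, bytes]) -> str:
    """Manifest text (assumed layout): one 'leafhash  path' line per file, then 'root  hash'.
    The whole manifest is what gets detached-signed and time stamped downstream."""
    entries = [(leaf_hash(p, files[p]), p) for p in sorted(files)]
    body = "".join(f"{h}  {p}\n" for h, p in entries)
    return body + f"root  {merkle_root([h for h, _ in entries])}\n"


def verify_merkle_tree(files: Dict[str, bytes], manifest: str) -> List[str]:
    """Return findings for a working copy against a manifest; [] means it verified."""
    findings: List[str] = []
    recorded: Dict[str, str] = {}  # path -> leaf hash, in manifest order
    root = None
    for line in manifest.splitlines():
        h, _, p = line.partition("  ")  # paths are assumed not to contain two spaces
        if h == "root":
            root = p
        else:
            recorded[p] = h
    # A tampered manifest line no longer folds to the recorded (signed) root.
    if root is None or merkle_root(list(recorded.values())) != root:
        findings.append("manifest: root does not match listed leaves")
    for p in sorted(set(files) | set(recorded)):
        if p not in recorded:
            findings.append(f"unexpected: {p}")
        elif p not in files:
            findings.append(f"missing: {p}")
        elif leaf_hash(p, files[p]) != recorded[p]:
            findings.append(f"modified: {p}")
    return findings


# Constructed sample repository, not a real project.
SAMPLE_REPO = {"README.md": b"# demo\n", "go.mod": b"module demo\n", "src/main.go": b"package main\n"}


def demo() -> List[str]:
    """Sign-time manifest, then a verify against a copy with one edited file."""
    manifest = create_merkle_tree(SAMPLE_REPO)
    tampered = dict(SAMPLE_REPO, **{"src/main.go": b"package main // edited\n"})
    return verify_merkle_tree(tampered, manifest)  # returns ['modified: src/main.go']
```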