Signed firmware


#1

Maybe I missed it. Is there signed firmware for release binaries? Thought I would upgrade my NitroKey Storage.
Something like gpg --verify xxxx.tar.gz.sig xxxx.tar.gz. Or at least sha sums preferably signed.

All the best
Erik


#2

Hi @ErikAdler!

Indeed we missed the signature. I will upload it today and let you know.


#3

Hi! Sorry for delay.

Here it is at v0.50 release page.
I have confirmed by second channel the firmware on Github is valid, made a signature and uploaded it along with my public GPG key (szczepan_at_nitrokey.gpg).


#4

Awesome. Thanks a lot =)


#5

BTW, manual update signature verification is error-prone and likely many people forget it/do not do so. It would be better to automate that, on Linux with LVFS, which provides a much more seaming-less solution: