Getting pgp signature to verify bitwarden deb file download

Hi,

I am looking for the signature file to verify the deb file Download for Bitwarden Desktop. Can anyone point me to it? I have tried to find it but can’t anywhere.

Thanks

You seem to be the only security-minded user here. It seems super weird that Bitwarden does not release signed binaries. Dear Bitwarden developers, why is this not already part of your security best practices?

1 Like

I’m not that familiar with signed binaries. What is the risk of using an unsigned binary if I download the file directly from the Bitwarden website?

That someone will deliver you a malicious binary and gain access to all your data. If developers signed locally on their devices before publishing (as any sane developer who cares even a little bit about security does), there would be no need to trust the infrastructure (download sources, website, etc.) itself.

It seems like some kind of sick joke that a password management product by a company that claims to be security conscious would not provide ANY kind of download safeguard for their linux downloads.

I have been online long enough to see dozens of instances when websites get exploited and download links get altered to feed malicious versions to users. It is SO TRIVIAL to mitigate this risk by simply digitally signing the files. You could implement it in MINUTES.

If you don’t want to do this, at least separately host a published SHA256 hash of the authentic file so we can at least verify the integrity of the original file even if you won’t allow us to sleep well enough to know your product is the actual file you intended us to be running.

Hi @0x77696c6c,

thanks for the feedback. Just to note that SHA256 checksums are already available on all GitHub released binaries: Release Desktop v2025.6.1 · bitwarden/clients · GitHub
These are all artefacts that are used for publishing (download from our website or stores).

Previously this was shared via a separate sha256-checksums.txt in that same space as seen on: Release Desktop v2025.5.1 · bitwarden/clients · GitHub

I have already informed the team to update the help site portion explaining how to validate a release artefact.

Kind regards,
Daniel
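As an added illustration (not code from the thread or from Bitwarden), this is the check a user would run against the kind of per-release checksum list Daniel describes: a downloaded artefact and a `sha256-checksums.txt` with one `<hex>  <filename>` line per file. It verifies integrity only; how much that proves depends on where the checksum list came from, which is the point the later replies argue about. The file names, contents and the `--demo` flag are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Bitwarden project. Verifies that a downloaded
# artefact matches the SHA-256 entry for its file name in a checksum list.

# Print the lowercase SHA-256 hex digest of a file (coreutils or BSD fallback).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print tolower($1) }'
  else
    shasum -a 256 "$1" | awk '{ print tolower($1) }'
  fi
}

# verify_sha256 <artefact> <checksum-list>
# Returns 0 on match, 1 on mismatch, 2 if the list has no entry for the file.
# Accepts both "hex  name" and "hex *name" (binary-mode) line formats.
verify_sha256() {
  file="$1"
  checksums="$2"
  name=$(basename "$file")
  expected=$(awk -v n="$name" '
    { f = $2; sub(/^\*/, "", f) }
    f == n { print tolower($1) }' "$checksums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $checksums" >&2
    return 2
  fi
  actual=$(hash_file "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name"
    return 0
  fi
  echo "MISMATCH: $name expected=$expected actual=$actual" >&2
  return 1
}

# Demo with constructed files: a fake .deb, its genuine checksum list,
# then a tampered copy of the .deb that must fail the check.
demo() {
  tmp=$(mktemp -d)
  printf 'constructed placeholder for a .deb payload\n' > "$tmp/Bitwarden-demo.deb"
  printf '%s  Bitwarden-demo.deb\n' "$(hash_file "$tmp/Bitwarden-demo.deb")" \
    > "$tmp/sha256-checksums.txt"
  verify_sha256 "$tmp/Bitwarden-demo.deb" "$tmp/sha256-checksums.txt"
  printf 'appended by an attacker\n' >> "$tmp/Bitwarden-demo.deb"
  verify_sha256 "$tmp/Bitwarden-demo.deb" "$tmp/sha256-checksums.txt" || echo "tampering detected (exit $?)"
  rm -rf "$tmp"
}

case "${1-}" in
  --demo) demo ;;
esac
```

Run it as `sh verify.sh --demo` to see a genuine file pass and a tampered one fail. Matching on the file name rather than `sha256sum -c` over the whole list means one entry can be checked even when the other listed artefacts were never downloaded.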

Especially for the desktop apps, this should probably also be added on https://bitwarden.com/download/#downloads-desktop as the installers can also be downloaded there directly.

Good idea, I’ve also passed your feedback on to the team.

1 Like

OK, better than nothing - but not enough.

The reason we do not use hashes for this job is that if an attacker has access to intercept and modify the link or the file, then they presumably also have access to intercept or modify the file that says what the “hash should be”.

Since you host both of these in the same place, it's even more likely this isn't meaningful in risk terms.

When will you do the decent thing and implement signatures? Or if you wish to continue spending more time than it would take to just implement signatures on less useful ideas, at the very least, host the hashes somewhere else and have that location outside of your dev pipeline.

I am 100% on this: there HAS TO BE PGP AND THE HASHES HAVE TO BE ON ANOTHER WEBSITE. Maybe add the hashes to a tweet on their Twitter account or the dev's, etc. BUT it would be much, much more secure to sign with a PGP key. It can be a Hashes.txt file with all the hashes or directly on each version of the software files. It has been 3 MONTHS!! And no answer… Their intentions are clear here.

They do all the hard work of creating software that works and all that, but they don't cross the finish line and give up one step before it…