The Bitwarden security model follows a zero-knowledge architecture, which is great for security because a user does not have to trust the infrastructure. Following this idea, it makes sense to sign the release binaries with a trusted developer key.
Why isn’t this already part of Bitwarden’s security best practices?
PGP could be used or the more sleek signify.
What is this? The certificate of the Bitwarden website? I talking about signatures for the binary releases not the web page!
I think the .deb and .rpm binaries missing signatures. Can you please check?
I’m never certain without the AppImage tool but I can’t see a signature on the Appimage, so the Linux desktop app does not appear signed in any of it’s 3 packages.
I think the Windows & Mac desktop apps and the browser addons all are signed.
You are right. However, Linux should be signed as well. This is a fundamental flaw of Bitwarden’s infrastructure.
Why are the released binaries (deb, rpm, and all others) not (PGP) signed? This is a missing best security practice and should be adopted by developers as soon as possible!
THIS. Would make it much easier to control in security focused arenas that block/trust based on binary signature.
What exactly do you mean? I am a Linux user and the only thing I would like to see is a binary signature, like even my damn Android music player developer team does. Dear Bitwarden developers, what is wrong with you?
Have you noticed that a checksum file has been included in the release assets of the latest release 2023.2.0 ?
https://github.com/bitwarden/clients/releases/download/desktop-v2023.2.0/sha256-checksums.txt
It is not quite as good a signature but, provided you trust github, you can use the SHA256 hashes to validate the package with SHA256SUM
sha256sum Bitwarden-2023.2.0-x86_64.AppImage
693c2499fd01b66a963222368d3537c6d09441e826437512e1c89fb9b9714005 Bitwarden-2023.2.0-x86_64.AppImage
Bitwarden is not just any program. BW should really be providing signed packages for Linux.
A hash isn’t a signature. Do your security homework please.