Security Improvement by Distrusting the Infrastructure - Signed Binary Releases

The Bitwarden security model follows a zero-knowledge architecture, which is great for security because a user does not have to trust the infrastructure. Following this idea, it makes sense to sign the release binaries with a trusted developer key.

Why isn’t this already part of Bitwarden’s security best practices?

PGP could be used, or the sleeker signify.

What is this? The certificate of the Bitwarden website? I'm talking about signatures for the binary releases, not the web page!

Images already have digital signatures.

I think the .deb and .rpm binaries are missing signatures. Can you please check?

I’m never certain without the AppImage tool, but I can’t see a signature on the AppImage, so the Linux desktop app does not appear signed in any of its 3 packages.
I think the Windows & Mac desktop apps and the browser addons all are signed.

You are right. However, Linux should be signed as well. This is a fundamental flaw of Bitwarden’s infrastructure.

Why are the released binaries (deb, rpm, and all others) not (PGP) signed? This is a missing best security practice and should be adopted by developers as soon as possible!


THIS. Would make it much easier to control in security focused arenas that block/trust based on binary signature.

What exactly do you mean? I am a Linux user and the only thing I would like to see is a binary signature, like even my damn Android music player developer team does. Dear Bitwarden developers, what is wrong with you?

Have you noticed that a checksum file has been included in the release assets of the latest release 2023.2.0?
https://github.com/bitwarden/clients/releases/download/desktop-v2023.2.0/sha256-checksums.txt

It is not quite as good as a signature, but, provided you trust GitHub, you can use the SHA256 hashes to validate the package with sha256sum:

sha256sum Bitwarden-2023.2.0-x86_64.AppImage 
693c2499fd01b66a963222368d3537c6d09441e826437512e1c89fb9b9714005  Bitwarden-2023.2.0-x86_64.AppImage

Bitwarden is not just any program. BW should really be providing signed packages for Linux.

A hash isn’t a signature. Do your security homework please.
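The two posts above (the sha256sum check against the published checksum list, and the objection that a hash is not a signature) can be put side by side in a script. The following is an added example, not Bitwarden's release tooling or anything from the linked release: it builds a constructed release asset, a checksum list in the same shape as sha256-checksums.txt, and a detached signature over that list, then shows which of the two client-side checks survives an attacker who controls the download location. It assumes sha256sum and openssl are on PATH; openssl's RSA signature stands in for the PGP or signify signature the thread asks for, and all file names and the key pair are made up here.

```shell
#!/bin/sh
# Added example (not Bitwarden's release tooling): checksum list vs. detached signature.
# Assumes sha256sum and openssl on PATH. The asset, key pair and checksum list are all
# constructed in a temporary directory; openssl RSA stands in for PGP/signify.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Publisher side: build a (constructed) asset, its checksum list, and sign the list.
# publisher.key stays with the publisher; only publisher.pub is distributed to users.
setup_release() {
    printf 'constructed release payload, version 1\n' > Bitwarden-x86_64.AppImage
    sha256sum Bitwarden-x86_64.AppImage > sha256-checksums.txt
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out publisher.key 2>/dev/null
    openssl pkey -in publisher.key -pubout -out publisher.pub 2>/dev/null
    openssl dgst -sha256 -sign publisher.key -out sha256-checksums.txt.sig sha256-checksums.txt
}

# Client side, check 1: does every listed asset match its hash in the checksum list?
# Exit status 0 = all hashes match, non-zero = at least one mismatch.
verify_checksum() {
    sha256sum -c "$1" >/dev/null 2>&1
}

# Client side, check 2: was this exact checksum list signed by the holder of publisher.key?
# Exit status 0 = signature valid for the file as it is now, non-zero = invalid.
verify_signature() {
    openssl dgst -sha256 -verify publisher.pub -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Failure mode raised in the thread: whoever controls the download location can replace
# the asset AND regenerate the checksum list, because hashing needs no secret. The
# detached signature cannot be regenerated without publisher.key, so it goes stale.
tamper_release() {
    printf 'constructed payload, replaced on the download server\n' > Bitwarden-x86_64.AppImage
    sha256sum Bitwarden-x86_64.AppImage > sha256-checksums.txt
}

# Print OK/FAILED for a check without aborting the script under set -e.
report() {
    if "$@"; then echo "$1: OK"; else echo "$1: FAILED"; fi
}

setup_release
echo "== genuine release =="
report verify_checksum sha256-checksums.txt     # OK
report verify_signature sha256-checksums.txt    # OK

tamper_release
echo "== asset and checksum list both replaced =="
report verify_checksum sha256-checksums.txt     # OK: the hash alone proves nothing here
report verify_signature sha256-checksums.txt    # FAILED: only the signature catches it
```

The checksum list only guards against a corrupted or truncated download; it says nothing about who published the file, because anyone who can replace the asset can also replace the list beside it. The signature binds the list to a key the user obtained out of band, which is the property the thread is asking Bitwarden to provide for the .deb, .rpm and AppImage packages.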

Given that this is a security product all binaries really need to be signed by a trusted key. I’m shocked this hasn’t been addressed in the last 8 months. Does anyone know who the Bitwarden release engineer is and how to contact them?