Request for Security Issue: Installer downloads the actual compiled files instead of being a full installer

[astrometrics]

I believe it makes it difficult to check signatures, hashes that are being installed... that's potentially dangerous in my opinion. Another option would be to make it possible to audit exactly what's being installed.

[bsclifton]

I believe we have this captured with #5830

There is still work needing to be done on the Chromium build to ensure that a compile always produces the same results. But once that is available, it should be easy to audit the code being built 😄

[astrometrics]

Hi, I'd say that's halfway of what i wrote. The deterministic build signature is a good thing, but I'd say Brave should aim to include the tools to check the checksums (with a list of compiled files their actual checksums/signatures versus what's published by Brave) as part of the install/update process. That would be a new feature that would show the attention to detail in regards to security.

[bsclifton]

ah ok - thanks for clarifying 😄

[rebron]

cc: @mbacchi Agree with priority label on this one?

[mbacchi]

cc: @mbacchi Agree with priority label on this one?

This is an interesting request, but would require a solution that takes the Chromium deterministic build to another level, and more difficult. For instance, the fact that we sign the binaries on Windows and Mac means the checksums are now different than the raw binaries produced during the build. This would show a divergence from the binaries that a user might produce on their own machine, unless we generated the checksum prior to signing.

I think the priority is accurate as it would require significant effort to implement.

[astrometrics]

Hi, I'd say that's halfway of what i wrote. The deterministic build signature is a good thing, but I'd say Brave should aim to include the tools to check the checksums (with a list of compiled files their actual checksums/signatures versus what's published by Brave) as part of the install/update process. That would be a new feature that would show the attention to detail in regards to security.

[bsclifton]

ah ok - thanks for clarifying 😄

[rebron]

cc: @mbacchi Agree with priority label on this one?

[mbacchi]

cc: @mbacchi Agree with priority label on this one?

This is an interesting request, but would require a solution that takes the Chromium deterministic build to another level, and more difficult. For instance, the fact that we sign the binaries on Windows and Mac means the checksums are now different than the raw binaries produced during the build. This would show a divergence from the binaries that a user might produce on their own machine, unless we generated the checksum prior to signing.

I think the priority is accurate as it would require significant effort to implement.

[astrometrics]

The visibility for the final user should probably be in Settings/About Brave or something like that. There should be a list of the local DLLs, EXEs, etc and their SHA256 (or something similar) versus the ones published by Brave for that platform. Also there should be the URL with the signatures published by brave and instructions to check yourself how to check the local files... you get the drift. A less technical person or a person less involved with Brave browser lifecycle could then check the object files themselves if they wanted to.
There's also the issue the installer is a "shallow one" that seems to actually download compiled files to the local computer... Why now a full "immutable" installer? Why not a portable solution (with no installer at all, the full program provided as a zip file) provided by Brave (not by someone like portableapps)?

[astrometrics]

That kind of rigour may be important specially nowadays as things like automatic updates could be instrumentalized to use fingerprinting versus "special updates" for "users of interest". That could be real a risk for Brave and for the userbase.

[pAulseperformance]

Is this why there are no hash signatures included in the brave downloads? I've been looking everywhere for signatures. MD1, sha256 etc.

[mihaiplesa]

Thanks to @oajara you can now see checksums added for each binary in GitHub releases as in https://github.com/brave/brave-browser/releases/tag/v1.42.57