Sounds like a trust on first use scheme so that you get a public key from the distributor, and use that to verify the application bundle on subsequent use. I actually do like this because it solves for a paranoia I have with password managers, in that they can claim all they want that decryption happens clientside but they're serving me a JavaScript bundle and how am I supposed to believe that isn't changed on the fly via supply chain attack? So at least this adds a step that the application code that is delivered from the server must be signed by the author.
Edit: client is source-available (nonfree), I actually hadn't come across npm verify, so thanks for that
Exactly! And just to clarify, the `verify` script is a Cyph feature that I added to allow comparing a local reproducible build against the production build, not a general npm feature. Running `npm run verify` in any random JS project won't do anything unless the project happens to have a script configured with that name.
IMHO their claim is invalidated by appeal to patents. Patents are a sure fire way to ensure that even the most clever of cryptographic constructions is never used in the real world.
Open is better than closed. Non-patented encumbered is better that encumbered.
12 comments
[ 3.5 ms ] story [ 39.0 ms ] threadhttps://patents.google.com/patent/US9906369B2
Sounds like a trust on first use scheme so that you get a public key from the distributor, and use that to verify the application bundle on subsequent use. I actually do like this because it solves for a paranoia I have with password managers, in that they can claim all they want that decryption happens clientside but they're serving me a JavaScript bundle and how am I supposed to believe that isn't changed on the fly via supply chain attack? So at least this adds a step that the application code that is delivered from the server must be signed by the author.
Edit: client is source-available (nonfree), I actually hadn't come across npm verify, so thanks for that
https://github.com/cyph/cyph?tab=License-1-ov-file
Run, don’t walk away from vendors making these claims.
[0]: https://www.cyph.com/websign
Open is better than closed. Non-patented encumbered is better that encumbered.