Need to add "gpg clear-signed checksums so users can check the PGP integrity of builds and binary downloads of the wallets." #502

Open
cryptozoidberg opened this issue Jan 20, 2025 · 0 comments

@cryptozoidberg
Member

Received an email from one of our supporters that addresses a security issue with *nix builds.

Quote of the email below:

Hello Zano Team,

I really want to try Zano, but the lack of GPG-signed releases makes me
hesitant and raises doubts about the validity of the project. Most valid
open source crypto wallet projects, like Bitcoin, Monero, and Firo,
all have signed releases. I highly suggest creating a dedicated
signing key for the project. Here are some best practices and how to do
this.

  1. Use an air-gapped computer to generate a key with one of these two options
    (a. and b. both generate the key in volatile memory, aka RAM):
    a. Use a live system to generate the key and export it.
    b. Use a system with /tmp mounted on tmpfs.
    1. Generate the key in /tmp: gpg --full-generate-key --homedir=/tmp/.gnupg/
    2. Export the key to a mounted USB drive: gpg --homedir=/tmp/.gnupg/ --armor --export <[email protected]> > /media/user/USB_DRIVE/public_key.asc
    (Make sure the key ID [email protected] is correct and that the user and USB_DRIVE are correct, e.g., /dev/sdb.)

  2. Limit Key Usage

    1. Signing Only: If the key is only used for signing, ensure that it is not used for encryption or other purposes. This limits exposure and potential misuse.
    2. Subkeys: Consider using subkeys for different purposes (e.g., one for signing, one for encryption). This allows you to revoke a
    subkey without affecting the primary key.

  4. Public Key Distribution

    1. Secure Distribution: When distributing the public key, ensure it is done securely. Use trusted channels and verify the integrity of the key.
    2. Store it in different places to avoid a single point of failure (e.g., GitHub and your website).
  5. Decide whether to sign releases manually or with GitHub Actions
    a. Manually with Git hooks
    (you can set up a post-receive or post-commit hook that generates
    checksums, signs them, and handles the release process.)
    1. cd .git/hooks
    2. touch post-commit
    3. nano post-commit
    4. EXAMPLE SCRIPT

#!/bin/bash
# post-commit hook: checksum and clear-sign the release files.
# Git runs hooks from the top of the working tree, so RELEASE_DIR is
# relative to the repository root.
set -euo pipefail

RELEASE_DIR="release"  # Change this to your actual release directory

# Check if the release directory exists
if [ -d "$RELEASE_DIR" ]; then
    # Navigate to the release directory
    cd "$RELEASE_DIR"

    # Generate checksums. Exclude the checksum files themselves so that a
    # second run does not hash the output of the first one.
    echo "Generating SHA256SUMS.txt..."
    find . -maxdepth 1 -type f ! -name 'SHA256SUMS*' -printf '%P\n' \
        | LC_ALL=C sort | xargs -r sha256sum > SHA256SUMS.txt

    # Clear-sign the checksums. Options go before the input file;
    # --yes overwrites a SHA256SUMS.asc left over from a previous run.
    echo "Clear-signing SHA256SUMS.txt..."
    gpg --yes --output SHA256SUMS.asc --clearsign SHA256SUMS.txt

    echo "Checksums and signature created."
else
    echo "Release directory $RELEASE_DIR not found. Skipping signing."
fi

    b. Using GitHub Actions (release.yml)

name: Release

on:
  release:
    types: [published]

# Needed so the job can attach SHA256SUMS.* to the release it was triggered by
permissions:
  contents: write

jobs:
  generate-checksums-and-sign:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ github.token }}
      TAG: ${{ github.event.release.tag_name }}

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up GPG
        # The ASCII-armored private key lives in a repository secret; anyone
        # who can read that secret can sign releases. Assumes the exported
        # key has no passphrase (otherwise gpg --batch needs --pinentry-mode
        # loopback and --passphrase).
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          echo "$GPG_PRIVATE_KEY" | gpg --batch --yes --import

      - name: Download release assets
        # Release assets are not part of the checkout; fetch them from the
        # release that triggered this workflow.
        run: |
          mkdir -p release
          gh release download "$TAG" --dir release

      - name: Generate checksums
        run: |
          # Create SHA256SUMS.txt with checksums for all files in the release
          echo "Generating SHA256SUMS.txt..."
          cd release
          find . -maxdepth 1 -type f ! -name 'SHA256SUMS*' -printf '%P\n' \
            | LC_ALL=C sort | xargs -r sha256sum > SHA256SUMS.txt

      - name: Clear-sign checksums
        run: |
          echo "Clear-signing SHA256SUMS.txt..."
          cd release
          gpg --batch --yes --output SHA256SUMS.asc --clearsign SHA256SUMS.txt

      - name: Attach checksums and signature to the release
        run: |
          gh release upload "$TAG" release/SHA256SUMS.txt release/SHA256SUMS.asc --clobber
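The procedure the email describes (signing-only key, SHA256SUMS.txt, clear-signed SHA256SUMS.asc, published public key) together with the user-side check the issue title asks for, as one added example. This is not Zano project code and not the email author's script; it assumes GnuPG 2.1+ and GNU coreutils, and every key, user ID and "build artifact" in it is constructed for the demo. The verification side does two things a bare `gpg --verify` does not: it pins the expected key fingerprint instead of accepting any good signature in the keyring, and it runs `sha256sum -c` on the text gpg extracted from the verified signature rather than on the separately downloaded, unsigned SHA256SUMS.txt.

```shell
#!/bin/sh
# Added example, not Zano project code: a release-signing round trip with GnuPG.
# Assumes GnuPG 2.1+ and GNU coreutils (sha256sum). All file names, user IDs
# and "build artifacts" below are constructed for the demo.
set -u

# Generate a signing-only key (no encryption capability) in a throwaway
# GNUPGHOME, as the email suggests doing on an air-gapped or tmpfs-backed
# system; prints the key fingerprint, which is what users should pin.
make_signing_key() {
    key_home=$1
    cat > "$key_home/params" <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Release Signing Key
Name-Email: release-signing@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --homedir "$key_home" --batch --quiet --gen-key "$key_home/params" 2>/dev/null || return 1
    gpg --homedir "$key_home" --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}'
}

# Export the public key for distribution (GitHub, website, ...).
export_public_key() {
    gpg --homedir "$1" --batch --armor --export "$2" > "$3" || return 1
    [ -s "$3" ] || return 1
}

# Maintainer side: SHA256SUMS.txt over every release file (the checksum
# files themselves excluded), then a clear-signed copy SHA256SUMS.asc.
sign_release() {
    key_home=$1; rel_dir=$2
    ( cd "$rel_dir" &&
      find . -maxdepth 1 -type f ! -name 'SHA256SUMS*' | sed 's|^\./||' | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done > SHA256SUMS.txt ) || return 1
    gpg --homedir "$key_home" --batch --yes --quiet \
        --output "$rel_dir/SHA256SUMS.asc" --clearsign "$rel_dir/SHA256SUMS.txt" || return 1
}

# User side: import the published key into an empty keyring, let gpg verify the
# clear-signature AND hand back the signed text, pin the signer's fingerprint,
# and only then run sha256sum -c on that verified text (never on the bare .txt).
verify_release() {
    rel_dir=$1; pubkey=$2; expected_fpr=$3
    vhome=$(mktemp -d) || return 1
    gpg --homedir "$vhome" --batch --quiet --import "$pubkey" 2>/dev/null || { rm -rf "$vhome"; return 1; }
    status=$(gpg --homedir "$vhome" --batch --status-fd 1 \
                 --output "$vhome/SHA256SUMS.verified" --decrypt "$rel_dir/SHA256SUMS.asc" 2>/dev/null) \
        || { rm -rf "$vhome"; return 1; }
    # A GOODSIG from any key in the keyring is not enough: require this fingerprint.
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr " || { rm -rf "$vhome"; return 1; }
    ( cd "$rel_dir" && sha256sum --check --strict --quiet "$vhome/SHA256SUMS.verified" )
    rc=$?
    rm -rf "$vhome"
    return $rc
}

# Round trip on constructed stand-ins for the build artifacts: an honest
# download verifies, a tampered binary fails, and a tampered binary whose new
# hash was also edited into SHA256SUMS.asc fails because the signature breaks.
demo_roundtrip() {
    work=$(mktemp -d) || return 1
    mkdir "$work/signer" "$work/release" || return 1
    chmod 700 "$work/signer"
    printf 'pretend linux build\n' > "$work/release/wallet-linux-x64.tar.bz2"
    printf 'pretend macos build\n'  > "$work/release/wallet-macos.dmg"
    fpr=$(make_signing_key "$work/signer") || return 1
    pub="$work/release-signing-key.asc"
    export_public_key "$work/signer" "$fpr" "$pub" || return 1
    sign_release "$work/signer" "$work/release" || return 1

    verify_release "$work/release" "$pub" "$fpr" || return 1
    printf 'backdoor\n' >> "$work/release/wallet-linux-x64.tar.bz2"
    if verify_release "$work/release" "$pub" "$fpr"; then return 1; fi
    oldhash=$(grep 'wallet-linux-x64' "$work/release/SHA256SUMS.txt" | cut -c1-64)
    newhash=$(cd "$work/release" && sha256sum wallet-linux-x64.tar.bz2 | cut -c1-64)
    sed "s/$oldhash/$newhash/" "$work/release/SHA256SUMS.asc" > "$work/forged.asc" &&
        mv "$work/forged.asc" "$work/release/SHA256SUMS.asc"
    if verify_release "$work/release" "$pub" "$fpr"; then return 1; fi
    rm -rf "$work"
    return 0
}

# Run with:  sh release-signing-demo.sh demo
if [ "${1:-}" = "demo" ]; then
    demo_roundtrip && echo "release signing round trip: ok"
fi
```

For a real release key the `Expire-Date: 0` and `%no-protection` lines are demo shortcuts: give the key an expiry, generate a revocation certificate, and keep the private key off the build host. The fingerprint that `make_signing_key` prints is the value to publish next to the public key so users can pass it to `verify_release` from an independent source rather than trusting whatever key came with the download.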
