dashfriend_
Member
I would like to start a discussion on a topic that has followed me for some time: How do we ensure the integrity of the software running on our systems? This question is essential because our systems store digital assets.
Question: How is the integrity of dashd (and the other parts for Platform) guaranteed when using dashmate? The official masternode and evonode documentation on docs.dash.org states:
"Verify the authenticity of your download by checking its detached signature against the public key published by the Dash Core development team. All releases of Dash are signed using GPG ..."
This is good advice and part of common security best practices. But I couldn't find any calls to gpg or signature checking within dashmate. It seems that the dashd docker images also don't have any signatures. (And then there is this somewhat separate issue: A measure of trust is placed on npm, node, and all the other packages downloaded when you issue npm -g install dashmate.)
@DCG: What's the release process for dashd images that are built for use in dashmate? Since Pasta and the Core team provide signatures, I'd like other infrastructure related tools like dashmate to use and benefit from them. Otherwise we open ourselves up to certain attack vectors.
Unfortunately, Masternode-Zeus does not perform any signature checks either. It only checks the SHA256 hashes, but downloads them from the same source as the binary file and doesn't check their integrity, which makes using them pointless. You could use the hash value in order to detect a bit flip, but that's about it. Using the hash value does not guarantee the integrity of the download in any way, if you don't check the signature.
I greatly appreciate the work of pshenmic, xkcd, and others. Especially pshenmic and xkcd have always been very helpful. This post is in no way meant to discredit their valuable work. I simply would like to start a discussion on the topic mentioned above, especially since I haven't looked into security aspects of dashmate, docker, npm, and node in more detail yet, so I could be wrong. Maybe others with more expertise in those fields can chime in.
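The point above about checksums fetched from the same source as the binary, as an added example that is not part of the original post and is not code from dashmate or Masternode-Zeus: it compares a hash-only check with a detached-signature check against a pinned keyring, once for a clean file and once for a file replaced together with its checksum. The file names (app.bin, SHA256SUMS, pinned.gpg) and the throwaway key are constructed for the demo; it assumes GnuPG 2.1 or later (gpg, gpgv) and coreutils sha256sum.

```shell
#!/bin/sh
# Added example. File names, key identity and file contents are constructed.
# Usage after sourcing: demo clean; demo tampered

# Hash-only check: compares the file with a checksum file from the same source.
check_hash() {  # check_hash <file> <sums_file>
    want=$(awk '{print $1; exit}' "$2")
    have=$(sha256sum "$1" | awk '{print $1}')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Signature check: gpgv accepts only keys in the pinned keyring, which must
# have been obtained out of band, not from the download server.
check_sig() {  # check_sig <file> <detached_sig> <pinned_keyring, absolute path>
    gpgv --keyring "$3" "$2" "$1" >/dev/null 2>&1
}

# gpg wrapper for the throwaway demo key (no passphrase, no prompts).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null; }

# demo clean|tampered -> prints "hash=<pass|fail> sig=<pass|fail>"
demo() (
    d=$(mktemp -d) || exit 1
    GNUPGHOME="$d/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Publisher side: throwaway key, release file, detached signature, checksum.
    g --quick-generate-key 'Demo Release Key <demo@example.invalid>' default default never
    g --export > "$d/pinned.gpg"
    printf 'release build\n' > "$d/app.bin"
    g --detach-sign -o "$d/app.bin.sig" "$d/app.bin"
    sha256sum "$d/app.bin" > "$d/SHA256SUMS"
    if [ "$1" = tampered ]; then
        # Download source altered: file and checksum are replaced together;
        # the signature cannot be regenerated without the private key.
        printf 'modified build\n' > "$d/app.bin"
        sha256sum "$d/app.bin" > "$d/SHA256SUMS"
    fi
    check_hash "$d/app.bin" "$d/SHA256SUMS" && h=pass || h=fail
    check_sig "$d/app.bin" "$d/app.bin.sig" "$d/pinned.gpg" && s=pass || s=fail
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$d"
    echo "hash=$h sig=$s"
)
```

In the tampered run the hash check still passes because the checksum was replaced along with the file, while the signature check fails.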