Currently all verification of Janus files is done by Janus itself, which means that if a hacker got access to the Janus git repo, he could change the verification process too, including changing the PGP pubkey. So you shouldn't download and verify from the same place, because if it is compromised, everything is compromised at once.
So a more secure installation process should look like:
gpg --import .janus-gpg.txt
curl -O https://raw.githubusercontent.com/ethereumproject/janus/master/get-windows.sh
curl -O https://raw.githubusercontent.com/ethereumproject/janus/master/get-windows.sh.asc
gpg --verify get-windows.sh.asc
bash get-windows.sh
Where .janus-gpg.txt MUST be provided with the application sources (i.e. committed into Geth/Emerald/etc).
But that brings another problem: you need versioning for that stuff, because if you decide to change your PGP key at some point, every dependent project will stop working until they import your new key. As a workaround you can give a link pointing to a tag instead of the master branch. (Also, I just realised, a link to a particular commit may be useful for security too, because it will be hard to forge a commit, but I don't think it is supposed to be used this way.)
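One way to script the process above, as an added example that is not part of the Janus project or of this comment. It pins the download to a tag or commit, imports the committed key into a throwaway keyring instead of the user's default one, and checks the signer's fingerprint rather than trusting a bare zero exit from gpg; the ref, key file, fingerprint and script name are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not Janus project code): install a Janus helper script only after
# its detached signature verifies against a key shipped by the *consuming* project.
set -eu

JANUS_REF="${JANUS_REF:-v0.0.0-placeholder}"   # placeholder: tag or commit to pin, not "master"
KEY_FILE="${KEY_FILE:-.janus-gpg.txt}"         # public key committed in the dependent project
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"  # placeholder fingerprint
SCRIPT_NAME="${SCRIPT_NAME:-get-windows.sh}"

# Build a raw.githubusercontent.com URL pinned to a tag or commit instead of a moving branch.
pinned_url() {  # $1 = git ref, $2 = path inside the repo
    printf 'https://raw.githubusercontent.com/ethereumproject/janus/%s/%s\n' "$1" "$2"
}

# Verify a detached signature in an isolated keyring and insist on one specific key:
# a zero exit from "gpg --verify" only proves that *some* key in the keyring signed the file.
# VALIDSIG lists the signing (sub)key fingerprint first and the primary fingerprint last.
verify_sig() {  # $1 = keyring home, $2 = .asc file, $3 = signed file, $4 = expected fingerprint
    local status
    status="$(GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null || true)"
    printf '%s\n' "$status" | grep -Eq "^\[GNUPG:\] VALIDSIG ($4 |.* $4$)"
}

main() {
    local home
    home="$(mktemp -d)"; chmod 700 "$home"
    trap 'rm -rf "$home"' EXIT
    GNUPGHOME="$home" gpg --batch --import "$KEY_FILE"
    curl -fsSLO "$(pinned_url "$JANUS_REF" "$SCRIPT_NAME")"
    curl -fsSLO "$(pinned_url "$JANUS_REF" "$SCRIPT_NAME.asc")"
    if verify_sig "$home" "$SCRIPT_NAME.asc" "$SCRIPT_NAME" "$EXPECTED_FPR"; then
        bash "$SCRIPT_NAME"
    else
        echo "signature check failed for $SCRIPT_NAME; refusing to run it" >&2
        exit 1
    fi
}

# Run the installer only when explicitly asked, so the functions can be sourced on their own.
if [ "${RUN_JANUS_INSTALL:-0}" = "1" ]; then
    main
fi
```

Run it as `RUN_JANUS_INSTALL=1 EXPECTED_FPR=<fingerprint from your .janus-gpg.txt> ./install-janus.sh` from the directory holding the committed key file.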