Feeling secure with Bintray downloads
UPDATE: As of May 1, 2021, Bintray services will no longer be available (ConanCenter and JCenter are not affected). For more information, read the Centers Deprecation Blog.
Remember our take on .asc files? The thing is, a digital signature alone cannot guarantee the identity of the signer. To fully trust a signer, there needs to be a reliable Web of Trust (WoT) that leaves little to no doubt that the signer is who he claims to be.
So what’s the solution then? Use Bintray as a decentralized source of trust to validate the author’s public web identity, in order to verify that he is who you think he is. Once this identity can be recognized, it can be used to decide whether the packages the user has signed, and which you are about to download, deserve your trust or not.
But what is a “web identity” and how can you trust it? If we are talking about developers, it will probably be their Twitter account or GitHub account (and maybe others like Google+, Bitbucket, etc.). And how can you be sure that the author is not listing a fake profile? By using OAuth.
You can authorize your Bintray profile with Twitter, GitHub and Google+, and provide your users with the confidence that the files they download come from who you claim to be.
Once your profile is authorized (the authorized profiles are clearly marked on your Bintray author page with checkboxes, as in the screenshot below), the users of your repositories and packages can validate your identity by checking your page on the social networks themselves.
We, at JFrog, believe that information is power, and the more info you have about the libraries and their authors, the better decisions you’ll make about whether to trust them or not!