Would it be possible to sign releases with gpg so users can verify downloads? If not, how about releasing the corresponding checksums, preferably across multiple platforms (github, website, X)?
@TheJackiMonster You are totally right, but I think there is a misunderstanding about what I was asking. I am wondering about signing the releases with GPG. This way, end users could use GPG to verify the authenticity of the download. An example I could use is something like KeePassXC. You can check it out here if you'd like: https://keepassxc.org/verifying-signatures/.
The thing about "github, website, X)" was in regard to checksum values. It would allow for a different form of verification if signing releases isn't an option. Posting it across multiple platforms would prevent a single point of failure, and make it harder to exploit.
I'm just asking because I think it would go a long way in helping make sure people are downloading authentic, genuine software. GPG is free software and available on all platforms, making it convenient.
Thanks for the consideration, and I hope this is a better explanation. I can see how my original post could imply something else, my bad.
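
As an added illustration of the cross-channel checksum idea discussed in this thread (not code from the project or from any commenter), the sketch below accepts a download only when the checksum line from every channel matches the file's SHA-256. The file name, file contents and channel data are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def parse_checksum_line(line):
    """Parse a `sha256sum`-style line: '<64 hex digits>  <filename>'."""
    digest, _, name = line.strip().partition(" ")
    name = name.lstrip(" *")  # '*' marks binary mode in sha256sum output
    if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError(f"not a SHA-256 checksum line: {line!r}")
    return name, digest.lower()

def verify_download(data, filename, published):
    """Compare `data` with the checksum line fetched from each channel.

    `published` maps channel name -> checksum line. Returns (ok, report);
    ok is True only when every channel lists `filename` with the digest of `data`.
    """
    actual = hashlib.sha256(data).hexdigest()
    report = {}
    for channel, line in published.items():
        try:
            name, digest = parse_checksum_line(line)
        except ValueError:
            report[channel] = "malformed"
            continue
        if name != filename:
            report[channel] = "wrong file"
        elif hmac.compare_digest(digest, actual):
            report[channel] = "match"
        else:
            report[channel] = "MISMATCH"
    return bool(report) and all(v == "match" for v in report.values()), report

# Constructed sample data: a made-up release file and its checksum on three channels.
FILENAME = "example-1.0.tar.gz"
RELEASE = b"constructed release archive contents\n"
MODIFIED = RELEASE + b"bytes changed in transit\n"
CHANNELS = {ch: f"{hashlib.sha256(RELEASE).hexdigest()}  {FILENAME}"
            for ch in ("github", "website", "x")}
# One channel altered to vouch for the modified file; the other two are untouched.
ONE_ALTERED = dict(CHANNELS, github=f"{hashlib.sha256(MODIFIED).hexdigest()} *{FILENAME}")

if __name__ == "__main__":
    print(verify_download(RELEASE, FILENAME, CHANNELS))
    print(verify_download(MODIFIED, FILENAME, ONE_ALTERED))
```

With one channel altered, the modified file still fails because the remaining channels report a mismatch, which is the single-point-of-failure argument made above.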