Download Verification #1282

Open
3knight opened this issue Feb 7, 2024 · 2 comments

@3knight

3knight commented Feb 7, 2024

Would it be possible to sign releases with GPG so users can verify downloads? If not, how about releasing the corresponding checksums, preferably across multiple platforms (GitHub, website, X)?

@TheJackiMonster
Collaborator

The download links on the website already point to GitHub. So there's already only one place to download the releases.

@3knight
Author

3knight commented Feb 8, 2024

@TheJackiMonster You are totally right, but I think there is a misunderstanding about what I was asking. I am wondering about signing the releases with GPG. This way, end users could use GPG to verify the authenticity of the download. An example I could use is something like KeePassXC. You can check it out here if you'd like: https://keepassxc.org/verifying-signatures/.

The thing about "github, website, X)" was in regards to checksum values. It would allow for a different form of verification if signing releases isn't an option. Posting it across multiple platforms would prevent a single point of failure, and make it harder to exploit.

I'm just asking because I think it would go a long way in helping make sure people are downloading authentic, genuine software. GPG is free software and available on all platforms, making it convenient.

Thanks for the consideration, and I hope this is a better explanation. I can see how my original post could imply something else; my bad.
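
The multi-channel checksum check proposed above, sketched as an added example that is not part of the thread or the project's code: a download is accepted only when at least two channels publish the same SHA-256 for it and the local file matches. The file name, channel contents and function names are constructed for illustration, and the check only adds assurance if the channels are controlled independently.

```python
import hashlib
import hmac
import pathlib
import re
import tempfile

# sha256sum-style line: 64 hex chars, whitespace, optional '*', file name
LINE = re.compile(r"([0-9a-fA-F]{64})\s+\*?(\S.*)")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def parse_checksums(text):
    """Parse sha256sum-style lines into {name: hex}; other lines are ignored."""
    found = (LINE.fullmatch(ln.strip()) for ln in text.splitlines())
    return {m.group(2): m.group(1).lower() for m in found if m}

def verify_download(path, name, channels, min_sources=2):
    """channels maps a channel label to the checksum list fetched from it."""
    published = {}
    for label, text in channels.items():
        digest = parse_checksums(text).get(name)
        if digest:
            published[label] = digest
    if len(published) < min_sources:
        return False, "too few channels list this file"
    if len(set(published.values())) != 1:  # one channel may be compromised
        return False, "channels disagree"
    expected = next(iter(published.values()))
    if not hmac.compare_digest(sha256_file(path), expected):
        return False, "file does not match published checksum"
    return True, "match"

def demo():
    """Constructed data: a fake release file and three fake channel lists."""
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d) / "app-1.0.tar.gz"
        path.write_bytes(b"constructed release bytes")
        good = f"{sha256_file(path)}  app-1.0.tar.gz\n"
        bad = "0" * 64 + "  app-1.0.tar.gz\n"
        ok = {"github": good, "website": good, "x": good}
        split = {"github": bad, "website": good, "x": good}  # one channel altered
        swapped = {"github": bad, "website": bad, "x": bad}  # file differs from all
        return [verify_download(path, "app-1.0.tar.gz", c) for c in (ok, split, swapped)]

if __name__ == "__main__":
    print(demo())
```
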
