You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
No. Posting the checksums right next to the release file defeats the purpose. If someone were to upload a malicious file, what's stopping them from releasing a matching checksum file. Signing the file would require someone to have access to the signers private key + password to signing key. Only way using checksums could be reliable is if the checksum was distributed across multiple platforms, presumably each being secure, and cross checking all of them to see if they match. This is incredibly impractical, as it would have to be done with each release. Checksums confirm that the files match, not authorship.
Currently, Mac releases are not signed through Apple, so you would blindly be trusting the file. Signing it would at least allow Mac users (and other OS) the ability to verify and have confidence in bypassing Gatekeeper. Signing through Apple would be preferable for Mac users but it's not as practical as using something like GPG. Another option, and probably a better one would be to use OpenSSH and it is available, on all platforms (comes preinstalled with Mac/Windows) and in Linux/BSD repos. It's more secure then GPG AFAIK.
Would it be possible to sign releases with, say, gpg so users can verify downloads before installing? Thanks
The text was updated successfully, but these errors were encountered: