Missing signatures in source and binary download of OPAM itself #3577

Closed
vog opened this issue Oct 3, 2018 · 2 comments
Comments

@vog

vog commented Oct 3, 2018

While I applaud the efforts to distribute signed packages through OPAM (https://opam.ocaml.org/blog/Signing-the-opam-repository/), signatures for the source and binary tarballs of OPAM itself are still missing.

This is a big hole in the system: How much is OPAM's checking of all package signatures worth if I can't trust that I have an unmodified version of the OPAM tool itself?

One might leverage e.g. Debian package signatures, but the Debian maintainers have the same problem as I do: How do they verify the next OPAM version? Also, what if I want to use the latest OPAM version during the time it is not yet available on Debian? The same holds for Fedora and all other distros.

So I propose to provide a signed SHA512 checksums file for every OPAM release, containing the checksums of all source and binary tarballs, signed with one or two GPG keys that will remain stable over a long time period.

@dra27
Member

dra27 commented Jul 23, 2021

This was fixed for opam 2.0.1 - we sign the release binaries and the full sources tarball. We can't control the source artefacts produced by GitHub (but it's always possible to use the full sources tarball instead).

@dra27 dra27 closed this as completed Jul 23, 2021
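What the proposal above and the maintainer's reply amount to on the consumer side, as an added example (this is not opam's release tooling and not code from either commenter): verify a detached GPG signature over a `sha512sum`-style `SHA512SUMS` list against a key fingerprint pinned in the script, and only then hash every listed artefact. The file names `SHA512SUMS` / `SHA512SUMS.sig`, the fingerprint `RELEASE_KEY_FPR`, and the artefact names in the constructed demo release are assumptions for illustration. Two points the thread raises are built in: the list is only as good as its signature, so the signature check comes first and requires the pinned key rather than "any key in the keyring"; and only explicitly published tarballs are listed, since GitHub's auto-generated source archives are outside the project's control.

```python
#!/usr/bin/env python3
"""Verify release artefacts against a GPG-signed SHA512 checksum list.

Added illustration, not opam's own release tooling. Assumed (hypothetical)
release-directory layout:
  SHA512SUMS      sha512sum(1)-style lines: "<128 hex>  <filename>"
  SHA512SUMS.sig  detached GPG signature over SHA512SUMS
and a long-lived signing key whose fingerprint is pinned below, obtained
through a channel other than the download site itself.
"""
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Hypothetical fingerprint; a real deployment hardcodes the project's published one.
RELEASE_KEY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# "<hex>  <name>" (text mode) or "<hex> *<name>" (binary mode), as sha512sum prints.
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{128}) [ *](\S.*)$")

# Any of these tags means the signature must not be trusted even if a VALIDSIG
# line is also present (gpg emits VALIDSIG alongside EXPKEYSIG/REVKEYSIG).
BAD_STATUS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_sha512sums(text):
    """Return {filename: hex_digest}; fail closed on malformed or duplicate lines."""
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = CHECKSUM_LINE.match(raw)
        if not m:
            raise ValueError(f"SHA512SUMS line {lineno} is malformed: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in sums:
            raise ValueError(f"SHA512SUMS lists {name} twice")
        sums[name] = digest
    return sums


def sha512_file(path, chunk=1 << 20):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def signature_status_ok(status_output, expected_fpr):
    """Decide from gpg's machine-readable --status-fd lines whether the signature
    is good AND made by the pinned key. A key that merely sits in the keyring
    (say, imported from the same compromised mirror) must not pass."""
    expected = expected_fpr.replace(" ", "").upper()
    valid = False
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in BAD_STATUS:
            return False
        if tag == "VALIDSIG":
            # field 2: signing (sub)key fingerprint; field 11, when present: the
            # primary key's fingerprint. Pinning either one is accepted.
            fprs = {fields[2].upper()}
            if len(fields) >= 12:
                fprs.add(fields[11].upper())
            valid = valid or expected in fprs
    return valid


def verify_signature(sums_path, sig_path, expected_fpr=RELEASE_KEY_FPR):
    """Run gpg non-interactively and judge by status lines, not stderr text."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path), str(sums_path)],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False)
    return proc.returncode == 0 and signature_status_ok(proc.stdout, expected_fpr)


def check_artifacts(release_dir, sums):
    """Hash every listed artefact. A listed-but-absent file is a failure, so the
    list cannot be "satisfied" by deleting the tarball an attacker could not forge."""
    d, ok, report = Path(release_dir), True, []
    for name, expected in sums.items():
        target = d / name
        if not target.is_file():
            status = "MISSING "
        elif sha512_file(target) != expected:
            status = "MISMATCH"
        else:
            status = "OK      "
        ok = ok and status.startswith("OK")
        report.append(f"{status} {name}")
    return ok, report


def verify_release(release_dir, expected_fpr=RELEASE_KEY_FPR):
    """Signature first (an unsigned list is just more attacker-controlled input),
    then the artefacts. Returns (ok, report_lines)."""
    d = Path(release_dir)
    if not verify_signature(d / "SHA512SUMS", d / "SHA512SUMS.sig", expected_fpr):
        return False, ["SHA512SUMS signature did not verify against the pinned key"]
    return check_artifacts(d, parse_sha512sums((d / "SHA512SUMS").read_text()))


def make_demo_release():
    """Constructed sample release (no real opam bytes): two artefacts whose
    digests are correct and one whose content differs from its listed digest."""
    d = Path(tempfile.mkdtemp(prefix="release-demo-"))
    good = {"opam-full-2.0.1.tar.gz": b"constructed full-sources tarball\n",
            "opam-2.0.1-x86_64-linux": b"constructed binary\n"}
    lines = []
    for name, data in good.items():
        (d / name).write_bytes(data)
        lines.append(f"{hashlib.sha512(data).hexdigest()}  {name}")
    (d / "tampered.bin").write_bytes(b"contents swapped after the list was signed\n")
    lines.append(f"{hashlib.sha512(b'original contents').hexdigest()}  tampered.bin")
    (d / "SHA512SUMS").write_text("\n".join(lines) + "\n")
    return d


if __name__ == "__main__":
    demo = make_demo_release()
    ok, report = check_artifacts(demo, parse_sha512sums((demo / "SHA512SUMS").read_text()))
    print("\n".join(report), "\nresult:", "ok" if ok else "FAILED")
```

`verify_release` is the entry point for a real directory with a real `SHA512SUMS.sig`; the stand-alone run skips gpg and exercises only the checksum half on the constructed files, which is enough to show the tampered artefact being reported. Note that `signature_status_ok` refuses expired and revoked keys even though gpg still prints `VALIDSIG` for them, which is exactly the situation a long-lived release key eventually ends up in.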
@vog
Author

vog commented Jul 23, 2021

Ok, so back in 2018, this was already fixed 21 days after I created this ticket. Nice. 👍
