No release hashes or signatures #128
Comments
+1 for providing sha256 hashes with the release bundles. Sent with GitHawk
I made a change in #133 to compute the SHA256 hashes of the files as part of each release as shown in
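As an added example (not the project's own release tooling), a POSIX shell sketch of the release-hash step discussed above: build a `SHA256SUMS` manifest for a directory of assets, verify downloaded assets against it, and show that a modified asset is rejected. File names and contents are constructed; the manifest itself still needs a signature (e.g. `minisign -Sm SHA256SUMS` or a detached PGP signature) so that a tampered manifest is caught as well, which the hashes alone cannot do.

```shell
#!/bin/sh
# Constructed example: SHA256 manifest for release assets.
# Hashes detect corruption or modification of an asset after the manifest
# was written; they do not prove who published it. Sign SHA256SUMS
# (minisign -Sm SHA256SUMS, or a PGP detached signature) for that.

# make_manifest DIR: write DIR/SHA256SUMS covering every regular file in DIR
# (one "hash  filename" line per asset, in sha256sum -c format).
make_manifest() {
    dir="$1"
    ( cd "$dir" && find . -maxdepth 1 -type f ! -name SHA256SUMS -exec sha256sum {} + \
        | sed 's#^\([0-9a-f]*\)  \./#\1  #' | sort -k2 > SHA256SUMS )
}

# verify_manifest DIR: exit 0 if every listed asset matches, non-zero otherwise.
verify_manifest() {
    dir="$1"
    ( cd "$dir" && sha256sum -c SHA256SUMS > /dev/null )
}

# demo: build a fake release, verify it, then modify one asset and re-verify.
# Returns 0 only if the clean release verifies and the modified one is rejected.
demo() {
    tmp=$(mktemp -d)
    printf 'release binary v1\n' > "$tmp/tool-1.0.0-x86_64.AppImage"   # constructed
    printf 'source tree v1\n'    > "$tmp/tool-1.0.0.tar.gz"            # constructed
    make_manifest "$tmp"
    verify_manifest "$tmp" || { echo "clean release failed verification"; return 1; }
    printf 'modified after release\n' >> "$tmp/tool-1.0.0.tar.gz"      # simulate tampering
    if verify_manifest "$tmp" 2>/dev/null; then
        echo "modified asset was NOT detected"; return 1
    fi
    echo "clean release verified; modified asset rejected"
    rm -rf "$tmp"
}
```

Run `demo` to see the full flow; in a release pipeline `make_manifest` runs once on the build host and users run `sha256sum -c SHA256SUMS` (after checking the manifest's signature) on what they downloaded.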
Bumping this thread to mention that we're trialling PackageCloud in #278 which now makes package repositories available for consumption. Still thinking about what additional signing I want to support as part of the release process - I keep coming back to Minisign as that seems to avoid a lot of the downsides of PGP.
Closing this out for now as I'm happy with PackageCloud handling this for deb and rpm builds
I would also like to see the source tarballs and AppImage PGP-signed. I do believe the GitHub repository has been hacked (with code modifications) a number of times historically, so it is a supply chain risk to have released assets not cryptographically signed, putting all the trust on the site being secure when in the past, on numerous occasions, it was not. It is not a matter of IF it will happen again, but of WHEN it will get compromised again.
Releases should come with PGP-signed SHA hashes, or should themselves be signed, using a consistent PGP key so users can verify the builds come from a trusted source.
Apologies if these are already available and I have missed them. I don't see them anywhere on the releases page or the README. If they are published, those are the first places users will look.