No release hashes or signatures #128

Closed
kklash opened this issue Mar 7, 2019 · 5 comments

Comments

@kklash

kklash commented Mar 7, 2019

Releases should come with PGP signed SHA hashes, or should themselves be signed, using a consistent PGP key so users can verify the builds come from a trusted source.

Apologies if these are already available and I have missed them. I don't see them anywhere on the releases page or the README. If they are published, those are the first places users will look.

@immackay

immackay commented Mar 7, 2019

+1 for providing sha256 hashes with the release bundles


@shiftkey
Owner

shiftkey commented Apr 7, 2019

I made a change in #133 to compute the SHA256 hashes of the files as part of each release as shown in release-1.6.5-linux6, but PGP keys and that sort of signing is further down my list of priorities. I plan to update the release process to include the checksums as part of the release notes in the future.
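Checking downloaded assets against a release checksum file, as an added example that is not part of this project's release process or code; the asset names, contents and the SHA256SUMS text below are constructed, and the file covers both the `hex  name` and `hex *name` forms that `sha256sum` emits.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample asset and SHA256SUMS text (hypothetical names) in `sha256sum`
# format; the AppImage digest is deliberately wrong, standing in for a tampered download.
ASSET_NAME = "example-release-1.0.0-linux.tar.gz"
TAMPERED_NAME = "example-release-1.0.0-linux.AppImage"
ASSET_BYTES = b"constructed release payload\n"
SHA256SUMS = (
    hashlib.sha256(ASSET_BYTES).hexdigest() + "  " + ASSET_NAME + "\n"
    + "0" * 64 + " *" + TAMPERED_NAME + "\n"
)

def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse '<hex>  <name>' / '<hex> *<name>' lines into {name: hex}; reject malformed lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest.lower()
    return expected

def sha256_of_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_asset(path: str, expected: dict[str, str]) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded asset."""
    name = Path(path).name
    if name not in expected:
        return "unlisted"  # an asset the checksum file does not cover is unverified
    return "ok" if hmac.compare_digest(sha256_of_file(path), expected[name]) else "mismatch"

def demo() -> dict[str, str]:
    expected = parse_sha256sums(SHA256SUMS)
    files = {ASSET_NAME: ASSET_BYTES, TAMPERED_NAME: b"tampered\n", "notes.txt": b"x"}
    with tempfile.TemporaryDirectory() as d:
        results = {}
        for name, data in files.items():
            path = Path(d, name)
            path.write_bytes(data)
            results[name] = verify_asset(path, expected)
        return results
```

A checksum file served from the same place as the assets only detects a corrupted or swapped download; it says nothing about origin unless the checksum file itself is signed, which is the gap this thread is about.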

@shiftkey
Owner

Bumping this thread to mention that we're trialling PackageCloud in #278 which now makes package repositories available for consumption. Still thinking about what additional signing I want to support as part of the release process - I keep coming back to Minisign as that seems to avoid a lot of the downsides of PGP.

@shiftkey
Owner

shiftkey commented Jun 5, 2020

Closing this out for now as I'm happy with PackageCloud handling this for deb and rpm builds

@shiftkey shiftkey closed this as completed Jun 5, 2020
@ghost

ghost commented Feb 3, 2022

I would also like to see the source tarballs and AppImage PGP signed. I do believe the GitHub repository has been hacked (with code modifications) a number of times historically, so it is a supply chain risk to have released assets not cryptographically signed and to put all the trust on the site being secure when in the past, on numerous occasions, it was not. It is not a matter of IF it will happen again, but of WHEN it will get compromised again.
