PGP sign our downloads?
Posted: Fri Jun 29, 2018 12:07 pm
Hi!
Due to recent events, I wonder whether we should sign our downloads with PGP. As it is now, we're somewhat safe against manipulations of the Github downloads, since the SHA-256 hashes are hosted on cmsimple-xh.org, so an attacker would need to get access to our website also. Nonetheless, offering additional detached PGP signatures would add another level of safety, since these are basically hashes which are bound to a certain identity. See http://www.cryptnet.net/fdp/crypto/strong_distro.html for further details.
Besides some additional work for the release managers, the only downside I can see would be that probably few (if any) of our users would verify the signs.
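As an added illustration of the two-layer check described in the post (not part of the original thread or of any CMSimple_XH release tooling): a release manager would publish a SHA-256 line plus a detached, ASCII-armoured PGP signature, and a user would first compare the hash against the value hosted on cmsimple-xh.org and then verify the signature against a key obtained out of band. The archive name, signer key id and expected hash below are placeholders.

```shell
#!/bin/sh
# Portable SHA-256 of one file (coreutils sha256sum or perl/BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Release side: emit <archive>.sha256 (to host on the project website) and
# <archive>.asc, a detached armoured signature (to host next to the download).
sign_release() {
    archive="$1"; signer="$2"   # e.g. CMSimple_XH-1.7.2.zip and a key id
    sha256_of "$archive" > "$archive.sha256"
    gpg --local-user "$signer" --armor --detach-sign \
        --output "$archive.asc" "$archive"
}

# User check 1: the hash must equal the value published on the separate host,
# so tampering with the download alone is caught.
verify_sha256() {
    archive="$1"; expected="$2"
    actual=$(sha256_of "$archive")
    [ "$actual" = "$expected" ]
}

# User check 2: the detached signature must verify against a key the user has
# already imported; gpg exits non-zero on a bad signature or an unknown key.
verify_signature() {
    archive="$1"; sig="$2"
    gpg --verify "$sig" "$archive" 2>/dev/null
}

# Both checks must pass; a failure of either is reported and the archive is
# treated as untrusted.
verify_release() {
    archive="$1"; expected="$2"; sig="$3"
    verify_sha256 "$archive" "$expected" \
        || { echo "SHA-256 mismatch for $archive" >&2; return 1; }
    verify_signature "$archive" "$sig" \
        || { echo "bad or missing signature for $archive" >&2; return 1; }
    echo "ok: hash and signature both verified for $archive"
}
```

Note that the signature check binds the file to the signer's key, while the hash check only proves the file matches what the website says; only the PGP step still holds if both the download host and the website are altered.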