
Please cryptographically sign your software releases (eg with PGP)

Open maltfield opened this issue 4 years ago • 2 comments

Feature Request

Description

Currently it is not possible to verify the authenticity or cryptographic integrity of the downloads from sourceforge or github.com because the releases are not cryptographically signed.

This makes it hard for Dolibarr users to safely obtain the Dolibarr software, and it introduces them (and potentially their customers' data) to watering hole attacks.

Steps to Reproduce

  1. Go to the https://www.dolibarr.org/downloads.php page
  2. ???

Expected Behavior

A few things are expected:

  1. I should be able to download the Dolibarr PGP key out-of-band from popular third-party keyservers (e.g. https://keys.openpgp.org/)
  2. I should be able to download a cryptographic signature of the release (or, better, the release's digest file, such as a SHA256SUMS.asc file) along with the release itself
  3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.

Versions Affected

Everything, all versions. Plugins too.

Use case

Installing the software securely

Suggested implementation

Cryptographic signing of all software releases with PGP

Suggested steps

A few things are expected:

  1. I should be able to download the Dolibarr PGP key out-of-band from popular third-party keyservers (e.g. https://keys.openpgp.org/)
  2. I should be able to download a cryptographic signature of the release (or, better, the release's digest file, such as a SHA256SUMS.asc file) along with the release itself
  3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

maltfield avatar Apr 19 '22 18:04 maltfield
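The user-side verification that the three expected-behaviour steps above describe, as an added example that is not Dolibarr project code: it assumes the project ships a clearsigned `SHA256SUMS.asc` next to the release files, that the maintainer key was fetched out-of-band into a dedicated keyring file, and that the `gpg` binary is on PATH.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# Line format written by `sha256sum`: "<64 hex chars>  <filename>"
# (a "*" before the name marks binary mode; both forms are accepted)
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sums(text):
    """Return {filename: hex_digest} from SHA256SUMS(.asc) content.
    Non-matching lines (blank, PGP armor, "Hash: SHA256") are skipped."""
    sums = {}
    for line in text.splitlines():
        m = _SUMS_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_file(path):
    """Stream a file through SHA-256 so large archives do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_downloads(sums, download_dir="."):
    """Compare every file listed in the digest file with what was downloaded.
    Returns {filename: "ok" | "mismatch" | "missing"}; install only "ok"."""
    results = {}
    for name, expected in sums.items():
        target = Path(download_dir) / name
        if not target.is_file():
            results[name] = "missing"
        elif sha256_file(target) != expected:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


def gpg_signature_valid(signed_sums, keyring):
    """Verify a clearsigned SHA256SUMS.asc against a pinned keyring only.
    The keyring (absolute path) holds just the maintainer key fetched
    out-of-band, so a signature by any other key fails. Requires gpg."""
    cmd = ["gpg", "--no-default-keyring", "--keyring", str(keyring),
           "--verify", str(signed_sums)]
    return subprocess.run(cmd, capture_output=True).returncode == 0
```

Run `gpg_signature_valid` first and only then `check_downloads` on `parse_sums` of the same file; a digest list whose signature does not verify proves nothing about the archives.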

This is still an issue.

maltfield avatar Apr 20 '23 20:04 maltfield

This is still an issue.

maltfield avatar Apr 23 '24 21:04 maltfield