cake_wallet

Use GPG to sign releases so we don't have to trust GitHub / Microsoft

Open · jonathancross opened this issue 1 year ago · 3 comments

Problem Description

I cannot verify that the release I download from GitHub was created by you.

Proposed Resolution

Use GPG to sign each release, or provide a signed list of file hashes and/or a .sig file for each file released.

Bonus points:

Strategies for helping users establish the authenticity of a GPG key:

Ideally, the PGP key should be cross-signed with others in the OpenPGP Web of Trust Strong Set, or with other prominent devs in the space (e.g. Monero Core devs, or people in related tech like Tor, Tails, Qubes, Bitcoin, etc.).

If the release signing key is also used on at least some commits, that would establish that "the person writing code" also "created this release". Would be much better if all devs at least signed each other's keys too.

jonathancross · Dec 03 '23 11:12
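As an added worked example (not Cake Wallet's release process or code, and not the issue author's), here is the workflow the post proposes, in POSIX shell: the maintainer side produces a signed SHA256SUMS manifest plus a detached .asc per artefact, and the user side verifies the manifest signature against a fingerprint obtained out of band before trusting any hash. It assumes GnuPG 2.x and coreutils sha256sum; the signing key, user ID, artefact names and artefact contents are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not Cake Wallet project code. Signs a release the way the
# issue proposes (signed SHA256SUMS manifest plus a detached .asc per file)
# and verifies it the way a user should. Assumes GnuPG 2.x and coreutils
# sha256sum; keys, user ID, file names and file contents are all constructed.

# Generate a throwaway ed25519 signing key inside GNUPGHOME $1; print its fingerprint.
make_signing_key() {
    GNUPGHOME="$1" gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Release Key <release@example.invalid>' \
        ed25519 sign never >/dev/null 2>&1
    GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Maintainer side: GNUPGHOME $1, signing-key fingerprint $2, release dir $3,
# artefact file names $4... (relative to the release dir).
sign_release() {
    (
        cd "$3" || exit 1
        home=$1; fpr=$2; shift 3
        sha256sum "$@" > SHA256SUMS                       # one manifest covers every file
        GNUPGHOME="$home" gpg --batch --yes --local-user "$fpr" --armor \
            --detach-sign --output SHA256SUMS.asc SHA256SUMS
        for f in "$@"; do                                 # plus a detached .asc per artefact
            GNUPGHOME="$home" gpg --batch --yes --local-user "$fpr" --armor \
                --detach-sign --output "$f.asc" "$f"
        done
        # Ship the public key too; its fingerprint must still be confirmed elsewhere.
        GNUPGHOME="$home" gpg --batch --armor --export "$fpr" > release-key.asc
    )
}

# User side: GNUPGHOME $1, fingerprint learned out of band $2, release dir $3.
# Returns 0 only if the manifest carries a valid signature from exactly that
# key AND every listed file matches its hash.
verify_release() {
    (
        cd "$3" || exit 1
        GNUPGHOME="$1" gpg --batch --quiet --import release-key.asc 2>/dev/null
        # "gpg --verify" exiting 0 means only "good signature from some key in
        # my keyring". Pin the key: in the VALIDSIG status line the first
        # fingerprint is the signing (sub)key, the last is the primary key.
        GNUPGHOME="$1" gpg --batch --no-tty --status-fd 1 \
            --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null \
            | awk -v fpr="$2" \
                '$2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 } END { exit !ok }' \
            || exit 1
        # Hashes are only meaningful once the manifest itself is authenticated.
        sha256sum --quiet --ignore-missing -c SHA256SUMS >/dev/null 2>&1
    )
}

# End-to-end run on constructed data. Returns 0 if all three checks behave as
# expected: the genuine release passes, a file tampered after signing fails, and
# a release re-signed by a different key fails even though gpg alone reports
# "Good signature" for it.
demo_release_signing() {
    work=$(mktemp -d)
    mkdir -m 700 "$work/maint" "$work/rogue" "$work/user"
    mkdir "$work/release"
    printf 'constructed linux build\n'   > "$work/release/app-linux.tar.gz"
    printf 'constructed windows build\n' > "$work/release/app-windows.zip"
    good=$(make_signing_key "$work/maint")
    rogue=$(make_signing_key "$work/rogue")
    result=0

    sign_release "$work/maint" "$good" "$work/release" app-linux.tar.gz app-windows.zip
    verify_release "$work/user" "$good" "$work/release" || result=1      # must pass

    printf 'backdoor\n' >> "$work/release/app-linux.tar.gz"             # tamper after signing
    if verify_release "$work/user" "$good" "$work/release"; then result=1; fi

    sign_release "$work/rogue" "$rogue" "$work/release" app-linux.tar.gz app-windows.zip
    if verify_release "$work/user" "$good" "$work/release"; then result=1; fi   # wrong key

    for h in maint rogue user; do
        GNUPGHOME="$work/$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    return "$result"
}

demo_release_signing && echo "release signing demo: all three checks behaved as expected"
```

The fingerprint check is the part most users skip: `gpg --verify` prints "Good signature" for any key that happens to be in the keyring, including one an attacker shipped next to a tampered release, so the expected fingerprint has to come from somewhere the release page does not control, which is exactly what the cross-signing and signed-commit suggestions above are for.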

[image attachment: y3qi5d35igslmh4c.jpg]

nahuhh · Dec 05 '23 22:12

Have you been able to verify if the pubkey is correct?

jonathancross · Jan 21 '24 17:01

@OmarHatem28

nahuhh · Jan 23 '24 12:01