stage0 icon indicating copy to clipboard operation
stage0 copied to clipboard
verified publisher icon oriansj

PGP-signed archives

Open JonathanWilbur opened this issue 1 year ago • 1 comments

For something security-sensitive like this, it would be nice to have PGP-signed compressed archives. Even if you just published a PGP and manually uploaded a signed archive one time, that would be great. I would be willing to do this myself, but who am I and how do you know you can trust me and my key?

JonathanWilbur avatar May 11 '24 20:05 JonathanWilbur

Well, the only truly security sensitive bits are the bootstrap seeds (which ideally you would make your own). Everything else was designed to be audited by independent parties. And compressed archives have the problem of having to trust your decompression tools to not tamper with the contents. (which is why mescc-tools-extras bootstraps such tools)

oriansj avatar Aug 20 '24 01:08 oriansj