Improve download verification options
There should be at least one way for our users to verify the integrity and authenticity of the downloaded application. Currently the macOS binary is signed and notarized, and there are some checks in the package manager installation methods. I believe the stable Windows releases are also code signed manually as well. That leaves the Linux AppImages and the Windows nightly builds as having no way of verifying the download. The other installation methods may still benefit from additional verification methods as they all have their own set of security assumptions. For example, the macOS code signing trusts Apple and GitHub, assumes that the certificates have never been compromised, and relies on the user to detect signing by the wrong developer or organization.
In a previous discussion (#1282), some ideas that were brought up are checksums and PGP signatures. Since then, GitHub has also added artifact attestation, which I have not worked with, but it looks like it could be relevant to this discussion. Reproducible builds are another way to improve trust in not only the distribution, but also the building of the binaries. Other suggestions are welcome; this issue is intended to be a place to discuss ideas right now.
The security-focused Tails distro offers a fairly detailed analysis of the download verification methods they offer, which can be found here: https://tails.net/contribute/design/download_verification/. They settled on OpenPGP signatures and a client-side JavaScript validation which is much more user-friendly.
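To make the checksum idea from this discussion concrete, here is an added example (not code from this project or from Tails) of what a checksum-based verifier has to do: parse a coreutils-style `SHA256SUMS` file, hash the downloaded bytes, and compare in constant time. The filename, the download bytes and the checksum file are all constructed sample data. It also shows the security-relevant limit of the approach: a checksum proves integrity only, so the `SHA256SUMS` file itself still has to be authenticated (for example by a PGP signature over it, as Tails does), otherwise whoever can replace the download can replace the checksum file too.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample data: a stand-in for a downloaded AppImage and its name.
SAMPLE_NAME = "example-nightly-x86_64.AppImage"  # hypothetical filename
SAMPLE_DOWNLOAD = b"#!/bin/sh\necho 'pretend AppImage payload'\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (what `sha256sum` prints)."""
    return hashlib.sha256(data).hexdigest()


# Constructed SHA256SUMS file in the coreutils format "<hexdigest>  <filename>".
SAMPLE_SUMS = (
    f"{sha256_hex(SAMPLE_DOWNLOAD)}  {SAMPLE_NAME}\n"
    "# a comment line, ignored\n"
    "0000000000000000000000000000000000000000000000000000000000000000 *other-file.zip\n"
)


def parse_sums(text: str) -> Dict[str, str]:
    """Parse 'hexdigest  filename' lines into {filename: hexdigest}.

    Blank lines and '#' comments are skipped; a leading '*' on the name
    (coreutils binary-mode marker) is stripped; anything else malformed is an error
    rather than silently ignored, so a corrupted checksum file cannot pass as 'no entry'.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        table[name.lstrip("*")] = digest.lower()
    return table


def check_download(name: str, data: bytes, sums_text: str) -> str:
    """Return 'ok', 'mismatch' or 'missing' for the download against the checksum file.

    This establishes integrity only. Authenticity requires that sums_text itself
    was verified out of band (e.g. a PGP signature over it or a signed release page);
    an attacker who can swap the download can usually swap an unsigned SHA256SUMS too.
    """
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return "missing"
    actual = sha256_hex(data)
    # Constant-time comparison avoids leaking how many leading hex digits matched.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


if __name__ == "__main__":
    print(SAMPLE_NAME, check_download(SAMPLE_NAME, SAMPLE_DOWNLOAD, SAMPLE_SUMS))
    print(SAMPLE_NAME, "(tampered)", check_download(SAMPLE_NAME, SAMPLE_DOWNLOAD + b"\x00", SAMPLE_SUMS))
```

The same structure maps onto `sha256sum -c SHA256SUMS` on Linux; what the script cannot do, and what the Tails design discussed above addresses, is decide whether the checksum file came from the project, which is why a checksum file is normally published alongside a signature or served from a channel the user already trusts.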