
Signed Downloads

Open 3knight opened this issue 1 year ago • 4 comments

Would it be possible to sign download files so end users can verify integrity before installing? Possibly with something like GPG or OpenSSH?

Thanks

3knight avatar Mar 09 '24 22:03 3knight

Hello, I don't know a lot about this process and requirements. Maybe you can provide some information about it, or help us implement it (you can find Linux build script here)?

dimkanovikov avatar Mar 11 '24 02:03 dimkanovikov

Hello! https://gnupg.org is a good choice.

  1. Create a pair of GPG keys.
  2. For the new release, use your private key to create a file signature. The command might look like this: gpg --detach-sign --armor your_file. This will create a signature file with the extension .asc.
  3. Provide your public key to users so they can verify the signature.
  4. Users can verify the signature using your public key and the command: gpg --verify your_file.asc your_file. If the signature is correct and the key is trusted, GPG will confirm that the file has not been altered.

MlDenis avatar Mar 19 '24 11:03 MlDenis
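The four steps above run end to end, as an added shell example that is not part of this thread or of the project's build scripts. It assumes GnuPG 2.x is on PATH as `gpg` (with `gpgconf`), plus `mktemp` and a POSIX sh; the key's user ID, the file names and the keyring directories are placeholders invented for the demonstration, and the "release file" is a constructed sample. Both sides use throwaway keyrings so nothing touches the real `~/.gnupg`. The user-side check goes one step beyond a bare `gpg --verify`: it also pins the signing key's fingerprint, because an attacker who can replace the download can replace the `.asc` and the published key too, so "some imported key signed this" is not enough; the fingerprint has to be compared with one obtained out of band (project page, README, a second channel).

```shell
#!/bin/sh
# Added example, not project code. Assumes GnuPG 2.x (gpg, gpgconf), mktemp, POSIX sh.
set -eu

# Step 1 (release side): generate a signing-only Ed25519 key in its own keyring.
# Passphrase-less for the demo only; a real release key belongs behind a
# passphrase or on a hardware token. Prints the primary key fingerprint.
make_release_key() {   # $1 = keyring dir
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Release Key
Name-Email: release@example.invalid
Expire-Date: 1y
%commit
EOF
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}'
}

# Step 2: detached, ASCII-armored signature written next to the file as "$2.asc".
sign_release() {   # $1 = keyring dir ; $2 = file to sign
    GNUPGHOME="$1" gpg --batch --yes --armor --detach-sign "$2"
}

# Step 3: export the public key that users will import.
export_public_key() {   # $1 = keyring dir ; $2 = output path
    GNUPGHOME="$1" gpg --batch --armor --export > "$2"
}

# Step 4 (user side): import the published key into a fresh keyring and verify.
# Returns 0 only if gpg reports VALIDSIG *and* the signing key's fingerprint
# (subkey or primary) equals the fingerprint the user obtained out of band.
verify_download() {   # $1 = pubkey file ; $2 = signature ; $3 = file ; $4 = expected fingerprint
    vhome=$(mktemp -d); chmod 700 "$vhome"
    GNUPGHOME="$vhome" gpg --batch --quiet --import "$1" 2>/dev/null
    # --status-fd 1 emits machine-readable "[GNUPG:] ..." lines on stdout.
    status=$(GNUPGHOME="$vhome" gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null) || status=""
    GNUPGHOME="$vhome" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$vhome"
    printf '%s\n' "$status" | awk -v want="$4" '
        $1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==want || $NF==want) { ok=1 }
        END { exit ok ? 0 : 1 }'
}

# Full round trip, including the failure mode a user actually cares about.
run_demo() {
    work=$(mktemp -d)
    printf 'constructed sample release contents\n' > "$work/starc-demo.AppImage"
    fpr=$(make_release_key "$work/release-keyring")
    sign_release "$work/release-keyring" "$work/starc-demo.AppImage"
    export_public_key "$work/release-keyring" "$work/release-key.asc"
    echo "published fingerprint (to be checked out of band): $fpr"
    if verify_download "$work/release-key.asc" "$work/starc-demo.AppImage.asc" "$work/starc-demo.AppImage" "$fpr"; then
        echo "good: signature valid and from the expected key"
    else
        echo "unexpected: untouched file failed verification"; return 1
    fi
    printf 'X' >> "$work/starc-demo.AppImage"   # tamper with the download
    if verify_download "$work/release-key.asc" "$work/starc-demo.AppImage.asc" "$work/starc-demo.AppImage" "$fpr"; then
        echo "unexpected: tampered file accepted"; return 1
    else
        echo "good: tampered file rejected"
    fi
    GNUPGHOME="$work/release-keyring" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo "gpg not installed; nothing to demonstrate" >&2
fi
```

Publishing the key's fingerprint somewhere users can read it (README, project page) is what makes step 3 useful; the `.asc` next to the download only proves consistency with whatever key sits beside it. For the OpenSSH route the issue also mentions, the equivalent is `ssh-keygen -Y sign` on the release side and `ssh-keygen -Y verify` against an `allowed_signers` file on the user side, where pinning the key is built into the format.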