I was wondering if the person building the binaries could put those (md5 and sha1 sums) both on a page that is gpg signed? Then as I get to know the person building the binaries and if the key changes I can be suspicious of someone putting up another binary.
Am 03.04.2017 um 22:10 schrieb Jeff Sadowski:
I was wondering if the person building the binaries could put those (md5 and sha1 sums) both on a page that is gpg signed? Then as I get to know the person building the binaries and if the key changes I can be suspicious of someone putting up another binary.
I'm not quite sure which binaries you are referring to.
The ones for macOS and Windows have *.asc files in the directory where the *.dmg / *.exe files are available for download.
Linux packages are signed in a way that the package management system automatically verifies the GPG signature.
And the pre-built X2Go-TCE-live images have *.asc-files as well.
So which files are lacking a GPG signature, in your opinion?
Kind Regards, Stefan Baur X2Go Project/Community Manager
-- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243