4 Oct 2014, 2 p.m.
Use GPG to verify the integrity of the download and calculate the checksum locally for yourself. Users of your package have to trust you anyway, as you can basically do anything to your package, anyway.
Best regards, Karol Babioch
OK, you have a point, understood.
For reference, a PGP signature is a hash of the file encrypted with the public key, so that people that have the public key can decrypt the hash and verify that the file they have is the one that upstream published.

--
Sincerely,
Johannes Löthberg
PGP Key ID: 0x50FB9B273A9D0BB5
https://keybase.io/johannes
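The procedure the thread recommends, verifying the upstream signature and computing the checksum locally, as an added shell example that is not part of the thread and not anyone's posted code. It assumes GNU coreutils (`sha256sum`) or `shasum` for the digest, and `gpg` for the signature check; the `TRUSTED_FPR` value, the file names and the `demo` input are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): verify an upstream download with GPG,
# then compute the checksum locally instead of copying it from a website.
set -u

# Portable SHA-256: GNU coreutils sha256sum, or Perl shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a locally computed digest with an expected value (case-insensitive).
# Returns 0 on match, 1 on mismatch, and reports both digests on stderr.
check_sha256() {
    actual=$(sha256_of "$1")
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$want" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' "$1" "$2" "$actual" >&2
    return 1
}

# Verify a detached signature AND pin the signing key: a "Good signature"
# from any key in the keyring is not enough, so require gpg's VALIDSIG
# status line to carry the fingerprint you imported on purpose.
# TRUSTED_FPR below is a placeholder, not a real upstream key.
TRUSTED_FPR="0000000000000000000000000000000000000000"
verify_signature() {
    file=$1; sig=$2
    gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $TRUSTED_FPR "
}

# Demonstration on constructed input (not upstream data): a file holding the
# bytes "abc", whose SHA-256 is the standard test vector given below.
demo() {
    tmp=$(mktemp)
    printf 'abc' > "$tmp"
    check_sha256 "$tmp" "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical use after downloading foo-1.0.tar.gz and foo-1.0.tar.gz.sig:
#   verify_signature foo-1.0.tar.gz foo-1.0.tar.gz.sig && sha256_of foo-1.0.tar.gz
# Only run the demo when invoked directly, so sourcing the file stays silent.
if [ "${BASH_SOURCE[0]:-$0}" = "$0" ] && [ "${1:-}" = "--demo" ]; then
    demo && echo "demo: checksum matches"
fi
```

The digest printed by `sha256_of` is the value to record in the package (for makepkg, the `sha256sums` array), and the pinned fingerprint is what `validpgpkeys` holds; together they mean a later download is rejected if either the file or the signing key changes.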