Signing stable releases

Hi cool people,

I thought that signing stable releases would be a pretty neat improvement in terms of security.
Plus it has a near zero cost of implementation. Also, it won’t affect users who don’t care. So it’s a win for everyone. :smiley:

As for the signing mechanism I would suggest using one of those, in the following order:

  1. Signify.
  2. Reop.
  3. OpenPGP.

(OpenPGP is better than nothing but 1 & 2 literally destroy it.)

Thanks for reading.

I forgot to link some info about the first two programs. (I’m assuming that everyone already knows OpenPGP.)

So here are some useful links about them:

Signify

A smoll utility designed only for signing stuff. Ages less complex than OpenPGP.

Reop

Similar to OpenPGP, but better. It’s not a hot glued mess.

OpenPGP

Don’t. Some articles about it are linked in the blogpost about reop.

yeah, given that we update from a near-arbitrary URL, a verification wouldn’t be the worst idea in the world

i’ll look into it~


Thanks for considering this.
:D

Implemented as of Akkoma stable 2022.09 - modified in translation

thanks for letting me know about this~
