Verification of Binary Signature Missing #1472
Comments
|
{{ message }}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
How can I verify that the
keystone3.binbinary was actually signed by you? Where can I download the public key for signature verification?Currently, you only verify that the binary downloaded onto the device is the same as the one that was initially downloaded. However, this does not guarantee that the binary is legitimate, as it could have been tampered with (e.g., if the website was compromised). The use of a checksum (like SHA-256) ensures that the file hasn't been altered during the download process, but it doesn’t protect against malicious files being downloaded in the first place.
At this point, to verify the integrity of the binary, I would need to install it and compare it with my local build (created from the source code on GitHub). As a user, I would feel more confident if there was a way to independently verify that you signed the binary before I proceed with installation.
It would be very helpful if you could provide a signature verification process and make the corresponding public key available. This way, users can be certain that the binary was signed by you before installation.
The text was updated successfully, but these errors were encountered: