Sign binaries or at least add checksum

A password manager should put security first. I think it is important for the binaries to be signed or at least have a checksum (sha256 or similar) to provide some confidence that the file has not been tampered with.

Which platform & distribution are you referring to? Android, iOS and macOS are already signed, afaik the PPA for Ubuntu should also be signed correctly.

So I guess Windows and Linux tars are still missing signatures. For Windows it would be nice to just sign the exe file, but right now I don’t want to invest the money into a developer certificate :sweat_smile: and I’m not sure if a self-signed certificate improves things too much…
I guess I could just sign the download archives themselves. But distributing the public key from the same website you are getting the binary from is probably not improving security significantly… :thinking:

Do you have experience with implementing signed archives? Basically everything is built with GitHub workflows: https://github.com/authpass/authpass/tree/master/.github/workflows. Contributions are very welcome :slight_smile:

I mainly use Linux and Windows. As you say, the iOS, Android and Mac versions are signed. I think self-signing adds a useful level of security. I don’t know how to implement this, but the way I have seen it used on other projects is that GPG is used to produce a signing key. Users download the public key and the signature file. GPG is then used to verify that the signature matches the file and is valid.
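The release-side and user-side steps described in the last two posts, as an added shell example that is not AuthPass project code: a SHA256SUMS file covers all download archives, one detached GPG signature covers that file, and the user verifies the signature before checking the hashes. It assumes GNU coreutils and GnuPG 2.x; the signing key id and the public key file name are placeholders.

```shell
#!/bin/sh
# Added example, not AuthPass project code: checksum file plus a detached GPG
# signature over it, so one signature covers every artifact of a release.
# Assumes GNU coreutils sha256sum and GnuPG 2.x; key id/file are placeholders.
set -eu

# Release side: SHA256SUMS lists every artifact in the directory, sorted so the
# file is reproducible; the checksum file and signatures are excluded.
write_checksums() {            # $1 = release directory
  ( cd "$1" && find . -maxdepth 1 -type f ! -name SHA256SUMS ! -name '*.asc' \
        -exec sha256sum {} + | sed 's#  \./#  #' | sort -k 2 > SHA256SUMS )
}

# Release side: armoured detached signature. The private key lives only in the
# release environment (e.g. a CI secret), never next to the downloads.
sign_checksums() {             # $1 = release directory, $2 = signing key id
  ( cd "$1" && gpg --batch --yes --armor --local-user "$2" \
        --output SHA256SUMS.asc --detach-sign SHA256SUMS )
}

# User side, step 1: the signature proves SHA256SUMS came from the key holder.
verify_signature() {           # $1 = download directory, $2 = public key file
  ( cd "$1" && gpg --batch --import "$2" \
        && gpg --batch --verify SHA256SUMS.asc SHA256SUMS )
}

# User side, step 2: every downloaded file must match the signed list.
# --strict also fails on malformed lines, so a truncated list is rejected.
verify_checksums() {           # $1 = download directory
  ( cd "$1" && sha256sum -c --strict --quiet SHA256SUMS )
}

# Demonstration on constructed artifacts (the checksum part needs no key).
demo() {
  dir=$(mktemp -d)
  printf 'archive-bytes' > "$dir/authpass-linux.tar.gz"
  printf 'installer-bytes' > "$dir/authpass-windows.exe"
  write_checksums "$dir"
  verify_checksums "$dir"
  echo "untampered download: OK"
  printf 'x' >> "$dir/authpass-windows.exe"    # simulate a modified download
  if verify_checksums "$dir" 2>/dev/null; then
    echo "tampering not detected"; return 1
  fi
  echo "tampered download: rejected"
  rm -rf "$dir"
}

demo
```

Signing SHA256SUMS rather than each archive keeps a single `.asc` per release; the key-distribution caveat raised above still applies, since a user who fetches the public key from the same site gains nothing against a compromised site.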