A password manager should put security first. I think it is important for the binaries to be signed or at least have a checksum (sha256 or similar) to provide some confidence that the file has not been tampered with.
Which platform & distribution are you referring to? Android, iOS and macOS are already signed; AFAIK the PPA for Ubuntu should also be signed correctly.
So I guess the Windows and Linux tarballs are still missing signatures. For Windows it would be nice to just sign the .exe file, but right now I don't want to invest the money in a developer certificate, and I'm not sure if a self-signed certificate improves things too much…
I guess I could just sign the download archives themselves. But distributing the public key from the same website you are getting the binary from is probably not improving security significantly…
Do you have experience with implementing signed archives? Basically everything is built with GitHub workflows: https://github.com/authpass/authpass/tree/master/.github/workflows Contributions are very welcome.
I mainly use Linux and Windows. As you say, the iOS, Android and Mac versions are signed. I think self-signing adds a useful level of security. I don't know how to implement this, but the way I have seen it used on other projects is that GPG is used to produce a signing key. Users download the public key and the signature file. GPG is then used to verify that the signature matches the file and is valid.
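The GPG flow described in the post above, as an added example that is not part of the thread and not AuthPass's own release tooling: a release-side step that detach-signs a constructed stand-in archive and writes a checksum file, a user-side step that imports only the exported public key and verifies both, and a final check that a modified archive is rejected. The key identity, the `example.invalid` address and the file names are made up; it needs GnuPG 2.1+ and coreutils, and runs in throwaway keyrings so it never touches `~/.gnupg`.

```shell
#!/usr/bin/env bash
# Added example (not AuthPass project code): sign a release archive with a
# detached GPG signature and verify it the way a downloading user would.
# The key identity and file names below are invented for the demo.

# Body runs in a subshell so `set -e`, `export GNUPGHOME` and the temp dir
# stay local to the function.
demo_sign_and_verify() (
  set -euo pipefail
  local work
  work="$(mktemp -d)"
  trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$work"' EXIT

  # ---- Release side (what the CI job would do) --------------------------
  export GNUPGHOME="$work/release-gnupg"
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

  # Throwaway Ed25519 signing key, no passphrase, valid for one day.
  # In real CI the private key would come from a secret, not be generated here.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'AuthPass Release (demo) <release@example.invalid>' \
      ed25519 sign 1d

  # Constructed stand-in for the Linux tarball.
  printf 'pretend this is the authpass linux tarball\n' > "$work/authpass-linux.tar.gz"

  # Detached ASCII-armoured signature published next to the archive.
  gpg --batch --quiet --armor --detach-sign \
      --output "$work/authpass-linux.tar.gz.asc" "$work/authpass-linux.tar.gz"

  # Checksum file; a checksum alone only detects corruption, so it is
  # published alongside the signature rather than instead of it.
  (cd "$work" && sha256sum authpass-linux.tar.gz > SHA256SUMS)

  # Public key that users fetch (ideally with its fingerprint published
  # through a second channel, e.g. committed to the repository).
  gpg --batch --quiet --armor --export 'release@example.invalid' > "$work/release-key.asc"

  # ---- User side -------------------------------------------------------
  export GNUPGHOME="$work/user-gnupg"
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --import "$work/release-key.asc"

  # 1. The genuine archive must pass both the signature and checksum checks.
  gpg --batch --quiet --verify "$work/authpass-linux.tar.gz.asc" \
      "$work/authpass-linux.tar.gz" 2>/dev/null \
      || { echo "FAIL: genuine archive did not verify"; return 1; }
  (cd "$work" && sha256sum --check --quiet SHA256SUMS) \
      || { echo "FAIL: checksum mismatch on genuine archive"; return 1; }

  # 2. A tampered archive must be rejected: the signature covers the whole
  #    file, so even a one-byte change invalidates it.
  printf 'x' >> "$work/authpass-linux.tar.gz"
  if gpg --batch --quiet --verify "$work/authpass-linux.tar.gz.asc" \
        "$work/authpass-linux.tar.gz" 2>/dev/null; then
    echo "FAIL: tampered archive verified"
    return 1
  fi

  echo "OK: genuine archive verified, tampered archive rejected"
  return 0
)

demo_sign_and_verify
```

`gpg --verify` exits 0 here even though the user's keyring does not mark the key as trusted; it prints a "not certified with a trusted signature" warning, which is exactly the point raised earlier in the thread about fetching the key from the same site as the download. The usual mitigation is to publish the key fingerprint somewhere with separate integrity (the git repository, a keyserver, release notes signed by an earlier key) so the user can compare it before importing.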