Application Security: consider PGP signed releases

Software is distributed on Linux as an AppImage, which has no native sandboxing and should be considered untrusted.

Best practice for releases are publishing a PGP public key on a keyserver and offering a signature file created with this keypair alongside each release. This allows user to verify with some confidence that the binary is genuine and was not forged or altered by an attacker.

Cheers

*typo “considered trusted

also: bump

Sorry for the delay in the response. We’re a lean team and try to prioritize the most important features right now (until we grow a bit more :slightly_smiling_face:)

Noted this down as a feature request on our end though.

1 Like