PGP-signed archives #39

Open
JonathanWilbur opened this issue May 11, 2024 · 1 comment

Comments

@JonathanWilbur

For something security-sensitive like this, it would be nice to have PGP-signed compressed archives. Even if you just published a PGP and manually uploaded a signed archive one time, that would be great. I would be willing to do this myself, but who am I and how do you know you can trust me and my key?

@oriansj
Owner

oriansj commented Aug 20, 2024

Well, the only truly security-sensitive bits are the bootstrap seeds (which ideally you would make your own). Everything else was designed to be audited by independent parties. And compressed archives have the problem of having to trust your decompression tools to not tamper with the contents (which is why mescc-tools-extras bootstraps such tools).
