
Replied to a post on github.com:

So long as the fingerprint of the signing key is published, and distributed via *HTTPS*, the fact that the download isn't is not absolutely terrible. Verification of the binary via the signing key should prevent tampering; however, most folk won't do this, so you should still distribute via HTTPS.

(Oh, and it goes without saying you have decent OpSec procedures around your signing key... don't, for example, keep it on an internet-connected machine, and certainly not your production server. You should also rotate keys fairly regularly.)
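As an added example (not the commenter's code), a POSIX shell sketch of the check the reply describes: pin the fingerprint obtained over HTTPS, refuse the downloaded key unless it matches, and only then verify the detached signature. The pinned value, file names and the throwaway-keyring flow are assumptions; the final `gpg --verify` step needs gpg installed.

```shell
#!/bin/sh
# Constructed example: trust is anchored in a fingerprint fetched over HTTPS
# (pinned in the script or a config), not in whatever key file was downloaded
# alongside the binary.

# Normalise a fingerprint: drop spaces/newlines, upper-case hex.
norm_fpr() {
  printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Compare the fingerprint gpg reports with the pinned one.
# Empty values are rejected so a failed key parse can never "match".
fpr_matches() {
  pinned=$(norm_fpr "$1")
  seen=$(norm_fpr "$2")
  [ -n "$pinned" ] && [ -n "$seen" ] && [ "$pinned" = "$seen" ]
}

# Pull the primary-key fingerprint (field 10 of the first "fpr" record)
# out of `gpg --with-colons` output.
first_fpr_from_colons() {
  printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Full flow: inspect the key without importing it, check the pin, import into
# a fresh keyring, verify the signature. Usage:
#   verify_release "<PINNED FINGERPRINT>" release.key release.tar.gz.sig release.tar.gz
verify_release() {
  pinned_fpr=$1; keyfile=$2; sigfile=$3; binary=$4
  home=$(mktemp -d) || return 1
  chmod 700 "$home"
  colons=$(gpg --homedir "$home" --batch --with-colons --show-keys "$keyfile" 2>/dev/null)
  actual=$(first_fpr_from_colons "$colons")
  if ! fpr_matches "$pinned_fpr" "$actual"; then
    echo "fingerprint mismatch: expected $pinned_fpr, got ${actual:-<none>}" >&2
    rm -rf "$home"; return 1
  fi
  gpg --homedir "$home" --batch --import "$keyfile" >/dev/null 2>&1 || { rm -rf "$home"; return 1; }
  # The pin is the trust decision; the keyring holds only this one key.
  gpg --homedir "$home" --batch --trust-model always --verify "$sigfile" "$binary"
  rc=$?
  rm -rf "$home"
  return $rc
}
```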