How can I verify that the `keystone3.bin` binary was actually signed by you? Where can I download the public key for signature verification?
Currently, you only verify that the binary downloaded onto the device is the same as the one that was initially downloaded. However, this does not guarantee that the binary is legitimate, as it could have been tampered with (e.g., if the website was compromised). The use of a checksum (like SHA-256) ensures that the file hasn't been altered during the download process, but it doesn’t protect against malicious files being downloaded in the first place.
At this point, to verify the integrity of the binary, I would need to install it and compare it with my local build (created from the source code on GitHub). As a user, I would feel more confident if there were a way to independently verify that you signed the binary before I proceed with installation.
It would be very helpful if you could provide a signature verification process and make the corresponding public key available. This way, users can be certain that the binary was signed by you before installation.
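
The difference between the checksum check and the signature check requested above, as an added example that is not part of the original issue and is not the vendor's actual signing scheme. The file names, the throwaway ECDSA P-256 key pair and the `openssl dgst` workflow are all assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: constructed files and a throwaway key, not the vendor's key or scheme.
# Assumes openssl and sha256sum are installed.

# Vendor side (assumed workflow): build a scratch release in directory $1.
make_release() {
  printf 'constructed firmware image v1\n' > "$1/firmware.bin"
  # The private key would stay offline; the public key reaches users through
  # a channel independent of the download site.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$1/vendor_key.pem" 2>/dev/null
  openssl pkey -in "$1/vendor_key.pem" -pubout -out "$1/vendor_pub.pem"
  openssl dgst -sha256 -sign "$1/vendor_key.pem" \
    -out "$1/firmware.bin.sig" "$1/firmware.bin"
  (cd "$1" && sha256sum firmware.bin > SHA256SUMS)
}

# Model a compromised download site: the file and the checksum published next
# to it are both replaced. Without the private key no valid signature can be
# produced for the new file, so the old signature is left in place.
compromise_site() {
  printf 'constructed TAMPERED image\n' > "$1/firmware.bin"
  (cd "$1" && sha256sum firmware.bin > SHA256SUMS)
}

# Integrity only: does the file match the checksum served by the same site?
check_checksum() {
  (cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1)
}

# Authenticity: does the detached signature verify under the public key the
# user obtained out of band?
check_signature() {
  openssl dgst -sha256 -verify "$1/vendor_pub.pem" \
    -signature "$1/firmware.bin.sig" "$1/firmware.bin" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_release "$d"
  check_checksum "$d"  && echo "genuine:  checksum OK"
  check_signature "$d" && echo "genuine:  signature OK"
  compromise_site "$d"
  check_checksum "$d"  && echo "tampered: checksum still OK"
  check_signature "$d" || echo "tampered: signature REJECTED"
  rm -rf "$d"
}
demo
```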