Signing repository for future binary release #182
vincenzopalazzo started this conversation in Ideas
Replies: 0 comments
Currently, with git, we must trust that we are downloading a plugin that a specific developer develops, and this is fine because we are building it from source.

But what happens when we implement the release binary? We should have a way to identify and verify the source. This can be done with GPG ofc, but we can use the lightning sign algorithm to do that, and in this case the developer is just a public key.

In this way, we can verify that we are tipping the right developer too :)
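The scheme the post sketches, as an added worked example that is not part of the discussion and not the project's own code. It follows the message-signing convention Lightning nodes already expose (CLN `signmessage`/`checkmessage`, lnd `signmessage`/`verifymessage`): the message is prefixed with `Lightning Signed Message:`, hashed with double SHA-256, signed with the node's secp256k1 key as a 65-byte compact recoverable signature whose header byte is the recovery id plus 31, and zbase32-encoded. Because the verifier recovers the public key from the signature, "the developer" really is just a public key, and the same key can be the tipping destination. Everything below is pure Python so it runs offline; assumptions that are this example's and not the project's: the nonce derivation is a simplification rather than RFC 6979, the message signed for a release is the hex SHA-256 of the artifact, and the developer key and artifact bytes are constructed sample data.

```python
# Added example, not the project's own code: Lightning-style "signmessage" over a
# release artifact in pure Python (prefix "Lightning Signed Message:", sha256d,
# secp256k1 compact recoverable signature with header = recid + 31, zbase32).
# Assumptions of this example: simplified nonce (NOT RFC 6979), the signed message
# is the hex sha256 of the artifact, and the key/artifact below are constructed.
import hashlib
import hmac

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
PREFIX = b"Lightning Signed Message:"
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def _add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def _digest(msg):  # sha256d(PREFIX || msg): the hash a node's signmessage signs
    return hashlib.sha256(hashlib.sha256(PREFIX + msg).digest()).digest()

def zb32_encode(data):
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))

def zb32_decode(text):
    bits = "".join(f"{ZB32.index(c):05b}" for c in text)  # ValueError on a bad char
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))

def pubkey(priv):  # compressed SEC1 encoding of priv*G: the developer's identity
    q = _mul(priv, G)
    return bytes([2 + (q[1] & 1)]) + q[0].to_bytes(32, "big")

def artifact_message(artifact):  # this example's convention: sign the hex sha256
    return hashlib.sha256(artifact).hexdigest().encode()

def sign_message(priv, msg):
    """zbase32 compact recoverable signature over msg, the format signmessage emits."""
    h = _digest(msg)
    e = int.from_bytes(h, "big")
    # Simplified deterministic nonce (NOT RFC 6979): HMAC-SHA256(priv, digest) mod N.
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), h, hashlib.sha256).digest(), "big") % N
    rx, ry = _mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (e + r * priv) % N
    recid = (ry & 1) | (2 if rx >= N else 0)
    if s > N // 2:  # low-S form; negating s negates R, which flips the y parity
        s, recid = N - s, recid ^ 1
    return zb32_encode(bytes([31 + recid]) + r.to_bytes(32, "big") + s.to_bytes(32, "big"))

def recover_pubkey(sig, msg):
    """Compressed public key that produced sig over msg; ValueError if malformed."""
    raw = zb32_decode(sig)
    if len(raw) != 65 or not 31 <= raw[0] <= 34:
        raise ValueError("not a 65-byte compact signature with header 31..34")
    recid, r, s = raw[0] - 31, int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")
    x = r + (recid >> 1) * N
    rhs = (x ** 3 + 7) % P
    y = pow(rhs, (P + 1) // 4, P)  # modular sqrt, valid because P % 4 == 3
    if not (1 <= r < N and 1 <= s <= N // 2) or x >= P or y * y % P != rhs:
        raise ValueError("r/s out of range (high-S rejected) or R not on the curve")
    if (y & 1) != (recid & 1):
        y = P - y
    e = int.from_bytes(_digest(msg), "big") % N
    q = _mul(pow(r, -1, N), _add(_mul(s, (x, y)), _mul(N - e, G)))  # Q = r^-1 (s*R - e*G)
    if q is None:
        raise ValueError("recovered the point at infinity")
    return bytes([2 + (q[1] & 1)]) + q[0].to_bytes(32, "big")

def verify_release(sig, artifact, developer_pubkey):
    """True iff sig over artifact_message(artifact) recovers developer_pubkey."""
    try:
        return recover_pubkey(sig, artifact_message(artifact)) == developer_pubkey
    except ValueError:
        return False

# Constructed sample data: a fake developer key and a fake release binary.
DEV_PRIV = int.from_bytes(hashlib.sha256(b"constructed developer key").digest(), "big") % N
DEV_PUB = pubkey(DEV_PRIV)
ARTIFACT = b"constructed plugin binary v0.1.0\x00\x01\x02"
```

A release would then ship the artifact, its signature string (`sign_message(DEV_PRIV, artifact_message(ARTIFACT))`, 104 zbase32 characters) and the developer's compressed public key; a user runs `verify_release(sig, downloaded_bytes, expected_pubkey)`, which returns `False` both for a tampered binary and for a well-formed signature made by some other key, and also for anything that does not decode to a 65-byte low-S signature. With a real node the key is the node key, so the same `DEV_PUB` is what a tip would be routed to.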