Posted 31 March 2012 - 12:07 AM
Posted 31 March 2012 - 06:26 AM
Posted 31 March 2012 - 10:58 AM
The signing key should not be located on the server. This prevents the creation of a forged signature even if the server is compromised. Keys also require a passphrase.
If the server is hacked to place malicious installer/exes the hackers will simply replace the codes as well. I see no added value.
The use of a signature would prevent DNS spoofing and other MITM attacks that do not require the server to be hacked, and would allow for downloads from mirrors to be authenticated.
Posted 31 July 2012 - 10:23 PM
Posted 01 August 2012 - 03:16 AM
+1 This would ensure that the files downloaded are the genuine article.
I would like to recommend adding GPG signatures to the download page.
I would encourage everyone to protect their files in this way. That way if the server gets hacked again, your files can be verified.