Signed releases

[Mikaela]

Do you have plans to sign the releases on GitHub? I was only able to find ipfs/kubo#957 which seemed to be stuck on some Go issue/release, but there are already packages provided by IPFS Desktop and I am wondering how can I verify their authenticity?

I understand that the appimage/electron has something to verify authenticity of an update, but can that be used to verify the authenticity of the initial download?

[lidel]

Great question!

iirc we already do vendor-specific signing:

• Windows .exe are signed
• macOS .dmg is signed too, what remains to be done is "notarization", which is being tracked in 'IPFS Desktop' can't be opened because Apple cannot check it for malicious software #1211

As for vendor-agnostic signing, see already existing issues at #789 and #1189 (we want to switch from github releases to self-hosted autoupdate solution + leverage content-addressing).

[hardcore-sushi]

For Linux releases, it would be great to sign binaries with a PGP key. You could still use github or amazon but authenticity will be guaranteed. The PGP key could be retrieved from ipfs.io, keyservers, or directly on IPFS (available via a gateway).