undefined | Better HN

0 pointskpcyrd7y ago0 comments

I've just edited my comment to make this clearer. Doing code signing with signify or pgp gives you a way the verify the binary you downloaded is actually the file the developer built on their laptop, even if the webserver is compromised. Linux ISOs are very commonly distributed that way. I agree that it's extremely uncommon for windows users to verify this though.

0 comments

prepend7y ago

Windows does not care about non-windows recognized signatures.

So this works fine for users who care about gpg verification, but fails the “Windows doesn’t prompt me about insecure stuff” test.

someguydave7y ago

presumably the user who understands how GPG signing works also doesn't care what windows thinks

j / k navigate · click thread line to collapse

0 pointskpcyrd7y ago0 comments

0 comments

prepend7y ago

Windows does not care about non-windows recognized signatures.

So this works fine for users who care about gpg verification, but fails the “Windows doesn’t prompt me about insecure stuff” test.

someguydave7y ago

presumably the user who understands how GPG signing works also doesn't care what windows thinks

j / k navigate · click thread line to collapse