You are already getting that for Linux bundles by default. Even for Windows you don't need GPG if you just want to check the provided SHA-256 sums (you need to strip the Authenticode signature first, but we have a guide for that on our signature verification page). So that leaves OS X users, then. But it seems to me that does not account for the gap between downloads and signature downloads. Moreover, we are working on that, trying to provide tools to strip the signature and get the same SHA-256 sum as the unsigned .dmg file.

Still, being able to check the SHA-256 hash alone is not really more secure than just downloading the bundle and running it.

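What "stripping the Authenticode signature" amounts to, as an added example that is not part of the original comment or of the project's own verification guide: a signed PE file carries the signature as a WIN_CERTIFICATE table appended at the end of the file, and the Security entry of the optional header's data directory (index 4, whose first field is a raw file offset rather than an RVA) points at it. Truncating the file at that offset and zeroing the directory entry recovers the unsigned image. The function names, the synthetic PE image and the fake signing helper below are my own constructions; the example assumes the signing tool appended the certificate table at the very end and touched nothing else. Real tools may also pad the image to 8-byte alignment and rewrite the PE checksum field, which this code does not model, so on a real bundle a remaining hash mismatch is worth checking against those two fields before assuming tampering.

```python
"""Strip an Authenticode signature from a PE file so its SHA-256 can be
compared with the published sum of the unsigned build (added example)."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory slot holding the certificate table


def _security_dir_offset(data: bytes) -> int:
    """Return the file offset of the Security data-directory entry (8 bytes: offset, size)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt_hdr = e_lfanew + 4 + 20  # skip PE signature and 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic == 0x10B:      # PE32: data directories start 96 bytes into the optional header
        dirs = opt_hdr + 96
    elif magic == 0x20B:    # PE32+: data directories start 112 bytes in
        dirs = opt_hdr + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY


def strip_authenticode(data: bytes) -> bytes:
    """Return the image with its certificate table removed and the directory entry zeroed."""
    sec = _security_dir_offset(data)
    cert_off, cert_len = struct.unpack_from("<II", data, sec)
    if cert_off == 0 and cert_len == 0:
        return data  # already unsigned: nothing to strip
    # Only the "table appended at the end" layout is reversible by truncation; refuse anything else.
    if cert_off + cert_len != len(data):
        raise ValueError("certificate table is not at the end of the file; refusing to strip")
    out = bytearray(data[:cert_off])
    struct.pack_into("<II", out, sec, 0, 0)
    return bytes(out)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_test_pe(payload: bytes = b"constructed test image") -> bytes:
    """Construct a minimal unsigned PE32+ image (headers plus filler); no real sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)    # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    return dos + b"PE\0\0" + coff + bytes(opt) + payload


def fake_sign(unsigned: bytes, blob: bytes) -> bytes:
    """Append a WIN_CERTIFICATE table the way a signing tool would (constructed; blob is not a real
    PKCS#7 signature, and padding/checksum updates that real tools may perform are not modelled)."""
    data = bytearray(unsigned)
    cert_off = len(data)
    win_cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob  # dwLength, revision, type
    data += win_cert
    struct.pack_into("<II", data, _security_dir_offset(data), cert_off, len(win_cert))
    return bytes(data)


if __name__ == "__main__":
    unsigned = build_test_pe()
    signed = fake_sign(unsigned, b"not a real PKCS#7 blob")
    print("signed  :", sha256_hex(signed))
    print("stripped:", sha256_hex(strip_authenticode(signed)))
    print("unsigned:", sha256_hex(unsigned))
```

The comparison to make is between the stripped hash and the published sum for the unsigned bundle; the hash of the signed file as downloaded will never match it, which is the "gap" a naive checker runs into.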