Page 1 of 1

Request - Signing O3X releases with GPG

PostPosted: Sun Oct 29, 2017 12:03 pm
by mohak
Hi guys,

There is a recent trend of attacks on servers where an application's original installer is replaced with a malware infested one. Handbrake, CCleaner, Elmedia Player are a few recent examples. Some of these infected-binaries have even succeeded at bypassing Apple's GateKeeper.

With that in mind, I wonder if the devs have considered using GPG to sign there releases. It could help mitigate this issue; at least for the users who verify the signatures after downloading. Additionally, the users who detect invalid signatures in a release could immediately notify the developers, aiding in a quick recovery from a hypothetical attack.

Regards,
Mohak

P.S.: On a side note, I am extremely thankful to all the developers for O3X! You have made my life a hell of a lot easier by porting ZFS to macOS. I can finally use a modern fs and share my drives between my Mac and Linux machines. :)