Request - Signing O3X releases with GPG


Post by mohak » Sun Oct 29, 2017 12:03 pm

Hi guys,

There is a recent trend of attacks on servers where an application's original installer is replaced with a malware-infested one. Handbrake, CCleaner, Elmedia Player are a few recent examples. Some of these infected binaries have even succeeded at bypassing Apple's Gatekeeper.

With that in mind, I wonder if the devs have considered using GPG to sign their releases. It could help mitigate this issue; at least for the users who verify the signatures after downloading. Additionally, the users who detect invalid signatures in a release could immediately notify the developers, aiding in a quick recovery from a hypothetical attack.

Regards,
Mohak

P.S.: On a side note, I am extremely thankful to all the developers for O3X! You have made my life a hell of a lot easier by porting ZFS to macOS. I can finally use a modern fs and share my drives between my Mac and Linux machines. :)
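
The verification step the post asks users to perform, sketched as an added example that is not part of the original post or of the O3X project: a shell function that reads GnuPG's machine-readable `--status-fd` lines and trusts a download only when the signature is valid and comes from a pinned release key. The fingerprints, file names and sample status lines are constructed assumptions.

```shell
#!/bin/sh
# Added example. Fingerprints and status lines below are constructed samples.
PINNED=0123456789ABCDEF0123456789ABCDEF01234567  # hypothetical release key
OTHER=FEDCBA9876543210FEDCBA9876543210FEDCBA98   # hypothetical unknown key

# verdict_from_status PINNED_FPR   (gpg --status-fd lines on stdin)
# Prints "trusted" and returns 0 only if a valid signature by the pinned key
# was seen and no signature failed; otherwise prints a reason and returns 1.
verdict_from_status() {
    pinned=$1
    verdict="rejected:NO_VALID_SIGNATURE"
    while read -r tag keyword arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                # A bad, unverifiable, expired or revoked signature vetoes the file.
                echo "rejected:$keyword"; return 1 ;;
            VALIDSIG)
                # arg1 is the signing (sub)key fingerprint; the last field
                # is the primary key fingerprint.
                primary=${rest##* }
                if [ "$arg1" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    verdict="trusted"
                else
                    # Valid signature, but from a key we never pinned.
                    echo "rejected:UNEXPECTED_KEY"; return 1
                fi ;;
        esac
    done
    echo "$verdict"
    [ "$verdict" = "trusted" ]
}

# Constructed status output for three cases.
sample_good() { printf '%s\n' "[GNUPG:] NEWSIG" \
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer" \
    "[GNUPG:] VALIDSIG $PINNED 2017-10-29 1509278580 0 4 0 1 8 00 $PINNED"; }
sample_tampered() { printf '%s\n' "[GNUPG:] NEWSIG" \
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer"; }
sample_other_key() { printf '%s\n' "[GNUPG:] NEWSIG" \
    "[GNUPG:] VALIDSIG $OTHER 2017-10-29 1509278580 0 4 0 1 8 00 $OTHER"; }

# Real use (file names hypothetical):
#   gpg --status-fd 1 --verify installer.pkg.sig installer.pkg 2>/dev/null |
#       verdict_from_status "$PINNED"
for s in sample_good sample_tampered sample_other_key; do
    printf '%s: %s\n' "$s" "$("$s" | verdict_from_status "$PINNED")"
done
```

Pinning the fingerprint matters because a replaced installer can carry a perfectly valid signature from a key the attacker controls; the pinned value has to reach users through a channel other than the download server.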