The current git tags used for releases are lightweight and not annotated. This is not recommended for release tags. Let's do the following:
Switch to annotated git tags
Start GPG-signing releases
The latter step is crucial if the PKI hierarchy for HTTPS is not expected to be trusted. The bitmessage threat model involves bad actors who can control the PKI hierarchy, so it should not be relied upon. While most users can rely on HTTPS for their downloads, users who require privacy against powerful actors will want to verify the GPG signatures on the binaries, so GPG-signing tags is important.
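As an added illustration of the two steps above (this is example code, not part of the issue or of the project's own release tooling), the script below shows the object-level difference between a lightweight tag and an annotated tag, and collects the commands a release manager would run to create a signed tag and a detached signature on a binary, plus the verification a user would perform without trusting HTTPS. It assumes git is on PATH; the signing and verification helpers further assume a GPG private key. The tag names, file names and key id are placeholders.

```shell
#!/bin/sh
# Added example, not PyBitmessage project code. Assumes git is installed;
# the signing helpers additionally assume a gpg key. Tag names, file names
# and KEYID below are placeholders.

# Report how a tag was created: "lightweight" (the ref points straight at a
# commit, so there is nothing to sign), "annotated" (a tag object carrying a
# tagger, date and message but no signature) or "signed" (a tag object with an
# embedded PGP signature block, which `git verify-tag` checks).
tag_kind() {
    repo=$1
    tag=$2
    type=$(git -C "$repo" cat-file -t "refs/tags/$tag") || return 1
    if [ "$type" != "tag" ]; then
        echo lightweight
        return 0
    fi
    if git -C "$repo" cat-file -p "refs/tags/$tag" | grep -q '^-----BEGIN PGP SIGNATURE-----'; then
        echo signed
    else
        echo annotated
    fi
}

# Build a throwaway repository with one commit and both tag styles, as a
# constructed sample; prints the repository path.
demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "initial commit"
    # Lightweight tag: what the releases use today. Just a ref, no object.
    git -C "$dir" tag v0.1-light
    # Annotated tag: a real tag object with tagger and message.
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        tag -a v0.1-annot -m "Release 0.1"
    echo "$dir"
}

# Release-time steps. Not executed by the demo below because they need a
# private key; KEYID is a placeholder for the release key's fingerprint.
make_signed_tag() {        # usage: make_signed_tag <tag> <keyid>
    # -s creates an annotated tag and signs it in one step.
    git tag -s "$1" -u "$2" -m "Release $1"
}
sign_artifact() {          # usage: sign_artifact <file> <keyid>  (writes <file>.asc)
    gpg --armor --detach-sign -u "$2" --output "$1.asc" "$1"
}

# What a privacy-sensitive user does instead of trusting the HTTPS PKI:
# check the tag signature in the clone and the detached signature on the
# downloaded binary. Both fail closed if the signing key is not in the keyring.
verify_release() {         # usage: verify_release <tag> <file>
    git verify-tag "$1" && gpg --verify "$2.asc" "$2"
}

# Demo: classify the two sample tags.
repo=$(demo_repo)
for t in v0.1-light v0.1-annot; do
    echo "$t: $(tag_kind "$repo" "$t")"
done
rm -rf "$repo"
```

Note that `tag_kind` reporting "signed" only shows a signature block is present; trust comes from `git verify-tag` and `gpg --verify` succeeding against a key the user obtained out of band, not from the presence of the block.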