Closed emerkle826 closed 3 years ago
Closing this in favor of #235
If we download the KEYS file over the internet from the same (potentially hijacked) source where we download the tarballs we are verifying, the verification doesn't add any additional safety, which is why we embed the full cryptographic fingerprints directly in the Dockerfile, allowing the build to verify the provenance of the released artifacts.
This should address #236
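The pattern the comment describes, shown as an added example that is not part of this PR or of the project's own Dockerfile: the release-signing key is fetched by its full fingerprint, the keyring is checked to contain exactly that key, and the tarball signature is verified before extraction, so a KEYS file served next to the tarball never enters the trust decision. The base image, download URL, fingerprint value, keyserver and install path are placeholders and assumptions.

```dockerfile
# Added example, not the project's Dockerfile. Pins the release-signing key by
# fingerprint in the image definition rather than trusting a KEYS file fetched
# from the same (possibly compromised) host as the tarball.
FROM debian:bookworm-slim

# Placeholders: replace with the real download URL and the full 40-hex-digit
# fingerprint of the release-signing key, obtained out of band (project site
# over TLS, a previously verified release, a signed announcement, ...).
ARG RELEASE_URL="https://example.invalid/project-1.0.0.tar.gz"
ARG RELEASE_KEY_FPR="0000000000000000000000000000000000000000"

RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates curl gnupg dirmngr; \
    rm -rf /var/lib/apt/lists/*; \
    \
    # Download the artifact and its detached signature.
    curl -fsSLo release.tar.gz "$RELEASE_URL"; \
    curl -fsSLo release.tar.gz.asc "$RELEASE_URL.asc"; \
    \
    # Fresh, empty keyring so only the pinned key can satisfy --verify.
    export GNUPGHOME="$(mktemp -d)"; \
    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$RELEASE_KEY_FPR"; \
    \
    # Belt and braces: the only primary key in the keyring must have exactly
    # the pinned fingerprint; anything else fails the build.
    [ "$(gpg --batch --with-colons --fingerprint | awk -F: '/^fpr:/ { print $10; exit }')" = "$RELEASE_KEY_FPR" ]; \
    \
    # A bad or missing signature makes gpg exit non-zero and the build stops.
    gpg --batch --verify release.tar.gz.asc release.tar.gz; \
    gpgconf --kill all; \
    rm -rf "$GNUPGHOME" release.tar.gz.asc; \
    \
    mkdir -p /opt/project; \
    tar -xzf release.tar.gz -C /opt/project --strip-components=1; \
    rm release.tar.gz
```

Keeping the fingerprint in the Dockerfile means a key rotation shows up as a reviewable diff to the build definition, rather than as a silently changed KEYS file; the keyring check makes the build fail closed even if the keyserver returned something other than the requested key.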