docker-library / cassandra

Docker Official Image packaging for Cassandra
Apache License 2.0

Pull Cassandra GPG keys from ASF #237

Closed emerkle826 closed 3 years ago

emerkle826 commented 3 years ago

This should address #236

emerkle826 commented 3 years ago

Closing this in favor of #235

tianon commented 3 years ago

If we download the KEYS file over the internet from the same (potentially hijacked) source where we download the tarballs we are verifying, the verification doesn't add any additional safety, which is why we embed the full cryptographic fingerprints directly in the Dockerfile, allowing the build to verify the provenance of the released artifacts.
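The pinning approach described in the comment above, as an added sketch that is not code from this PR or from the docker-library project: it accepts an artifact only when the signature's primary key fingerprint is in a list embedded in the build, whatever other keys a downloaded KEYS file may have put in the keyring. The fingerprints are constructed placeholders and the function names are hypothetical.

```shell
#!/bin/sh
# Full fingerprints pinned in the build itself.
# CONSTRUCTED placeholders, not real Cassandra release keys.
PINNED_FPRS="
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
"

# Reads `gpg --status-fd 1 --verify` output on stdin and succeeds only if
# the first VALIDSIG line names a pinned key. Field 12 of VALIDSIG is the
# primary key fingerprint; older gpg releases omit it, so fall back to
# field 3 (the fingerprint of the key that made the signature).
signer_is_pinned() {
    fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
                   print (NF >= 12 ? $12 : $3); exit }')
    if [ -z "$fpr" ]; then
        return 1            # no valid signature reported at all
    fi
    for pinned in $PINNED_FPRS; do
        if [ "$fpr" = "$pinned" ]; then
            return 0
        fi
    done
    return 1                # valid signature, but from a key we never pinned
}

# usage: verify_artifact <artifact> <detached-signature>
# Requires both a zero exit status from gpg and a pinned signer.
verify_artifact() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | signer_is_pinned
}
```

A signature that gpg reports as valid but that comes from a key imported alongside the tarball fails the check, which is the case the comment is concerned with.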