flox / floxdocs

Curated Flox Documentation
https://flox.dev/docs/

[BUG] Missing file verification procedures after download #4

Open stahnma opened 5 months ago

stahnma commented 5 months ago

Background

We have a "how to install flox" page. It doesn't cover verifying the download at all. I realize not everybody does this, but we should have a section that verifies the content and applies nonrepudiation to it. This would mean:

  1. We have sha sums for all downloads. ⚠️ This can be a single file with them all in it.
  2. We have the GPG key used to sign our artifacts featured in the verification section.
  3. We have instructions on how to verify our artifacts via GPG.

This is related to flox/flox#1311.

Steps to reproduce

  1. Look at the verify section on the installation.
  2. Facepalm and say WTF. There is no verification of the download at all.

What is the current behavior?

You hope things haven't been MITMed and came from the right source.

What is the expected behavior?

You can verify where it came from and that it hasn't been tampered with.
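As an added illustration of the verification flow the issue asks for (not code from the issue or the Flox project), the script below checks a GPG signature over a single checksum list and then checks the artifact's sha256 against its entry; the file names `flox.tar.gz`, `SHA256SUMS` and `SHA256SUMS.asc` are assumed, and the demo at the bottom uses constructed files with no real Flox artifacts or keys.

```shell
#!/usr/bin/env sh
# Verifies a downloaded artifact the way the requested docs section would describe it:
# (1) check the GPG signature over the checksum list, (2) check the artifact's sha256 against it.

# sha256_of FILE: prints the hex sha256 of FILE (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    awk '{print $1}'
}

# verify_download ARTIFACT SUMS [SIG]
# Returns 0 only when the signature (if given) is good AND the hash of ARTIFACT matches the
# entry for its file name in SUMS. A missing entry, bad signature or mismatch returns 1.
verify_download() {
  artifact=$1; sums=$2; sig=$3
  [ -f "$artifact" ] && [ -f "$sums" ] || { echo "missing input file" >&2; return 1; }
  name=$(basename "$artifact")
  # Step 1: authenticate the checksum list before trusting any hash in it. gpg --verify only
  # proves the signature was made by an imported key; that key's fingerprint still has to match
  # the one the docs publish (compare with: gpg --fingerprint <KEY-ID-FROM-DOCS>).
  if [ -n "$sig" ]; then
    gpg --batch --verify "$sig" "$sums" >/dev/null 2>&1 ||
      { echo "bad or missing signature on $sums" >&2; return 1; }
  fi
  # Step 2: look up the expected hash by file name. Both "hash  name" and "hash *name" forms count.
  expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
  [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }
  actual=$(sha256_of "$artifact")
  [ "$actual" = "$expected" ] || { echo "checksum mismatch for $name" >&2; return 1; }
  echo "verified $name"
}

# Demo with constructed files (no network, no real Flox artifacts). The signature step is
# skipped here because it needs the publisher's key; in real use pass SHA256SUMS.asc as the
# third argument after importing the key published in the docs.
demo_dir=$(mktemp -d)
printf 'constructed installer payload\n' > "$demo_dir/flox.tar.gz"
printf '%s  flox.tar.gz\n' "$(sha256_of "$demo_dir/flox.tar.gz")" > "$demo_dir/SHA256SUMS"
verify_download "$demo_dir/flox.tar.gz" "$demo_dir/SHA256SUMS"
printf 'tampered payload\n' > "$demo_dir/flox.tar.gz"
verify_download "$demo_dir/flox.tar.gz" "$demo_dir/SHA256SUMS" || echo "rejected as expected"
rm -rf "$demo_dir"
```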