friendica / docker

Docker image for Friendica
https://friendi.ca
GNU Affero General Public License v3.0

Add sha256 check for official images #161

Closed nupplaphil closed 3 years ago

MrPetovan commented 3 years ago

Why are we checking the SHA256 checksum from the same source files.friendi.ca as the release archive? If the release archive was tampered with, wouldn't it be trivial to also update the accompanying checksum file in the same folder?

nupplaphil commented 3 years ago

At least it's to check if the downloaded sources aren't corrupted during the transfer. If we do want a more sophisticated check, we would have to add a GPG public key to a keystore (like keystore.ubuntu.com) and check our key at files.friendi.ca if the certification path is valid.

See nextcloud as an example: https://github.com/nextcloud/docker/blob/b67f507e77d8b4141ceedd163da64fe554ca611d/Dockerfile-alpine.template#L112-L121