meganz / MEGAsync

Easy automated syncing between your computers and your MEGA Cloud Drive

Cryptographic Signing of Releases (PGP Signature Verification) #810

Open maltfield opened 1 year ago

maltfield commented 1 year ago

Feature Request

Description

Currently it is not possible to verify the authenticity or cryptographic integrity of the desktop app downloads from mega.io or github.com because the releases are not cryptographically signed.

This makes it hard for Mega users to safely obtain the Mega software, and it introduces them to supply chain attacks.

Steps to Reproduce

  1. Go to the https://mega.io/desktop or https://mega.nz/cmd page
  2. ???

Expected Behavior

A few things are expected:

  1. I should be able to download the Mega Team's Software Release PGP key out-of-band from popular third-party keyservers (e.g. https://keys.openpgp.org/)
  2. I should be able to download a cryptographic signature of the release (or, better, the releases' digest file, such as a SHA256SUMS.asc file) along with the release itself
  3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.

Versions Affected

Everything, all versions.

Use case

Installing the software securely

Suggested implementation

Cryptographic signing of all software releases with PGP
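The verification flow the request above describes (fetch the release key out-of-band, verify the signed digest file, then check the download against it), written out as an added example that is not part of this issue or of MEGA's own tooling. It assumes `gpg` and `sha256sum` are installed; the signing key, the `megasync.deb` payload and the `SHA256SUMS` file are all constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example, not MEGA's tooling: the download-verification flow this issue
# requests, exercised offline against a constructed signing key and digest list.
set -eu

# verify_release FINGERPRINT SUMS SUMS_SIG DOWNLOAD
# Succeeds only if SUMS_SIG is a good signature over SUMS made by the key whose
# primary fingerprint is FINGERPRINT, and DOWNLOAD's SHA-256 matches its SUMS entry.
verify_release() {
    fpr="$1"; sums="$2"; sig="$3"; dl="$4"
    # "Good signature" from *any* key in the keyring is not enough; pin the
    # signer via the VALIDSIG status line (last field = primary key fingerprint).
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ "$signer" = "$fpr" ] || return 1
    # Only after the digest list is authenticated is its entry worth comparing.
    expected=$(awk -v f="$(basename "$dl")" '$2 == f { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$dl" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# demo: constructed stand-in for the missing release key and SHA256SUMS.asc. In
# the real flow the key would come from a keyserver (gpg --keyserver
# keys.openpgp.org --recv-keys <FINGERPRINT>) and the files from the downloads page.
demo() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <demo@example.invalid>' ed25519 sign never
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
    printf 'constructed release payload\n' > "$work/megasync.deb"
    (cd "$work" && sha256sum megasync.deb > SHA256SUMS)
    gpg --batch --quiet --armor --detach-sign --output "$work/SHA256SUMS.asc" "$work/SHA256SUMS"
    # Genuine download: passes.
    verify_release "$fpr" "$work/SHA256SUMS" "$work/SHA256SUMS.asc" "$work/megasync.deb" || return 1
    # Tampered download: the digest list is still authentic, but the file no longer matches.
    printf 'tampered\n' >> "$work/megasync.deb"
    if verify_release "$fpr" "$work/SHA256SUMS" "$work/SHA256SUMS.asc" "$work/megasync.deb"; then
        return 1
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}
```

The fingerprint pin is the part most often skipped: without it, any key that happens to be in the local keyring, including one pulled from a keyserver by a lookalike user ID, would make `gpg --verify` report success.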

maltfield commented 1 year ago

Fixing this would also be an important prerequisite for package maintainers to securely obtain the authentic MEGAsync and MEGAcmd releases before adding them to the official repos.

For example, to satisfy this Debian RFP:

Doing so would make this software much more accessible to thousands (millions?) of Debian, Ubuntu, Mint, etc. users