redis / redis-hashes

Redis tarball SHA1 hashes

Add detached gpg signature file to allow verification of hashes #2

Open grempe opened 8 years ago

grempe commented 8 years ago

If you were to publish a GPG key that is used for code signing, and signed the latest version of the hashes file and each binary download file for each release with a detached GnuPG signature file, it would go a long way to ensure that not only are the bits correct (which the hash already tells us) but that the integrity of the hashes list is unimpeachable as well. This could be very easily scripted on your end when new releases are put out.

Signing the binary for each release tarball individually would be awesome as well.

Here are a couple of example projects that do this:

https://github.com/tianon/gosu/releases
https://github.com/just-containers/s6-overlay/releases

An example usage (in a Dockerfile) would be something like this:

ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-amd64.tar.gz /tmp/s6-overlay-amd64.tar.gz
ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-amd64.tar.gz.sig /tmp/s6-overlay-amd64.tar.gz.sig

# Fetch the release signing key, verify the detached signature, and only then extract.
RUN gpg --keyserver pgp.mit.edu --recv-keys ${S6_OVERLAY_GPG_KEY} && \
  gpg --verify /tmp/s6-overlay-amd64.tar.gz.sig /tmp/s6-overlay-amd64.tar.gz && \
  tar xvfz /tmp/s6-overlay-amd64.tar.gz -C /
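The same workflow applied to a Redis tarball, as an added example that is not code from this issue or from the redis-hashes repo: verify the detached signature on the hashes file against one pinned key, then check the tarball's SHA1 against that file, and only then extract. It assumes the hashes file uses lines of the form "hash <file> <algo> <digest> <url>" and that the signer's full fingerprint is known out of band.

```shell
# Added example, not code from the issue or the redis-hashes repo.
# Order is the point: signature on the hashes file first, then the
# tarball's digest against that file, and only then extraction.
# Assumptions: hashes file lines look like "hash <file> <algo> <digest> <url>",
# and the signer's 40-hex-character fingerprint is known out of band.

sha1_of() {                         # hex SHA1 of a file, portable across sha1sum/shasum
  if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi | awk '{print $1}'
}

# Verify the detached signature on the hashes file. A throwaway keyring is
# used so nothing already trusted on the host is consulted, and the status
# output is checked for VALIDSIG carrying the pinned fingerprint (as either
# the signing subkey or the primary key) instead of trusting the exit code alone.
verify_hashes_signature() {
  hashes="$1"; sig="$2"; pubkey="$3"; fpr="$4"
  keyring="$(mktemp -d)"
  gpg --homedir "$keyring" --batch --quiet --import "$pubkey" || return 1
  gpg --homedir "$keyring" --batch --status-fd 1 --verify "$sig" "$hashes" 2>/dev/null \
    | grep -Eq "^\[GNUPG:\] VALIDSIG ($fpr |.* $fpr$)"
}

# Look up the expected SHA1 for the tarball's basename and compare; a missing entry fails.
verify_tarball_hash() {
  hashes="$1"; tarball="$2"; name="$(basename "$tarball")"
  expected="$(awk -v f="$name" '$1=="hash" && $2==f && $3=="sha1" {print $4; exit}' "$hashes")"
  [ -n "$expected" ] || { echo "no sha1 entry for $name in $hashes" >&2; return 1; }
  [ "$(sha1_of "$tarball")" = "$expected" ]
}

# Full pipeline: signature, then digest, then extract into destdir.
install_release() {
  hashes="$1"; sig="$2"; pubkey="$3"; fpr="$4"; tarball="$5"; destdir="$6"
  verify_hashes_signature "$hashes" "$sig" "$pubkey" "$fpr" || { echo "signature check failed" >&2; return 1; }
  verify_tarball_hash "$hashes" "$tarball" || { echo "digest mismatch for $tarball" >&2; return 1; }
  tar xzf "$tarball" -C "$destdir"
}
```

Pointing `install_release` at the signed hashes file, its `.sig`, the exported public key, the pinned fingerprint, the downloaded tarball and a destination directory gives the Dockerfile-style check above with the hashes list itself covered by the signature.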
ghost commented 8 years ago
