[Privoxy-devel] GPG signatures
Ian Silvester
iansilvester at fastmail.fm
Mon Jun 15 20:44:49 CEST 2026
Hi,
I have been diligently uploading .asc GPG signatures with each Mac release, signing the uploaded installer binary. The thing is though, how do end users know which GPG key they should expect our releases to be signed by? How does anyone know that Ian Silvester is formally the macOS packager for Privoxy? My point being, if somebody really wanted to corrupt our binaries, they could simply replace the installer and also the .asc file with their own, and nobody would be any the wiser, no? Shouldn't we have a location at privoxy.org that states the correct public keys against which each release should be compared?
What do you think?
Ian
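
An added example (not part of the original message, and not Privoxy's own tooling) of the check the question implies: a release is accepted only when a valid signature comes from a key whose fingerprint was pinned in advance. The fingerprints, the sample status lines and all function names are constructed for illustration; only `gpg --batch --status-fd 1 --verify` and its `VALIDSIG` status line are real GnuPG behaviour.

```shell
#!/bin/sh
# Added example: accept a release only if a valid signature comes from a pinned key.
# PINNED_FPR is a constructed placeholder, NOT a real Privoxy key. The real value
# must come from a channel an attacker cannot rewrite together with the download.
PINNED_FPR="0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

# Strip spaces and uppercase, so a fingerprint copied from a web page compares cleanly.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# stdin: gpg --status-fd output. Prints the primary-key fingerprint of every
# cryptographically valid signature (field 12 of VALIDSIG, field 3 if absent).
valid_signers() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3) }'
}

# stdin: status output; $1: pinned fingerprint. True only when a valid signature
# was made by exactly that key; a "good signature" from any other key is rejected.
status_matches_pin() {
  valid_signers | tr 'a-f' 'A-F' | grep -qxF "$(norm_fpr "$1")"
}

# verify_release SIGFILE DATAFILE: run gpg, then apply the pin.
verify_release() {
  gpg_status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
  printf '%s\n' "$gpg_status" | status_matches_pin "$PINNED_FPR"
}

# Constructed status output: a valid signature made by the pinned key.
sample_pinned() {
  cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Packager <packager@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2026-06-15 1781548800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

# Constructed status output: installer and .asc both replaced. The signature is
# just as "good", but it was made by a different key.
sample_swapped() {
  cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Constructed Packager <packager@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2026-06-15 1781548800 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
EOF
}

if [ "$#" -eq 2 ]; then
  verify_release "$1" "$2" && echo "signed by pinned key" || echo "REJECTED"
fi
```

Both sample cases produce a good signature as far as gpg is concerned; only the comparison against the pinned fingerprint tells them apart.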