Download verification


#1

Do you currently offer MD5/SHA hashes or GPG signatures for official release downloads? If not, is that something under consideration?

I’m sure you’re very busy working hard to improve this stellar editor, but I would love to be able to verify that the version I download hasn’t been tampered with.

Thanks!


#2

I like how syncthing includes signed hashes with each release: http://syncthing.net/security.html


#3

If you’re concerned about tampering, you can always just download each release directly from https://github.com/atom/atom/releases. It’s a secure HTTPS connection, and you can verify that the server belongs to GitHub.


#4

Yep. HTTP is probably good enough.

Still, it would be even better if the releases were signed. That way, if the GitHub user accounts were ever compromised, it would be very difficult for someone to upload malicious binaries alongside the release.

I hope GPG signing will be considered at some point in the future.