No gpg detached signature files yet?


There are suggestions here, but I'm also "discussing" it, so don't know which forum to use. :)

It's been over a year since I asked about detached signature files (not checksum sig files).
Apparently, I downloaded a gpg sig file for /bleachbit_2.0_all_ubuntu1604.deb.sig and it verified the Ubuntu 16.04 (Mint 18.x) file. Memory fails me, but I assume gpg sig files were available for a while.

Now v2.2 is out, and I don't find detached signature files mentioned anywhere on the download page (except checksums).

Are you near to updating your signing key so you could sign releases?
Possibly your site isn't one of the "highest value targets" they could choose, but some hackers will take what they can get.

To further increase security, some devs put pgp signature files on a different server than where the "main" file downloads are stored. That requires two different servers to be breached before tampered files AND detached sig files generated for the tampered files could be uploaded by hackers.

When many Linux users must get updates outside their distro's repo, not having gpg sig files is a bit like unprotected sex with strangers. May turn out OK but not the smartest decision.

At the time of release I signed the checksums (bleachbit-2.2-sha256sum.txt.asc), which has equivalent security to detached signatures while not requiring as many files.

I do not see a security advantage, but I released detached signatures for BleachBit 2.2.

The signatures are already on a different server ( than the main downloads ( domain).


Andrew, lead developer
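How a signed checksum list like the one Andrew describes is actually used on the receiving end, as an added shell example that is not part of this thread or of the BleachBit project. The fingerprint and file names are placeholders; the point is the order of operations: the signature is checked first and pinned to a known key, and only the text that verified is fed to sha256sum.

```shell
#!/bin/sh
# Verify a release from one signed checksum list (clearsigned .asc).
# A single signed list covers every file in the release, which is why
# it is equivalent to a detached signature per file.

# Placeholder, NOT the project's real key: obtain the real fingerprint
# from the project itself and compare it out of band, never from the
# same mirror the downloads come from.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Read gpg --status-fd output on stdin. Succeed only when a VALIDSIG
# line names the expected fingerprint and no bad/expired/revoked/unknown
# status appears. gpg's exit code alone is not enough: a valid signature
# from the wrong key still exits 0, and some warnings do too.
check_gpg_status() {
    fpr="$1"; valid=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG $fpr "*) valid=1 ;;
            "[GNUPG:] BADSIG"*|"[GNUPG:] ERRSIG"*|"[GNUPG:] EXPKEYSIG"*|\
            "[GNUPG:] REVKEYSIG"*|"[GNUPG:] NO_PUBKEY"*) bad=1 ;;
        esac
    done
    [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# $1 = signed checksum list (e.g. bleachbit-2.2-sha256sum.txt.asc)
# $2 = directory holding the downloaded release files
verify_release() {
    asc="$1"; dir="$2"; out="$dir/SHA256SUMS.verified"
    # --decrypt verifies the clearsigned text and writes the signed body
    # to --output; --status-fd 1 puts machine-readable status on stdout.
    # gpg writes the body even when the signature is bad, so the file is
    # untrusted until check_gpg_status has passed.
    gpg --batch --status-fd 1 --output "$out" --decrypt "$asc" 2>/dev/null \
        | check_gpg_status "$EXPECTED_FPR" \
        || { rm -f "$out"; echo "signature check failed: $asc" >&2; return 1; }
    # Only now do the hashes mean anything. --ignore-missing allows a
    # partial download (one .deb); --strict rejects malformed lines.
    (cd "$dir" && sha256sum --ignore-missing --strict -c SHA256SUMS.verified)
}

# Usage: ./verify.sh bleachbit-2.2-sha256sum.txt.asc ./downloads
[ "$#" -eq 2 ] && verify_release "$1" "$2"
```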