https://issues.dlang.org/show_bug.cgi?id=16065

--- Comment #5 from James King <1...@lwshost.com> ---
PGP signatures work fine for *nix systems, but this requires either compiling
PGP from source for Windows, or finding some other distributor of PGP binaries
for Windows before you can even run the check. To add to that, PGP signatures
must also be delivered over HTTPS, and even then, again, the only barrier to
supplying a bad binary is to gain access to the web server.

On the other hand, with signed code, an attacker has to compromise both the web
server (delivery mechanism) and go through the process of obtaining a code
signing key that looks legitimate enough from a CA that issues them. Not
necessarily the hardest problem, but it's a two-step process.

I will agree that it is disappointing that the pricing is as steep as it is
($84 to $800 depending on the vendor, per year) but I would argue that the
lower end is a manageable price if it helps prevent bad binaries from being
distributed. The ones I found on the lower end were Comodo (directly and
indirectly), GoDaddy, GlobalSign, and DigiCert.

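The comment above argues that a code-signing certificate is a second hurdle for an attacker, but also concedes that a plausible-looking certificate can be obtained from a CA. The practical consequence for anyone checking a downloaded Windows installer is that "signature is Valid" is not the whole check: the signer's certificate should also be pinned to a value obtained out of band. The following PowerShell is an added example written for this page, not code from the dlang.org bug thread or from the D project; the installer path and the expected thumbprint are placeholders, and the function name is hypothetical.

```powershell
# Added example (not from the dlang.org bug thread): verify an Authenticode
# signature on a downloaded installer and pin the publisher's certificate.
# $ExpectedThumbprint is a placeholder; replace it with the publisher's real
# SHA-1 certificate thumbprint obtained out of band (not from the download site).

function Test-PinnedAuthenticode {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Step 1: the signature must chain to a trusted root and match the file's hash.
    # Anything else (NotSigned, HashMismatch, NotTrusted, UnknownError, ...) fails.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for '$Path': $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }

    # Step 2: a valid signature only proves that some CA issued a certificate to
    # someone. Because an attacker may obtain a legitimate-looking certificate,
    # compare the signer's thumbprint with the value pinned out of band.
    # .NET reports thumbprints as upper-case hex without separators.
    $expected = $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()
    $actual   = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $expected) {
        Write-Warning ("Signer mismatch for '{0}': got {1} ({2}), expected {3}" -f
            $Path, $actual, $sig.SignerCertificate.Subject, $expected)
        return $false
    }

    # Step 3 (informational): without a timestamp countersignature the signing
    # time cannot be established independently of the signing certificate.
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning "No timestamp countersignature on '$Path'."
    }

    return $true
}

# Usage (path and thumbprint are placeholders):
# Test-PinnedAuthenticode -Path "$env:USERPROFILE\Downloads\installer.exe" `
#     -ExpectedThumbprint 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'
```

The same two-step logic applies to the PGP case the comment describes: `gpg --verify` succeeding only shows the signature matches some key in the keyring, so the key's fingerprint must likewise be compared against a value that did not come from the same server as the download.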