Rutherther <[email protected]> writes: > Installation script: https://guix.gnu.org/guix-install.sh ... > All of these files have are signed at <link>.sig. They are all signed by > Rutherther, you can get his public key from [1], then import it using > “gpg --import”. ... > • SHA256 hashes
The guix-install.sh script does not seem to have a *.sig file, nor is it included in the SHA256 hash list. Since this script is often ran by root, I think it should have some security protection beyond WebPKI https URL assurance. Maybe already tracked in some bug report? Still, would be great to see improved for 1.5.0. /Simon
signature.asc
Description: PGP signature
