Allow the users to verify the downloads for desktop

Please add SHA256 hashes and a GPG signature for the desktop downloads, so that users can verify the integrity of the binaries they use.

1 Like

For Android, we published the SHA256 fingerprint of the used signing signature at Verify Downloads - Delta Chat (reachable on get.delta.chat).

That way, we can avoid updating the page on every release and dealing with long lists of releases.

Maybe something similar is doable and sufficient for desktop as well? Might be much more complicated because of the different distributions, however.

In the following forum thread from 2021 Jikstra says it should probably be easy to get the release script to upload a checksum.txt with checksums of all the uploaded files:

And then to simply sign the checksum.txt and upload the signature shouldn’t be hard I would think (but there could be difficulties involved which I don’t understand).

Compared to all the work writing and testing the Delta Chat code, I imagine that signing a checksum.txt file would be pretty quick and straightforward, and it would give many users more confidence that they downloaded the right code.
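The checksum.txt idea discussed above, as an added example that is not part of the original thread or the Delta Chat release tooling: a release-side function writes a `sha256sum`-style manifest and a user-side function checks downloaded files against it. The artifact names are constructed, and the manifest is assumed to have had its signature verified separately (for instance with `gpg --verify`) before it is trusted.

```python
# Added example: artifact names are constructed; checksum.txt is the name used in the thread.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large installers are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def write_checksums(release_dir: Path, manifest: str = "checksum.txt") -> Path:
    """Release side: one '<hex>  <name>' line per artifact (sha256sum format)."""
    names = sorted(p.name for p in release_dir.iterdir()
                   if p.is_file() and p.name != manifest)
    lines = [f"{sha256_file(release_dir / n)}  {n}" for n in names]
    out = release_dir / manifest
    out.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return out

def verify_checksums(release_dir: Path, manifest: str = "checksum.txt") -> dict:
    """User side: returns {name: 'OK' | 'MISMATCH' | 'MISSING' | 'BAD NAME'}."""
    results = {}
    for line in (release_dir / manifest).read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        expected, _, name = line.partition(" ")
        name = name.lstrip(" *")  # sha256sum marks binary mode with '*'
        target = release_dir / name
        if Path(name).name != name:  # refuse entries that point outside the directory
            results[name] = "BAD NAME"
        elif not target.is_file():
            results[name] = "MISSING"
        elif sha256_file(target) == expected.lower():
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results

def demo() -> dict:
    """Constructed sample: two fake artifacts, one altered after the manifest is written."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "example-desktop.AppImage").write_bytes(b"constructed sample A")
        (d / "example-desktop.deb").write_bytes(b"constructed sample B")
        write_checksums(d)
        (d / "example-desktop.deb").write_bytes(b"tampered")
        return verify_checksums(d)
```

A matching hash only shows that a file agrees with the manifest; the signature on checksum.txt is what ties the manifest to the publisher.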

I’m currently exploring providing repositories (like PPA) for our Linux releases, they would then provide checksums too.

Will come back to this thread as soon as there is something to share 🙂

1 Like