Using gpg to add digital signature to a linux executable
Robert J. Hansen
rjh at sixdemonbag.org
Wed Oct 27 00:17:46 CEST 2021
> all is well and good. At least, on Windows. But what about linux?

As a general rule, Windows signs executables more than it signs
packages; Linux signs packages more than it signs executables. The best
practice seems to be to use GnuPG to attach a digital signature to an
RPM or DEB (or Snap or Flatpak or what-have-you), rather than to sign
the executables directly.

> doing it. So, much as I detest Windows, this seems to be one area in
> which Windows is slightly ahead.

"Ahead" might be putting it a little strongly. The two operating
systems are different and have different approaches to supply chain
security. :)
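
Signing the package file rather than the executable inside it, as an added example that is not part of the original post: a detached GnuPG signature over a constructed stand-in for a DEB, verified against a pinned key fingerprint. The file name, key identity and throwaway keyring are assumptions made for the demo, and the distributions' own package-signing tools are not used here.

```sh
#!/bin/sh
# Added example (not from the original post). File names and the key
# identity are constructed; a throwaway keyring keeps ~/.gnupg untouched.

setup_keyring() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    # Unprotected demo key; a real packaging key needs a passphrase or token.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Packager <packager@example.invalid>' \
        default default never 2>/dev/null
}

# Print the primary-key fingerprint for a user ID (field 10 of the fpr record).
key_fingerprint() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# $1 = package file; writes an ASCII-armored detached signature to $1.asc.
sign_package() {
    gpg --batch --yes --armor --detach-sign --output "$1.asc" "$1" 2>/dev/null
}

# $1 = package file, $2 = fingerprint the verifier has pinned.
# Succeeds only when gpg reports VALIDSIG and its last field (the primary
# key fingerprint) equals the pinned one; any other key is not accepted.
verify_package() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        awk -v want="$2" '$2 == "VALIDSIG" && $NF == want { ok = 1 }
                          END { exit (ok ? 0 : 1) }'
}

run_demo() {
    setup_keyring || return 1
    pkg=$(mktemp -d)/demo_1.0_amd64.deb
    printf 'constructed stand-in for package contents\n' > "$pkg"
    fpr=$(key_fingerprint packager@example.invalid)
    sign_package "$pkg" || return 1
    verify_package "$pkg" "$fpr" && echo "intact package: signature accepted"
    printf 'one appended byte' >> "$pkg"
    verify_package "$pkg" "$fpr" || echo "modified package: signature rejected"
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME" "${pkg%/*}"
}

case "${1:-}" in --demo) run_demo ;; esac
```

Run the script with --demo to see both outcomes; it needs GnuPG 2.1 or later on the PATH.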