Using gpg to add digital signature to a Linux executable

Robert J. Hansen rjh at sixdemonbag.org
Wed Oct 27 00:17:46 CEST 2021


> all is well and good. At least, on Windows. But what about Linux?

As a general rule, Windows signs executables more than it signs 
packages; Linux signs packages more than it signs executables.  The best 
practice seems to be to use GnuPG to attach a digital signature to an 
RPM or DEB (or Snap or Flatpak or what-have-you), rather than to sign 
the executables directly.

> doing it. So, much as I detest Windows, this seems to be one area in 
> which Windows is slightly ahead.

"Ahead" might be putting it a little strongly.  The two operating 
systems are different and have different approaches to supply chain 
security.  :)
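
As an added illustration of signing the package rather than the executable (not part of the original message), the script below creates a throwaway key, makes a detached GnuPG signature over a constructed stand-in package file, and verifies it against a pinned fingerprint. The key identity, file names and helper function names are assumptions for the demo, and a detached `.asc` file stands in for distribution-specific signing tools.

```shell
#!/bin/sh
# Added example: sign a package file with GnuPG and verify it against a pinned key.
# Key identity, file names and the payload are constructed for this demo.

demo_setup() {
    WORK=$(mktemp -d)
    GNUPGHOME="$WORK/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Throwaway signing key with no passphrase (demo only; protect real keys)
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Packager <packager@example.invalid>' \
        ed25519 sign never
    # Fingerprint a consumer would pin after receiving it out of band
    SIGNER_FPR=$(gpg --batch --with-colons --list-keys |
                 awk -F: '$1 == "fpr" {print $10; exit}')
    PKG="$WORK/demo_1.0_amd64.deb"      # stand-in for a real DEB or RPM
    printf 'constructed package payload\n' > "$PKG"
}

sign_package() {        # $1 = package; writes $1.asc next to it
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1"
}

verify_package() {      # $1 = package, $2 = expected signer fingerprint
    # VALIDSIG is emitted on the status channel only for a good signature
    fpr=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
          awk '$2 == "VALIDSIG" {print $3; exit}')
    [ -n "$fpr" ] && [ "$fpr" = "$2" ]
}

demo_cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}

demo_setup
sign_package "$PKG"
verify_package "$PKG" "$SIGNER_FPR" && echo "untouched package: signature OK"
printf 'tampered\n' >> "$PKG"
verify_package "$PKG" "$SIGNER_FPR" || echo "modified package: verification failed"
demo_cleanup
```

Comparing the `VALIDSIG` fingerprint with a pinned value matters because a bare `gpg --verify` succeeds for any key that happens to be in the keyring.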

