> all is well and good. At least, on Windows. But what about Linux?
As a general rule, Windows signs executables more than it signs packages; Linux signs packages more than it signs executables. The best practice seems to be to use GnuPG to attach a digital signature to an RPM or DEB (or Snap or Flatpak or what-have-you), rather than to sign the executables directly.
> doing it. So, much as I detest Windows, this seems to be one area in which Windows is slightly ahead.
"Ahead" might be putting it a little strongly. The two operating systems are different and have different approaches to supply chain security. :)
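The package-signing practice the reply recommends, as an added example that is not part of the original thread: a constructed stand-in package is signed with a throwaway GnuPG key via a detached signature, verified, and then a one-byte change is shown to be rejected. It assumes gpg (GnuPG 2.1 or later) is on the PATH; the key identity and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sign a package file with a
# detached OpenPGP signature, verify it, and show that a tampered copy fails.
# Assumes gpg (GnuPG 2.1+) is installed; identity and file names are constructed.
set -e

# Throwaway keyring so nothing here touches the real user keyring.
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Generate a signing key non-interactively (constructed identity, no passphrase).
make_signing_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Packager <packager@example.invalid>' \
        default default never
}

# Detached signature: the package bytes stay untouched and the signature sits
# beside them, which is the model RPM/DEB repositories follow rather than
# embedding signatures in each executable.
sign_package() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --armor --output "$1.asc" "$1"
}

# Returns 0 when the signature is good and the signer is in our keyring,
# non-zero for a bad, missing, or untrusted signature.
verify_package() {
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

make_signing_key
printf 'constructed package payload\n' > example-1.0.deb   # stand-in for a real .deb
sign_package example-1.0.deb

verify_package example-1.0.deb && echo "original: signature good"

# Simulate post-signing tampering: same signature, one extra byte in the file.
cp example-1.0.deb tampered.deb
cp example-1.0.deb.asc tampered.deb.asc
printf 'x' >> tampered.deb
verify_package tampered.deb || echo "tampered: signature BAD (rejected)"
```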
Gnupg-users mailing list, Gnupg-users@gnupg.org, http://lists.gnupg.org/mailman/listinfo/gnupg-users