> all is well and good. At least, on Windows. But what about Linux?

As a general rule, Windows signs executables more than it signs packages; Linux signs packages more than it signs executables. The best practice seems to be to use GnuPG to attach a digital signature to an RPM or DEB (or Snap or Flatpak or what-have-you), rather than to sign the executables directly.

> doing it. So, much as I detest Windows, this seems to be one area in which Windows is slightly ahead.

"Ahead" might be putting it a little strongly. The two operating systems are different and have different approaches to supply chain security. :)


Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
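The "sign the package, not the executable" practice described above, as an added shell walkthrough that is not part of the thread: a throwaway GnuPG key in an isolated keyring produces a detached signature over a package file, and the verifier accepts the untouched file and rejects a tampered one. The key name, the `example.invalid` address and the stand-in `.deb` payload are constructed for the demonstration; `gpg` (GnuPG 2.1 or later) is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the gnupg-users thread): detached OpenPGP signing
# and verification of a package file, the Linux-side practice discussed above.
# Assumptions: gpg 2.1+ on PATH; the "package" is a constructed placeholder.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found on PATH" >&2; exit 1; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"   # isolated keyring; the user's real one is untouched
mkdir -m 700 "$GNUPGHOME"

# 1. Throwaway signing key: Ed25519, signing-only, expires in one day.
make_signing_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Packager <packager@example.invalid>' ed25519 sign 1d
}

# 2. Detached, ASCII-armoured signature written next to the package.
sign_package() {
    pkg="$1"
    gpg --batch --quiet --yes --local-user 'packager@example.invalid' \
        --armor --detach-sign --output "$pkg.asc" "$pkg"
}

# 3. Verification: exit status 0 only when the signature matches the bytes on disk.
verify_package() {
    pkg="$1"
    gpg --batch --quiet --verify "$pkg.asc" "$pkg" 2>/dev/null
}

# Constructed stand-in for an RPM/DEB payload (not a real package).
PKG="$WORK/hello_1.0_all.deb"
printf 'constructed package payload\n' > "$PKG"

make_signing_key
sign_package "$PKG"

# The untouched package verifies ...
verify_package "$PKG" && echo "signature OK: $PKG"

# ... and a single appended byte is enough to make verification fail.
printf 'x' >> "$PKG"
if verify_package "$PKG"; then
    echo "unexpected: tampered package verified" >&2
else
    echo "tampered package rejected"
fi
```

Because the signature is detached, the package file itself is byte-for-byte what the build produced, which is why repository tooling can keep signing metadata alongside the artifact rather than inside it. Distribution keys, unlike the one-day key here, are long-lived and their public half is pinned by the package manager's keyring.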

Reply via email to