> The proper protocol would be to just sign the binary by your private > RSA key and encrypt it with a symmetric key, that you directly pre- > distribute to your recipients via the same channel that you now use to > distribute your public RSA key.
I agree with Tomáš, just would like to emphasize that the order of operation matters: It should be encrypt-then-sign, not vice versa. This ensures that the recipient can check the integrity of the binary before attempting to decrypt it. Matthias
