GitHub Community
Where is the Github asc file for their pgp signing key? #130439
Unanswered
Zerophase
asked this question in
Code Security
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Select Topic Area
Question
Body
The releases I'm downloading from Github are signed with key B5690EEEBB952194. That's Github's signing key. However, I cannot find the asc file for confirming the executable I have downloaded is actually from Github's servers, and not some man in the middle attacking my infrastructure.
Obviously, it would be preferable for the developer to sign their own releases with their own key. However, if I can find the Github asc file at least I can confirm whether the file is signed by Github's key or not.
Does anyone know where that file is so I can confirm the release contents are signed?
Beta Was this translation helpful? Give feedback.
All reactions