Conversation

Is there a tool included in a standard Windows installation that I could have people use to verify a detached signature for an arbitrary file? Providing GPG signatures and including them in the install instructions is doing more harm than good when it's not provided by the OS.
It's a first-party download via HTTPS and encouraging people to install extra software without a more meaningful way to verify that is only doing harm. GPG is also proving to be the bottleneck for the installation process and I'll probably be switching to signify for Linux users.
Even for a simple case like this, GPG is opaque and difficult. There's too much that can and does go wrong. I think people would be better off with a tiny public key to save and confirm out-of-band with it explicitly referenced in the verify command. No complex keyring nonsense.
Signed tags are still relying on the security of Git's chained sha1 hashes anyway. It's mitigated a bit by the fact that objects have a size in their header, but it's still pretty terrible. Git also exposes a lot of attack surface. A signed manifest would be simpler and safer.
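The thread argues for two things: a tiny public key that the user saves, confirms out-of-band and passes explicitly to the verify command (no keyring), and a signed manifest of file hashes instead of signed Git tags. The following is an added example, not code from anyone in the thread or from any project they mention. It uses Ed25519 from the Go standard library to sign a manifest of SHA-256 hashes and to verify a delivered set of files against it. The file contents, the function names (NewSigningKey, BuildManifest, SignManifest, VerifyRelease) and the manifest line format ("sha256hex  filename", sorted by name) are all assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// sampleRelease is constructed stand-in data for the files of a release;
// a real publisher would read them from disk. Names must not contain spaces
// because the manifest format below splits lines on whitespace.
var sampleRelease = map[string][]byte{
	"install.sh":      []byte("#!/bin/sh\necho installing\n"),
	"tool-1.0.tar.gz": []byte("not really a tarball, just sample bytes"),
}

// NewSigningKey generates an Ed25519 keypair and returns the public key as
// 64 hex characters: short enough to print in the install instructions and
// confirm out-of-band, with no keyring involved.
func NewSigningKey() (string, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	return hex.EncodeToString(pub), priv, nil
}

// BuildManifest renders one "sha256hex  filename" line per file, sorted by
// name so the output is deterministic and the signature is reproducible.
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.Bytes()
}

// SignManifest produces the detached signature shipped beside the manifest.
// Only the manifest is signed; each file is bound to it by its hash.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyRelease is what the end user runs: the public key is passed in
// explicitly (the one they confirmed out-of-band), the signature is checked
// first, and only then are the delivered files compared against the manifest.
// Files listed but missing, files delivered but unlisted, and hash mismatches
// are all failures.
func VerifyRelease(pubHex string, manifest, sig []byte, files map[string][]byte) error {
	pub, err := hex.DecodeString(pubHex)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("public key must be %d hex characters", 2*ed25519.PublicKeySize)
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), manifest, sig) {
		return fmt.Errorf("manifest signature does not verify")
	}
	listed := make(map[string]bool)
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		want, name := fields[0], fields[1]
		listed[name] = true
		data, ok := files[name]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but not delivered", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: hash mismatch", name)
		}
	}
	for name := range files {
		if !listed[name] {
			return fmt.Errorf("%s: delivered but not in signed manifest", name)
		}
	}
	return nil
}

func main() {
	pubHex, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	manifest := BuildManifest(sampleRelease)
	sig := SignManifest(priv, manifest)
	fmt.Printf("public key (publish out-of-band): %s\n", pubHex)
	fmt.Printf("manifest:\n%s", manifest)
	fmt.Println("verify:", VerifyRelease(pubHex, manifest, sig, sampleRelease))

	tampered := map[string][]byte{}
	for k, v := range sampleRelease {
		tampered[k] = v
	}
	tampered["install.sh"] = []byte("#!/bin/sh\necho something else\n")
	fmt.Println("tampered:", VerifyRelease(pubHex, manifest, sig, tampered))
}
```

The user-facing step reduces to one command with the hex public key as an argument and the manifest, its signature and the files as inputs; nothing is imported into a keyring and there is no trust-model state to get wrong. Because the manifest hashes the released artifacts directly, verification does not depend on Git's object model or SHA-1 at all.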