Few people ever download signatures when they're provided anyway, let alone verifying in a meaningful way rather than simply via a public key obtained from the same page / site. Using signify allowed me to add easier out-of-band verification for https://grapheneos.org/install#obtaining-factory-images… at least.
I can see from the download statistics that few people are bothering with the signatures. Doesn't matter much, since if an attacker actually compromised the site, people would happily follow instructions from them compromising their computer. In practice, HTTPS is what secures it.
I do also have the post-installation verification via attestation, but it's not a strong verification for the initial pairing:
https://grapheneos.org/install#verifying-installation…
Still, most attackers aren't going to have a valid attestation batch certificate to bypass that, so it has value before pairing.
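As an added illustration of the out-of-band point above (not code from the thread or from GrapheneOS): a pre-check that compares the signify public key and detached signature served by a site against a key pinned from an independent channel, before the actual Ed25519 check with `signify -V`. The function names and all sample keys and signatures are constructed for the example; the two-line file layout and the `Ed` + key number + payload blob follow the OpenBSD signify format.

```python
import base64

def parse_signify(text, payload_len):
    """Parse a two-line signify file: 'untrusted comment' line, then base64 blob."""
    lines = text.strip().splitlines()
    if len(lines) != 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("not a detached signify file")
    raw = base64.b64decode(lines[1], validate=True)
    # Blob layout: 2-byte algorithm "Ed", 8-byte key number, then the payload.
    if len(raw) != 10 + payload_len or raw[:2] != b"Ed":
        raise ValueError("unexpected algorithm or length")
    return raw[2:10], raw[10:]

def check_download(site_key, site_sig, pinned_key):
    """Compare what the site served against a key obtained out of band."""
    pin_num, pin_pub = parse_signify(pinned_key, 32)   # Ed25519 public key
    key_num, key_pub = parse_signify(site_key, 32)
    sig_num, _sig = parse_signify(site_sig, 64)        # Ed25519 signature
    if (key_num, key_pub) != (pin_num, pin_pub):
        return "key-mismatch"              # site key is not the pinned one
    if sig_num != pin_num:
        return "signature-from-other-key"  # signed by a different key
    return "ok"  # now run: signify -V -p <pinned key> -x <sig> -m <file>

# Constructed sample data (not real keys or signatures).
def _file(comment, keynum, payload):
    blob = base64.b64encode(b"Ed" + keynum + payload).decode()
    return f"untrusted comment: {comment}\n{blob}\n"

PINNED_KEY = _file("release key", b"\x01" * 8, b"\xaa" * 32)
GENUINE_KEY = PINNED_KEY
GENUINE_SIG = _file("verify with release.pub", b"\x01" * 8, b"\x00" * 64)
SWAPPED_KEY = _file("release key", b"\x02" * 8, b"\xbb" * 32)
SWAPPED_SIG = _file("verify with release.pub", b"\x02" * 8, b"\x11" * 64)

if __name__ == "__main__":
    print(check_download(GENUINE_KEY, GENUINE_SIG, PINNED_KEY))
    print(check_download(SWAPPED_KEY, SWAPPED_SIG, PINNED_KEY))
    print(check_download(GENUINE_KEY, SWAPPED_SIG, PINNED_KEY))
```

A result of `ok` only means the served key matches the pinned one and the signature names that key; the signature itself still has to be verified with signify against the pinned key.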