Fake Websites for Keepass, 7Zip, Audacity, Others Found Pushing Adware

Discussion in 'malware problems & news' started by Minimalist, Jul 27, 2018.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    https://www.bleepingcomputer.com/ne...ss-7zip-audacity-others-found-pushing-adware/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Clever stuff, I can see how this can even fool people that are security aware.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    GPG signature verification eliminates all of these bad actors. I know it is easy to say, but frankly it's also very easy to do, especially when you are providing ALL your credentials on every website you use. Could security be more important?
     
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    GPG signature verification?
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402

    Assuming I understand your question correctly, you are asking what that is? Many code writers protect their uploaded files with a GPG signature that provides for two security affirmations.

    1. In the old days (unfortunately some still use SHA checksums) we used a checksum to verify the size of the file downloaded was exactly the same size as the one the donor was offering on a website. This was to inspect for a "bad" download in case something went wrong during the acquisition of the file. If a person verified the downloaded file had the same checksum then they knew the files match. BUT - that process doesn't protect against a bad file being uploaded, as the site from which you grab the file specifies the checksum to match their file. MITMs were notorious on this issue.

    2. Going well beyond 1 mentioned above, the GPG signature can ONLY be made by the holder of the private key, and that private key is what is used to sign the file before it is uploaded to the server being offered for download. Now, when a person downloads the file they use GPG signature verification to KNOW the exact file was signed by the "claimed" author of the file. There is NO known way to beat this process. No person can sign a file without that private key and ONLY they have access to it.

    Common examples: The TOR dev team, Electrum for Bitcoin, countless others. All these post their public keys on keyrings and the fingerprint is established in public. If you download the public key and verify the fingerprint, then as you download files from these folks you are able to verify the pre-signed signature on the files. If it matches, ONLY the owner of the private side of the key set can sign the file. Hope this makes sense. It's positive, surefire all the way!!
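
The check described in the post above, as an added example that is not part of the original thread: a detached signature is accepted only when it is valid and was made by the fingerprint pinned in advance. The key names, file names and helper functions are assumptions constructed for the demo; it needs GnuPG 2.1 or later and uses a throwaway keyring.

```shell
#!/bin/sh
# Added example: every key and file here is a constructed throwaway.

# verify_download FILE SIG FPR: succeed only when SIG is a valid signature over
# FILE made by the key whose primary fingerprint equals the pinned FPR.
verify_download() {
    got=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
          awk '$2 == "VALIDSIG" { print $NF }')
    [ -n "$got" ] && [ "$got" = "$3" ]
}

status() { if verify_download "$@"; then echo OK; else echo REJECTED; fi; }

# new_key UID: create an unprotected signing key and print its fingerprint.
new_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" ed25519 sign never 2>/dev/null
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# demo: prints the verdict for a genuine file, a modified file, and a file
# signed by a different key that is also present in the keyring.
demo() (
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    cd "$GNUPGHOME" || exit 1
    dev=$(new_key "dev@example.invalid")       # fingerprint the user pinned
    other=$(new_key "mirror@example.invalid")  # valid key, wrong owner
    echo "genuine installer" > app.bin
    gpg --batch --quiet -u "$dev" -o app.sig --detach-sign app.bin
    cp app.bin changed.bin
    echo "extra bytes" >> changed.bin          # file altered after signing
    echo "look-alike installer" > fake.bin
    gpg --batch --quiet -u "$other" -o fake.sig --detach-sign fake.bin
    r1=$(status app.bin app.sig "$dev")
    r2=$(status changed.bin app.sig "$dev")
    r3=$(status fake.bin fake.sig "$dev")
    gpgconf --kill gpg-agent 2>/dev/null || true
    cd / && rm -rf "$GNUPGHOME"
    echo "$r1 $r2 $r3"
)

demo
```

The third case is why the fingerprint comparison matters: `gpg --verify` alone reports a good signature for any key in the keyring, so the pinned fingerprint has to come from a source other than the download page.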
     
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    It makes plenty of sense. Well stated & instructive. Thank you very much!
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Interesting and well done.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    How do file partner programs work?
    https://securelist.com/file-partner-programs/
     
  9. guest

    guest Guest

    Beware of "Unofficial" Sites Pushing Notepad2 Adware Bundles
    November 7, 2018
    https://www.bleepingcomputer.com/ne...ficial-sites-pushing-notepad2-adware-bundles/
     