I have a binary file and saved it on the GitHub release page. https://github.com/zono/bolt8/releases
To allow users to verify it, I saved the sha256sum and a signature (.asc).
However, I have a concern that if my GitHub account is hacked somehow, the sha256sum, the signature and my keybase.io account link (https://keybase.io/zono) could be replaced. As a result of that, users can't notice the fake binary.
Are there any solutions for that? What kinds of ways are used in OSS projects?
* sign and sha256sum (on mac)

    $ gpg -ba bolt8-node10-macos-x64
    $ shasum -a 256 bolt8-node10-macos-x64
    // save .asc and the checksum into github

* verify (on linux)

    $ sha256sum bolt8-node10-macos-x64
    $ curl https://keybase.io/zono/pgp_keys.asc | gpg --import
    $ gpg --verify bolt8-node10-macos-x64.asc bolt8-node10-macos-x64
    gpg: Signature made Mon 17 Jun 2019 09:59:55 PM JST using RSA key ID 6530E807
    gpg: Good signature from "xxxxx"
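The weakness in the verify steps above is that the key is fetched from a link the attacker could also replace, so "Good signature" only proves the file matches some key, not the maintainer's key. The usual fix is to pin the maintainer's key fingerprint somewhere the release host cannot alter (a signed git tag, a personal site, an in-person exchange, a distribution's keyring) and reject any signature from a different key. The following is an added example, not code from the post or from the bolt8 project: it parses sha256sum-format checksum lines, parses gpg's machine-readable `--status-fd` output for the `VALIDSIG` line, and accepts the release only when the signing key's primary fingerprint equals the pinned one. `PINNED_FINGERPRINT`, `DEMO_FPR`, the sample bytes and the sample status lines are placeholders constructed for the demo; `run_gpg_verify` assumes a `gpg` binary is on PATH.

```python
"""Release verification against a pinned key fingerprint (added example)."""
import hashlib
import hmac
import re
import subprocess
from pathlib import Path
from typing import Dict, Optional

# PLACEHOLDER: the real value would be the maintainer's 40-hex-digit fingerprint
# obtained out of band (signed git tag, personal site, in person), never from
# the same GitHub release page that holds the checksum and .asc file.
PINNED_FINGERPRINT = "0000000000000000000000000000000000000000"

# Constructed fingerprint used only by the demo and tests below.
DEMO_FPR = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256sum(text: str) -> Dict[str, str]:
    """Parse `sha256sum` / `shasum -a 256` lines: '<hex>  name' or '<hex> *name'."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([0-9a-fA-F]{64}) [ *](.+)$", line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def checksum_matches(data: bytes, name: str, checksum_text: str) -> bool:
    """True if the checksum file lists `name` with the digest of `data`."""
    expected = parse_sha256sum(checksum_text).get(name)
    return expected is not None and hmac.compare_digest(sha256_hex(data), expected)


def signing_fingerprint(gpg_status: str) -> Optional[str]:
    """Extract the signing key's primary fingerprint from gpg --status-fd output.

    VALIDSIG fields: fpr date timestamp expire version reserved pkalgo hashalgo
    class [primary-key-fpr]. Only VALIDSIG counts; BADSIG/ERRSIG yield None.
    """
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            fields = parts[2:]
            # Prefer the primary-key fingerprint so a signing subkey still maps
            # to the pinned identity; fall back to the signing key itself.
            return (fields[9] if len(fields) >= 10 else fields[0]).upper()
    return None


def signature_trusted(gpg_status: str, pinned: str = PINNED_FINGERPRINT) -> bool:
    """A signature is trusted only if it validates AND comes from the pinned key."""
    fpr = signing_fingerprint(gpg_status)
    wanted = pinned.replace(" ", "").upper()
    return fpr is not None and hmac.compare_digest(fpr, wanted)


def run_gpg_verify(sig_path: str, file_path: str) -> str:
    """Run gpg and return its status lines (assumes gpg is installed and the
    maintainer's key was imported; the pinned fingerprint check decides trust)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


def verify_release(file_path: str, sig_path: str, checksum_path: str,
                   pinned: str = PINNED_FINGERPRINT) -> bool:
    data = Path(file_path).read_bytes()
    ok_hash = checksum_matches(data, Path(file_path).name,
                               Path(checksum_path).read_text())
    ok_sig = signature_trusted(run_gpg_verify(sig_path, file_path), pinned)
    return ok_hash and ok_sig


if __name__ == "__main__":
    # Constructed sample: fake binary bytes and fake gpg status output.
    sample = b"not a real binary\n"
    checksum_text = f"{sha256_hex(sample)}  bolt8-node10-macos-x64\n"
    status = ("[GNUPG:] GOODSIG 0123456789ABCDEF00 Demo Maintainer <demo@example.invalid>\n"
              f"[GNUPG:] VALIDSIG {DEMO_FPR} 2019-06-17 1560776395 0 4 0 1 8 00 {DEMO_FPR}\n")
    print("checksum ok:", checksum_matches(sample, "bolt8-node10-macos-x64", checksum_text))
    print("pinned key  :", signature_trusted(status, DEMO_FPR))
    print("other key   :", signature_trusted(status, PINNED_FINGERPRINT))
```

Note that `checksum_matches` alone adds nothing against the scenario in the question, since the attacker who swaps the binary also swaps the checksum file; it only guards against a corrupted download. The security comes from `signature_trusted` comparing against a fingerprint the user obtained elsewhere, which is why the pinned value is a constant in the verifier rather than something read from the release page.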