This repository contains the GPG public key used to verify the integrity and authenticity of the software it builds and distributes.
The GPG key in this repository is used to:
- Guarantee the integrity of distributed files
- Allow verification of the authenticity of builds
- Ensure that releases were generated by a trusted source
- Prevent tampering with binaries and artifacts after publication
Releases generated by this project are signed with GPG; each artifact is published together with a detached signature (the .asc file).
The signature can be verified with the public key available in this repository.
Example of verification:
gpg --import pubkey.key
gpg --verify release.tar.gz.asc release.tar.gz
Note that gpg prints "Good signature" for any key present in your keyring, so after importing the key compare its fingerprint (gpg --fingerprint) with a value obtained from a trusted channel before relying on the result.
The public key is stored in this repository as:
pubkey.key
It can be imported by any user to validate the generated artifacts.
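The procedure above, scripted as an added example (not part of this project's tooling): the key is imported into a throwaway keyring, the detached signature is checked through gpg's machine-readable status output, and the result is accepted only if the signing key's primary fingerprint matches one supplied out of band. The file names pubkey.key, release.tar.gz and release.tar.gz.asc follow this README; the EXPECTED_FPR value and the demo key are assumptions, and the demo payload is a constructed sample rather than a real release.

```shell
#!/bin/sh
# Added example, not the project's own script. Requires GnuPG 2.x.
set -u

# verify_release PUBKEY ARTIFACT SIGNATURE EXPECTED_FPR
# Returns 0 for a good signature from the expected key, 1 for a bad signature or a
# fingerprint mismatch, 2 for setup errors. A throwaway GNUPGHOME keeps the user's
# own keyring and trust database untouched.
verify_release() {
    pubkey=$1; artifact=$2; sig=$3; expected=$4
    home=$(mktemp -d) || return 2
    if ! GNUPGHOME="$home" gpg --batch --quiet --import "$pubkey" 2>/dev/null; then
        rm -rf "$home"; return 2
    fi
    # VALIDSIG is only emitted for a cryptographically good signature; its last field
    # is the primary key fingerprint, which also covers signatures made by a subkey.
    signer=$(GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null \
             | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
    [ -n "$signer" ] || return 1             # BADSIG, NODATA or unknown key
    [ "$signer" = "$expected" ] || return 1  # "Good signature", but from the wrong key
    return 0
}

# demo_tamper_detection: creates an assumed throwaway signing key and a constructed
# release, then checks three outcomes: the genuine artifact is accepted, a good
# signature from an unexpected key is rejected, and a modified artifact is rejected.
demo_tamper_detection() {
    work=$(mktemp -d) || return 2
    signer="$work/signer"; mkdir -m 700 "$signer"
    GNUPGHOME="$signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <demo@example.invalid>' default 2>/dev/null || return 2
    # The fingerprint a real user would obtain through a trusted channel (EXPECTED_FPR).
    fpr=$(GNUPGHOME="$signer" gpg --batch --with-colons --fingerprint demo@example.invalid 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    GNUPGHOME="$signer" gpg --batch --armor --export demo@example.invalid > "$work/pubkey.key"
    printf 'constructed release payload\n' > "$work/release.tar.gz"   # sample input, not a real tarball
    GNUPGHOME="$signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' --armor \
        --output "$work/release.tar.gz.asc" --detach-sign "$work/release.tar.gz" || return 2
    GNUPGHOME="$signer" gpgconf --kill gpg-agent 2>/dev/null || true

    genuine=0
    verify_release "$work/pubkey.key" "$work/release.tar.gz" "$work/release.tar.gz.asc" "$fpr" || genuine=$?
    wrongkey=0
    verify_release "$work/pubkey.key" "$work/release.tar.gz" "$work/release.tar.gz.asc" \
        "0000000000000000000000000000000000000000" || wrongkey=$?
    printf 'x' >> "$work/release.tar.gz"   # post-publication tampering
    tampered=0
    verify_release "$work/pubkey.key" "$work/release.tar.gz" "$work/release.tar.gz.asc" "$fpr" || tampered=$?
    rm -rf "$work"
    [ "$genuine" -eq 0 ] && [ "$wrongkey" -eq 1 ] && [ "$tampered" -eq 1 ]
}

if command -v gpg >/dev/null 2>&1; then
    if demo_tamper_detection; then
        echo "verify_release: genuine accepted, wrong key rejected, tampered file rejected"
    else
        echo "verify_release: unexpected result" >&2
    fi
fi
```

For a real release the call is `verify_release pubkey.key release.tar.gz release.tar.gz.asc "$EXPECTED_FPR"`, with EXPECTED_FPR taken from somewhere other than the repository being verified; the fingerprint comparison is what turns gpg's "Good signature" (which only means the signature matches some imported key) into "signed by the project's key".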
This project adopts a trust model based on cryptographic signatures:
- Only builds signed with the corresponding private key are considered valid.
- The private key is never exposed in this repository.
- The public key can be freely distributed.
The presence of this public key allows end users and automated systems to verify that:
- The file has not been altered after it was signed.
- The build was signed by the holder of the project's private key.
- The release has not been replaced or modified since it was published.
Important caveats:
- The security of this system depends on the protection of the private key.
- If the private key is compromised, all previous signatures must be re-evaluated.
- A valid signature only proves that the signer held the private key; confirm the key's fingerprint through a trusted channel before relying on it.
- Always verify signatures before running any software.
This mechanism ensures transparency, security, and reliability in the software distribution process of this project.