AidanMontareDotNet

You are on the old part of aidanmontare.net, which I am no longer maintaining. Newer versions of some of this content can be found on the active part of my site, which you can reach from my homepage.

GPG Security Now Available

Releases of projects at code.aidanmontare.net will now have SHA512 checksums and GPG signatures available. Additionally, many projects will have their Git commits signed.

After learning how to create signatures and sign them, I went on a pushing spree. Most projects should now have signatures of their code available.

I realize that many of these projects don’t exactly need release signing. Also, it might be quite redundant to sign releases with GPG when they can only be downloaded over a secure SSL connection. However, I am signing things anyway.

I recently created a new page on my site: https://aidanmontare.net/about/security/. This page describes how to enter my GPG key into your keyring (on a Linux system) and verify the releases of my projects using the SHA512SUM files located in most projects’ repositories.

For those who are interested, the Security page also outlines how you can create a similar setup with your own projects.
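The two checks mentioned above (the GPG signature on the checksum list, then the checksums themselves) can be scripted as below. This is an added example, not taken from this post or from the Security page; the detached-signature name `SHA512SUM.asc`, the directory layout and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded release directory.
# Assumed layout (not from the original post): <dir>/SHA512SUM plus a
# detached signature <dir>/SHA512SUM.asc made with the project's key.

# Step 1: authenticity. Check the detached signature over the checksum list.
# gpg exits 0 for a good signature from ANY key in the keyring, so import
# only keys whose fingerprint you have checked against a trusted source.
verify_signature() {
    local dir=$1
    [ -f "$dir/SHA512SUM.asc" ] || { echo "no signature file" >&2; return 2; }
    gpg --verify "$dir/SHA512SUM.asc" "$dir/SHA512SUM"
}

# Step 2: integrity. Every listed file must exist and match its digest.
verify_checksums() {
    local dir=$1
    [ -s "$dir/SHA512SUM" ] || { echo "missing or empty SHA512SUM" >&2; return 2; }
    # Refuse lists containing anything other than "<128 hex>  <name>" lines,
    # so a malformed entry is an error rather than a silently skipped line.
    if grep -Evq '^[0-9a-f]{128} [ *].' "$dir/SHA512SUM"; then
        echo "malformed line in SHA512SUM" >&2
        return 2
    fi
    # Run from inside the directory because the list holds relative names.
    ( cd "$dir" && sha512sum -c SHA512SUM >/dev/null )
}

# Both steps, in order: a checksum list that is not signed only shows the
# files match the list, not that the list came from the author.
verify_release() {
    verify_signature "$1" && verify_checksums "$1"
}
```

Call `verify_release /path/to/release` after importing the signing key; a non-zero exit status means the release should not be used.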

I would encourage all developers or website administrators who make downloads available to adopt a similar policy of signing releases (especially if they don’t have SSL). Even if most users will never check the signatures, it still builds confidence that your project takes security seriously.