On 27 June 2018 at 00:20, Tom Kent via Boost-users <boost-users@lists.boost.org> wrote:
The hashes (for the binaries) are signed with a PGP key as they are packaged up for each release. I agree it would be easy to change the hash in the SHA256SUMS. However, it would be impossible to create a copy of the SHA256SUMS.asc file that can be verified with GPG/PGP without hacking the private key that signs that file. This is a *much* higher bar, and does provide security.
That is indeed much better [than I thought], but those people who download the .exe will not check that, as this requires quite a bit of knowledge.

Just a question from a layman in this matter: can't the server make this check before serving the file, or does a setup like that actually weaken the security?

degski
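The client-side check discussed in this thread, as an added example that is not part of either poster's message or of Boost's own tooling. It assumes SHA256SUMS.asc is a detached signature over SHA256SUMS, that the release key is already in the local GnuPG keyring, and that its fingerprint (the third argument, a placeholder) was confirmed through a separate channel; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: SHA256SUMS.asc is a detached signature over
# SHA256SUMS; the expected key fingerprint was obtained out of band.

# check_sum SUMS_FILE TARGET
# Succeeds only if TARGET's SHA-256 equals the entry listed for its basename.
# Limitation: file names containing whitespace are not handled.
check_sum() {
    sums=$1; target=$2
    name=$(basename "$target")
    # Lines look like "<hex>  <name>" or "<hex> *<name>" (binary mode).
    want=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums" |
        tr 'A-F' 'a-f')
    [ -n "$want" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    have=$(sha256sum "$target" | awk '{ print $1 }')
    [ "$want" = "$have" ] || { echo "hash mismatch for $name" >&2; return 1; }
}

# verify_release SUMS_FILE TARGET FINGERPRINT
# FINGERPRINT: uppercase hex, no spaces, of the key expected to have signed.
verify_release() {
    sums=$1; target=$2; fpr=$3
    [ -f "$sums.asc" ] || { echo "missing $sums.asc" >&2; return 3; }
    # Signature first: a SHA256SUMS file that anyone on the server could have
    # rewritten says nothing until the signature over it has been checked.
    # gpg alone accepts any key in the keyring, so pin the fingerprint that
    # appears on the VALIDSIG status line.
    gpg --batch --status-fd 1 --verify "$sums.asc" "$sums" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG $fpr " ||
        { echo "signature missing, bad, or from an unexpected key" >&2; return 4; }
    # Only now is the hash list trustworthy enough to compare against.
    check_sum "$sums" "$target"
}

# Usage (placeholder fingerprint):
#   verify_release SHA256SUMS ./installer.exe "<RELEASE-KEY-FINGERPRINT>"
```

If the release is signed with a subkey, the first fingerprint on the VALIDSIG line is that subkey's, so that is the value to pin.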