[mhils]

GitHub's permission system is quite brittle here: Anyone with write access to a repository can silently swap out binaries on the releases page, which are then still listed as "Verified" if the commit is signed. It's a complex problem, but the current approach feels subpar.

[aaron_m04]

Sounds like a good opportunity for integration with GPG, keybase, and other signing tools.

[kingosticks]

I was surprised that there was no gitlab integration with keybase when I signed up last night to check it out. Not just to save me manually copying my key but for the cross-platform identity verification.

[Boulth]

It's not that easy to solve in general. Usually these artifacts are built by CI so it'd have to sign them too (if they are not reproducible the you can't build them locally and check if they are the same). So a person that has admin access in CI can do that too.

Of course current design leaves much to be desired.