Y
Hacker News
new
|
ask
|
show
|
jobs
by
cryo
1956 days ago
Wouldn't it be saner to also verify the downloaded archive hash? It looks like the domain resolving of nginx.org is trusted without doubt.
1 comments
kdunglas
1956 days ago
Sure! I also opened another PR to check the archive signature:
https://github.com/signalapp/Signal-TLS-Proxy/pull/10
link