[dveeden2]

> The generated files libntlm-1.8.tar.gz and libntlm-1.8.tar.gz.sig are published

Shouldn't we make browsers and (lib)curl understand this and automatically verify signatures? Maybe with some PKI or TOFU?