
I'm talking about developers signing the archive on their local machine. Private key would be stored on developer's laptop.



You still need the public key to validate the signature. If the attacker can change the public key, he can change the signature without you knowing - unless you explicitly want to trust each and every key for every gem you install.
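The point made in the reply above, as an added Ruby example that is not part of the thread: a signature checked against a public key served alongside the archive accepts a replaced key, signature and archive together, while a check against a fingerprint pinned out of band rejects them. All names, keys and archive contents are constructed for illustration and are not RubyGems' own API.

```ruby
require "openssl"

# SHA-256 fingerprint over the DER encoding of a PEM public key.
def fingerprint(public_key_pem)
  der = OpenSSL::PKey::RSA.new(public_key_pem).to_der
  OpenSSL::Digest::SHA256.hexdigest(der)
end

# Developer side: sign the archive with the private key held locally and
# publish archive, signature and public key together (hypothetical layout).
def publish(private_key, archive)
  {
    archive: archive,
    signature: private_key.sign(OpenSSL::Digest.new("SHA256"), archive),
    public_key_pem: private_key.public_key.to_pem
  }
end

# Weak check: trusts whatever public key arrives with the download.
def verify_with_served_key(bundle)
  pub = OpenSSL::PKey::RSA.new(bundle[:public_key_pem])
  pub.verify(OpenSSL::Digest.new("SHA256"), bundle[:signature], bundle[:archive])
end

# Pinned check: the served key must match a fingerprint the installer
# already trusts (obtained out of band) before the signature is evaluated.
def verify_with_pinned_key(bundle, pinned_fingerprint)
  return false unless fingerprint(bundle[:public_key_pem]) == pinned_fingerprint
  verify_with_served_key(bundle)
end

# Constructed sample data.
DEV_KEY   = OpenSSL::PKey::RSA.new(2048) # stands in for the developer's key
OTHER_KEY = OpenSSL::PKey::RSA.new(2048) # stands in for a substituted key

GENUINE  = publish(DEV_KEY, "example-1.0.gem contents (constructed)")
REPLACED = publish(OTHER_KEY, "altered contents (constructed)")
TAMPERED = GENUINE.merge(archive: "altered contents (constructed)")
PINNED   = fingerprint(GENUINE[:public_key_pem])

if __FILE__ == $PROGRAM_NAME
  { genuine: GENUINE, replaced: REPLACED, tampered: TAMPERED }.each do |name, b|
    puts format("%-9s served-key=%-5s pinned=%s", name,
                verify_with_served_key(b), verify_with_pinned_key(b, PINNED))
  end
end
```

The pinned fingerprint only helps if it reaches the installer over a channel the download server does not control, which is the per-key trust decision the reply describes.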



