I propose the ability to sign packages by providing an ed25519 digital signature as an additional file.
If there was a package called beanslib then you'd have:
beanslib.lua as the actual package manifestbeanslib.lua.sig as an ed25519 digital signature of beanslib.lua
I'm not sure how to handle distributing and verifying public keys, maybe the key could be remote-level and packages are signed by the remote's maintainer?
Packages should not require a signature, but if they do have one, and the signature is determined to not be valid, the package should be rejected on install and an error stating that the signature is invalid should be given to the user.
I propose the ability to sign packages by providing an ed25519 digital signature as an additional file.
If there was a package called
beanslibthen you'd have:beanslib.luaas the actual package manifestbeanslib.lua.sigas an ed25519 digital signature ofbeanslib.luaI'm not sure how to handle distributing and verifying public keys, maybe the key could be remote-level and packages are signed by the remote's maintainer?
Packages should not require a signature, but if they do have one, and the signature is determined to not be valid, the package should be rejected on install and an error stating that the signature is invalid should be given to the user.