https://issues.dlang.org/show_bug.cgi?id=16065
--- Comment #6 from Sobirari Muhomori <[email protected]> ---
(In reply to James King from comment #5)
> To add to that, PGP signatures must also be delivered over HTTPS

AFAIK, they can be delivered over HTTP just fine. It's a key property of a digital signature that it can't be realistically forged because of math behind cryptography.

> and even then, again, the
> only barrier to supplying a bad binary is to gain access to the web server.

The signature doesn't prevent supplying a bad binary from the web server. It prevents running the bad binary if the user checks the signature and pays attention to the failed check and decides to not run it.

--
