Replies: 4 comments 14 replies
-
They are not, and it is not feasible for us. If you trust us, just strip the "downloaded" attribute from the release archive (as explained on the releases page).
-
It might be feasible, we could use a service like vim does: https://github.com/vim/vim-win32-installer?tab=readme-ov-file#signed-builds However, I see that #11011 (comment) mentions another problem.
-
Coincidentally, GitHub just announced Artifact Attestations:
Not sure if that fully solves the problem for macOS specifically, but it seems like a step that would set us up for a long-term solution.
-
I don't exactly understand the threat model here -- you already trust us fully by running a binary which we build and you can't vet. You can already verify corrupted downloads (or man-in-the-middle attacks) from our releases page by comparing the provided hash. What would signing provide on top of that? Do you expect that a personal signature from one of the maintainers (which?) is more trustworthy than that? Why? As far as you know, we are all just random internet clowns -- if you can't trust the releases we provide via GitHub, why would a signature change that?
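The hash check the maintainer refers to above, written out as an added example (not code from the Neovim project or from anyone in this thread): compute the SHA-256 of the downloaded archive and compare it to the value copied from the releases page before trusting the file. The archive path and both hashes are constructed stand-ins.

```shell
#!/bin/sh
# Added example: verify a downloaded release archive against the SHA-256
# published on the releases page. Exit status 0 means the hashes match.

sha256_of() {
  # Portable across GNU coreutils (Linux) and BSD/macOS userland.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_release() {
  archive="$1"
  expected="$2"   # hash copied by hand from the releases page
  actual=$(sha256_of "$archive")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $archive matches the published hash"
    return 0
  fi
  echo "MISMATCH: $archive" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Constructed sample standing in for a real release tarball.
sample=$(mktemp)
printf 'constructed release payload\n' > "$sample"
good_hash=$(sha256_of "$sample")   # what a trustworthy releases page would list
bad_hash=$(printf '%064d' 0)       # a corrupted download or mistyped hash

verify_release "$sample" "$good_hash"
# Only after the check passes would you follow the releases page's note
# on stripping the macOS "downloaded" (quarantine) attribute.
verify_release "$sample" "$bad_hash" || echo "refusing to use $sample"
```

Note that this only detects corruption or substitution in transit; it cannot tell you whether the hash itself was published by someone you trust, which is the point the comment above is making.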
-
Are the Mac releases signed for Gatekeeper? If not, would it be possible to start signing them so Mac users don't have to bypass Gatekeeper, since there is no other means to verify neovim?