
Download signature with installer

Open mbrodala opened this issue 10 years ago • 5 comments

The installer script currently only downloads the latest .phar. To check the integrity of that file, one has to manually download the matching signature (see #123) from GitHub releases.

It would be useful if the installer did this automatically and downloaded the box.phar.sig next to the box.phar, so that one can simply run gpg --verify box.phar.sig box.phar afterwards.

mbrodala, May 02 '16 09:05

I'm leaning towards no on this issue because I feel like this will give users a false sense of security if GitHub does become compromised.

kherge, May 04 '16 16:05

Not sure where a false sense of security could be given. Even if GitHub is compromised and both the .phar and .phar.sig have been tampered with, a check via GPG and your public key will reveal this.

This issue is simply about convenience without any security change.

mbrodala, May 04 '16 16:05

Of course, to be absolutely sure I'd have to meet you in person and verify that the public key I have retrieved is really yours. ;-)

mbrodala, May 04 '16 16:05

Would it be reasonable to assume that if any of the release files are tampered with, the files used in the gh-pages branch could also be tampered with? I can imagine a situation where the install script is modified to bypass the GPG check and falsely report that it succeeded.

kherge, May 04 '16 16:05

But I didn't request the install script to perform the GPG verification, did I? ;-)

Again, all I'm requesting is to conveniently download the .phar.sig, nothing more. The check must still be performed by the user of course.

mbrodala, May 06 '16 07:05
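The procedure the thread converges on (fetch box.phar and box.phar.sig together, then the user runs gpg --verify) combined with mbrodala's point that the public key itself must be trusted out of band, as an added example that is not box2's installer script. It pins the signer's key fingerprint and checks gpg's machine-readable VALIDSIG status line against it, so a valid signature from some other key is rejected too; BOX_RELEASE_URL, BOX_SIGNER_FPR and the keyring path are placeholders the user replaces, and the signer's public key is assumed to have been imported into that keyring beforehand.

```shell
#!/bin/sh
# Added example, not box2's own installer. Downloads the .phar and its
# detached signature side by side and verifies the signature against a
# dedicated keyring and a PINNED fingerprint.
# Placeholders: BOX_RELEASE_URL, BOX_SIGNER_FPR, KEYRING are assumptions,
# not values from the project.

BOX_RELEASE_URL="https://example.invalid/box2/releases/latest"  # placeholder
BOX_SIGNER_FPR="0000000000000000000000000000000000000000"       # placeholder
KEYRING="$HOME/.box2-trust.gpg"                                # placeholder

# Return 0 only if gpg's --status-fd output contains a VALIDSIG line whose
# signing-key fingerprint ($3) or primary-key fingerprint (last field)
# equals the pinned one. GOODSIG alone is not enough: it only says the
# signature matches *some* key in the keyring.
sig_from_pinned_key() {
    status="$1"; expected="$2"
    printf '%s\n' "$status" | awk -v fpr="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

download_and_verify() {
    curl -fsSL -o box.phar     "$BOX_RELEASE_URL/box.phar"     || return 1
    curl -fsSL -o box.phar.sig "$BOX_RELEASE_URL/box.phar.sig" || return 1
    # Status lines go to stdout (fd 1); human-readable chatter stays on stderr.
    status=$(gpg --no-default-keyring --keyring "$KEYRING" \
                 --status-fd 1 --verify box.phar.sig box.phar 2>/dev/null) || {
        rm -f box.phar; echo "signature check failed, box.phar discarded" >&2; return 1; }
    sig_from_pinned_key "$status" "$BOX_SIGNER_FPR" || {
        rm -f box.phar; echo "signature valid but not from the pinned key, box.phar discarded" >&2; return 1; }
    echo "box.phar verified against key $BOX_SIGNER_FPR"
}

# Only perform the download when explicitly asked: `sh install.sh run`.
case "${1:-}" in
    run) download_and_verify ;;
esac
```
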