Package Signing Security

Discussions center on cryptographic signing (GPG, PGP) for verifying software packages in package managers and repositories like Linux distros, npm, and others, debating trust, mirror security, and comparisons to checksums.

Trend: Falling 0.4x (Security)
Comments: 3,104
Years Active: 20
Top Authors: 5
Topic ID: #2352

Activity Over Time

Year  Comments
2007  1
2008  1
2009  6
2010  17
2011  45
2012  72
2013  150
2014  211
2015  198
2016  317
2017  165
2018  197
2019  246
2020  174
2021  244
2022  263
2023  346
2024  218
2025  218
2026  17

Keywords

Security.html AUR EDIT NPM DNS UX fossies.org DHT HTTPS FWIW signing package signatures packages key pgp signature checksum signed debian

Sample Comments

Ferret7446 Dec 27, 2022 View on HN

Packages are signed, unless you're using a niche, insecure distro or package manager. Of course, that signing key could also be compromised, but those are usually more tightly guarded than web servers, which are compromised rather more frequently (any reputable dev should have their key in a hardware enclave like yubikey or similar).

VMG Sep 15, 2017 View on HN

How likely is it that npm and other package managers that do not use digital signatures by default are unaffected?

rho138 Aug 25, 2024 View on HN

Are packages cryptographically signed by the actual package maintainer or only with the repo owner's key?

tokenrove Nov 1, 2013 View on HN

Unless you verify against a PGP signature with trusted keys.

rb12345 Aug 31, 2016 View on HN

The downloads are all GPG-signed, so that shouldn't be an issue. You have the issue of the initial trust, but that applies to HTTPS too to a lesser extent.

zahllos Aug 9, 2021 View on HN

Yes, it is a real concern. If you're running a Linux distribution, chances are you are downloading your packages from a mirror and not the primary mirror for your distribution. This is done to everyone's benefit bandwidth-wise. However, it opens up the possibility that the artefacts can be tampered with on the server. Signing confirms their authenticity. In a (cryptographically secure) hash, there is no 'key' and so anyone can create a valid one for their modified bundle. D

eru Jun 8, 2019 View on HN

That would be pretty annoying. The signatures are an end-to-end thing. As long as you can trust the signer at time of signing, you can trust the package. No matter what happened to that package in the meantime, or what shady people were in charge of transmitting it to you. Be that five minutes after uploading or fifty years. 2FA and HTTPS only do anything extra on top of that for you if you trust the whole chain of transmission at all times, and all custodians of the data. Adding 2FA a

BSDobelix May 29, 2024 View on HN

You know that packages are signed, right? That's why everyone can be a LibreOffice or ArchLinux mirror... or Fedora?

pona-a Oct 20, 2025 View on HN

Why not even a PGP signature from the team? At least the public keys can be pinned so the possible compromise can be detected. I think Arch does something like that.

voltagex_ May 30, 2014 View on HN

The signatures and binaries are not served over HTTPS. It would be prudent to compare them to other sources.