Supply chain security: PGP signature of archives? #465
Closed
tchoutri started this conversation in Feature Requests
Replies: 1 comment
Original post (tchoutri):

When uploading archives to Flora, it would be interesting to include a detached PGP signature that would be verified by the server.

The main model I'm thinking of right now is GitHub, where you upload your PGP public key, sign commits with your private key, and the server can verify if the two match, and display a little green check.

Reply:

This is not going to work because we optimise the tarballs we serve. We do store the originals but only to recover from data loss or when we tweak the optimisations of the tarballs we serve.
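As an added illustration of the reply's point (example code, not part of the Flora project or this thread): a detached signature over the uploaded file covers its raw bytes, which a server-side re-optimisation changes, whereas a signature over a canonical digest of the tar members would survive the re-pack and still catch a modified member. The `make_tarball`, `raw_digest` and `content_digest` names and the file contents are constructed for the example; the PGP signing call over the digest is assumed and not shown.

```python
"""Constructed, stdlib-only demonstration: raw-byte digests break under
re-compression; a digest over member names and contents does not."""
import gzip
import hashlib
import io
import tarfile


def make_tarball(files, level, mtime):
    """Build a .tar.gz in memory. Compression level and gzip mtime are the
    knobs a server-side 'optimisation' pass would typically change."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:  # plain tar; gzip below
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(buf.getvalue(), compresslevel=level, mtime=mtime)


def raw_digest(tar_gz):
    """What a detached signature over the uploaded file actually covers."""
    return hashlib.sha256(tar_gz).hexdigest()


def content_digest(tar_gz):
    """Digest over member names and contents in sorted order: stable across
    re-compression, so a signature over it survives the optimisation pass."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tar_gz), mode="r:gz") as tar:
        members = sorted((m for m in tar.getmembers() if m.isfile()),
                         key=lambda m: m.name)
        for m in members:
            data = tar.extractfile(m).read()
            # length-prefix both fields so "a"+"bc" and "ab"+"c" cannot collide
            h.update(len(m.name).to_bytes(4, "big") + m.name.encode())
            h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


# Constructed package: what the author uploads, what the server re-packs,
# and a copy with one member altered.
FILES = {"pkg/a.txt": b"hello\n", "pkg/b.txt": b"world\n"}
UPLOADED = make_tarball(FILES, level=9, mtime=1_700_000_000)
SERVED = make_tarball(FILES, level=1, mtime=0)  # re-optimised by the server
TAMPERED = make_tarball({**FILES, "pkg/a.txt": b"hell0\n"}, level=1, mtime=0)

if __name__ == "__main__":
    print("raw digest survives re-pack:", raw_digest(UPLOADED) == raw_digest(SERVED))
    print("content digest survives re-pack:", content_digest(UPLOADED) == content_digest(SERVED))
    print("content digest catches tampering:", content_digest(UPLOADED) != content_digest(TAMPERED))
```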