software-verification issue for Sia-UI (.sig-file corrupt)
-
I recently downloaded the Sia-UI from GitHub. I also downloaded the corresponding .sig-file.
Anyhow, I get a GPG-error when I try to verify:

$ gpg --verify Sia-UI-v1.3.1-linux-x64.zip.sig
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

I've tried from different machines with different downloads from four different locations. Still, I get the same error. Can somebody please direct me to a way that will provide me with a signed version of the software? I'm not installing any unsigned packages on my machine.
I like this project - still, I find it strange that software like this that deals with people's money doesn't take signature-verification super seriously? There are some outstanding resources on how to do proper verification, like here and here. Why is there no proper documentation concerning verification of the software either on GitHub or sia.tech? From a security-perspective I find this very troubling.
Best regards,
Josefa
-
Agreed. And they don't even list the .sig for the CLI downloads. Would you mind creating an issue ticket at https://github.com/NebulousLabs/Sia-UI/issues for this?
-
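gpg prints "no valid OpenPGP data found" when the file it is given does not parse as OpenPGP packets at all, so a useful first check is what the downloaded .sig actually contains. The script below is an added example, not part of the thread or of the Sia project; `classify_sig` is a hypothetical helper name, the sample files are constructed, and the "html-page" case is only an assumption about one way a download can go wrong.

```shell
#!/bin/sh
# Added example: classify the contents of a downloaded ".sig" file.
# classify_sig is a hypothetical helper, not part of gpg or Sia-UI.

classify_sig() {
    f=$1
    [ -s "$f" ] || { echo "empty"; return 0; }

    # First byte of the file as two hex digits.
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    case "$first" in
        # Binary OpenPGP Signature packet (tag 2):
        # old-format headers 0x88/0x89/0x8a, new-format header 0xc2.
        88|89|8a|c2) echo "binary-signature"; return 0 ;;
    esac

    # ASCII-armored detached signature (.asc style).
    if head -n 1 "$f" | grep -q '^-----BEGIN PGP SIGNATURE-----'; then
        echo "armored-signature"; return 0
    fi

    # Assumption: a web page or error body was saved instead of the asset.
    if head -c 512 "$f" | grep -qi -e '<!doctype html' -e '<html'; then
        echo "html-page"; return 0
    fi

    echo "not-openpgp"
}

# Constructed samples (not real Sia-UI release files).
tmp=$(mktemp -d)
printf '<!DOCTYPE html><html><body>Not Found</body></html>\n' > "$tmp/page.sig"
printf '\211\001\063' > "$tmp/bin.sig"      # 0x89 = old-format signature header
printf '%s\n' '-----BEGIN PGP SIGNATURE-----' > "$tmp/arm.sig"

for f in "$tmp"/*.sig; do
    printf '%s: %s\n' "${f##*/}" "$(classify_sig "$f")"
done
```

A result of "binary-signature" or "armored-signature" only says the file looks like a signature; verification still needs `gpg --verify` with the signature file first and the signed file second, against a key whose fingerprint was obtained independently of the download.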