What is code signing
Code signing is the application of cryptographic hashes to code. Most people sign code in order to guarantee that no one has tampered with the code since publishing, and to explicitly be able to say that specific artifact originated somewhere. Most code signing relies on trusted third parties to effectively vouch for the identity of the signer.
Code signing isn’t really new, even in the open source world. Most Linux distributions have been signing their packages for years. But Linux distributions are fortunate in many ways. They own everything from the kernel to user land applications, and typically a user installs most if not all software via the distributions package repositories. This means you trust a code signing key shortly after or during installation for that distribution. Linux distribution users ‘trust’ packages that are signed by the same key as their installation medium. Most don’t check to verify that the signatures match what the project proclaims, but such verification is available....