This is an incredible program, but I would really love to be able to verify the installer once I’ve downloaded it. The reason is simple: one can never know if, for brief moments, the installer gets compromised with another one which has malicious code embedded into it.
I reckon that this has probably never happened before, but I think that adding another layer of security to an app that will hold such important and personal information is for sure beneficial, right?
If those keys are already available, I wasn’t able to find them after some googling…
See Releases · portfolio-performance/portfolio · GitHub - there you will find the download files and the .asc files
$ gpg1 --verify PortfolioPerformance-0.56.3-linux.gtk.x86_64.tar.gz.asc
gpg: die unterzeichneten Daten sind wohl in 'PortfolioPerformance-0.56.3-linux.gtk.x86_64.tar.gz'
gpg: Unterschrift vom So 09 Jan 2022 20:49:07 CET mittels RSA-Schlüssel ID 560C95AC
gpg: fordere Schlüssel 560C95AC von hkps-Server keys.openpgp.org an
gpg: Schlüssel 560C95AC: Öffentlicher Schlüssel "Buchen Andreas <andreas.buchen@gmail.com>" importiert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg: importiert: 1 (RSA: 1)
gpg: Korrekte Unterschrift von "Buchen Andreas <andreas.buchen@gmail.com>"
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck = E46E 6F8F F02E 4C83 5690 8458 9239 277F 560C 95AC
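
The warning lines in the output above say the signature is correct but gpg has no trust path tying the key to its owner. As an added example (not from the thread or the project), this script closes that gap by pinning the fingerprint and parsing gpg's machine-readable `--status-fd` lines rather than the localized text. It assumes the key is already in the keyring and that the fingerprint printed above was confirmed through an independent channel; the function names and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Pins the signer's fingerprint so a valid
# signature made by any other key is rejected.

# Fingerprint as printed in the gpg output above, spaces removed.
EXPECTED_FPR="E46E6F8FF02E4C83569084589239277F560C95AC"
GPG="${GPG:-gpg}"   # assumption: set GPG=gpg1 to match the session above

# Reads gpg --status-fd lines on stdin. Succeeds only if at least one VALIDSIG
# is present, each names the pinned primary key, and no failure status appears.
status_matches_pin() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            seen = 1
            # Field 12 is the primary key fingerprint; older output carries
            # only the signing key fingerprint in field 3.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) != toupper(pin)) bad = 1
        }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }
    '
}

# Constructed status lines for a passing case (timestamp and fields illustrative).
sample_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 9239277F560C95AC Buchen Andreas <andreas.buchen@gmail.com>" \
        "[GNUPG:] VALIDSIG $EXPECTED_FPR 2022-01-09 1641757747 0 4 0 1 8 00 $EXPECTED_FPR"
}

verify_release() {   # usage: verify_release FILE.asc FILE
    "$GPG" --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_pin "$EXPECTED_FPR"
}

# Runs only when called with a signature file and a data file.
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" || { echo "signature check FAILED" >&2; exit 1; }
    echo "OK: signed by $EXPECTED_FPR"
fi
```

Run it as `sh verify.sh PortfolioPerformance-0.56.3-linux.gtk.x86_64.tar.gz.asc PortfolioPerformance-0.56.3-linux.gtk.x86_64.tar.gz`; the script name is a placeholder.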