Here is one of the validation files for 0.7.0.
Any changes to any of those files will change their hashes, and changes to any of the hashes will break the signature. If you've verified the key, you can check them for each release. By the way, the key they are signed with (currently) can be found here. (But please don't take my word for it, verify the key yourself before you sign it or use it.)
But how can I trust you? Or that the owners of this site haven't modified your post?
Perhaps key-signing parties need to become part of the Bitcoin deal.
Probably should have these files torrented too for the decentralization. Would that decrease or increase security? Possibly neither, I suspect.
Heh, you don't trust me, or my posts. In fact, I explicitly tell you not to.
If, for some strange reason, you did want to trust me, I'd tell you that if:
1) the SHASUMS.asc file you are looking at has the SHA256 hash d2f06aca782ae7bc1f0df13e2646ea3343f09048019aa3136832c11c04a08fc7
and
2) the 1FC730C1 key you've downloaded verifies the signature in that file
then according to me (or anyone that has access to the forum database or can intercept either my post or your loading of my post), you have the right key and file.
Torrent would ensure that the file you downloaded was the file described in the torrent, but it couldn't tell you that the torrent was legit.
One thing that you can do is check the hashes and signatures on several of the releases you've used in the past, and decide that you've already trusted that key, whoever it belongs to, without knowing it, and then sign it with your own key. That way, you'd at least know that future releases were signed by the same key as before.
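The checks described in that post, as an added example that is not code from any poster or from the Bitcoin project: a small Python script that parses a clearsigned SHASUMS.asc-style manifest, first confirms the manifest's own SHA256 against a hash obtained out-of-band, then checks each downloaded file against its listed digest. File names and contents are constructed for the demo; the `gpg --verify` step against the key you have already verified is left to the gpg binary and is not reproduced here.

```python
import hashlib
import re

# One sha256sum line: 64 hex digits, whitespace, optional '*' (binary mode), filename.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_clearsigned(manifest: str) -> list:
    """Return (hash, filename) pairs from the signed body only; armor headers and the signature block are skipped."""
    lines = manifest.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")  # ValueError if not clearsigned
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    body = lines[start + 1:end]
    while body and body[0].strip():  # drop "Hash: SHA256"-style armor headers before the blank line
        body.pop(0)
    entries = []
    for line in body:
        line = line[2:] if line.startswith("- ") else line  # undo clearsign dash-escaping
        if line.strip():
            m = LINE_RE.match(line)
            if not m:
                raise ValueError(f"malformed manifest line: {line!r}")
            entries.append((m.group(1).lower(), m.group(2)))
    return entries

def check_release(manifest: str, files: dict, expected_manifest_hash: str) -> dict:
    """Per-file verdict ('ok'/'MISMATCH'/'MISSING') once the manifest itself matches the out-of-band hash."""
    if sha256_hex(manifest.encode()) != expected_manifest_hash.lower():
        raise ValueError("SHASUMS.asc does not match the out-of-band hash")
    verdict = {}
    for digest, name in parse_clearsigned(manifest):
        if name not in files:
            verdict[name] = "MISSING"
        else:
            verdict[name] = "ok" if sha256_hex(files[name]) == digest else "MISMATCH"
    return verdict

# Constructed sample (digests of b"abc", b"hello", b""): release-c is tampered, release-d was never downloaded.
SAMPLE_MANIFEST = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  release-a.tar.gz
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  release-b.tar.gz
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  release-c.tar.gz
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  release-d.tar.gz
-----BEGIN PGP SIGNATURE-----
"""
SAMPLE_FILES = {"release-a.tar.gz": b"abc", "release-b.tar.gz": b"hello", "release-c.tar.gz": b"tampered"}
```

Run `check_release(SAMPLE_MANIFEST, SAMPLE_FILES, sha256_hex(SAMPLE_MANIFEST.encode()))` to see the two good files pass while the tampered and missing ones are flagged; in real use the expected manifest hash is the value posted out-of-band, not one computed from the file you just downloaded.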