You can do better

Yeah this. I think the OP was a bit much. Yes the user could take verification into there own hands like we do, but most wont, so repos, repo maintainers and distributions already (at least the major modern repos) by default already have pretty good signature verification with a pretty user friendly way of verifying and installing keys if needed. 3rd party repos are often signed if users want to get signed packages from the devs too.

If the market does not want it, not doing anything about it 🤷‍♂

Yep. That's the whole point of Zapstore

Yep. That's the whole point of Zapstore

how do you do this? how does a consumer verify a release?

Good point

Cool but does this prove anything? The signatures are pretty much centralized

FWIW I asked Maple about this and here's what it said: ***** Yes, on all major Linux distributions, package installation is cryptographically signed and verified by default—but the implementation varies by distribution and package format. ## How Major Distros Handle Signing **Debian/Ubuntu (APT)** - **Repository metadata** is signed with GPG keys. APT verifies the `Release` file signature before trusting any package lists. - **Individual packages** are typically signed by the maintainer's key, though APT primarily trusts the repository metadata rather than verifying every package signature independently by default. - Keys are stored in `/etc/apt/trusted.gpg.d/` or managed via `signed-by` in sources lists. **RHEL/CentOS/Fedora (RPM/DNF/YUM)** - **Packages** are GPG-signed by the packager (the `.rpm` file contains the signature). - **Repository metadata** is also signed. - DNF/YUM verify package signatures before installation using keys in `/etc/pki/rpm-gpg/`. - You can check a package's signature with: `rpm -K package.rpm` **Arch Linux (Pacman)** - **Packages** are signed by Arch Linux developer or Trusted User keys. - Pacman has a web of trust model; the `archlinux-keyring` package distributes trusted keys. - Signatures are stored as separate `.sig` files. **Alpine Linux (APK)** - Uses **RSA signatures** (not GPG). Each package has a corresponding `.rsa.sig` file. - Public keys are stored in `/etc/apk/keys/`. **openSUSE (ZYpp/RPM)** - Similar to Fedora: RPM packages are GPG-signed, and repository metadata is signed. ## Universal Package Formats - **Flatpak**: OSTree commits are signed with GPG; apps are verified against remotes. - **Snap**: Packages are signed; the snapd daemon verifies signatures from the Snap Store. - **AppImage**: Generally **not signed** by default (though some projects embed signatures separately). ## Important Caveats 1. **Manual downloads**: If you manually download a `.deb` or `.rpm` from a website and install it with `dpkg -i` or `rpm -i`, signature verification may be skipped or require manual key import. Using the distro's package manager (APT/DNF) enforces verification. 2. **Disabled verification**: You can disable signature checking (e.g., `apt-get --allow-unauthenticated` or `rpm --nosignature`), but this defeats the security model. 3. **Third-party repositories**: When adding a new repo, you must manually import the GPG key. The security depends on whether you verify the key fingerprint through a trusted channel. 4. **Build-from-source**: Compiling from source code (e.g., `make install`) bypasses the package signing system entirely. ## Verification Commands ```bash # Debian/Ubuntu: Check repository key apt-key list # Fedora/RHEL: Verify a package signature rpm -qi package_name | grep Signature # Arch: Verify package databases pacman-key --list-sigs # Alpine: Check keys ls /etc/apk/keys/ ``` **Bottom line:** Modern Linux distributions treat cryptographic signing as mandatory for their official repositories, protecting against man-in-the-middle attacks and package tampering. However, the security is only as strong as your key management practices and whether you verify keys when adding third-party repositories.