You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently it is not possible to verify the authenticity or cryptographic integrity of OsmAnd MapCreator because the releases are not cryptographically signed.
I should be able to download the OsmAnd PGP key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
I should be able to download a cryptographic signature of the release (or, better, the releases' digest file, such as a SHA256SUMS.asc file) along with the release itself
The downloads page itself should include a link to the documentation page that describes how to do the above two steps
Actual behavior: [What actually happened]
There's just literally no information on verifying downloads, and it appears that it is not possible to do so.
The text was updated successfully, but these errors were encountered:
Description
Currently it is not possible to verify the authenticity or cryptographic integrity of OsmAnd MapCreator because the releases are not cryptographically signed.
This makes it hard for OsmAnd MapCreator users to safely obtain the MapCreator software, and it introduces them to watering hole attacks.
Steps to Reproduce
Downloadslink to https://osmand.net/docs/versions/free-versionsOsmAnd MapCreatorlink to https://osmand.net/docs/versions/map-creatorExpected behavior: [What you expected to happen]
A few things are expected:
SHA256SUMS.ascfile) along with the release itselfActual behavior: [What actually happened]
There's just literally no information on verifying downloads, and it appears that it is not possible to do so.
The text was updated successfully, but these errors were encountered: