This repository has been archived by the owner on Sep 6, 2020. It is now read-only.

Download signature with installer #139

Open
mbrodala opened this issue May 2, 2016 · 5 comments

Comments

@mbrodala
Contributor

mbrodala commented May 2, 2016

The installer script currently only downloads the latest .phar. To check the integrity of that file, one has to manually download the matching signature (see #123) from GitHub releases.

It would be useful if the installer did this automatically and downloaded the box.phar.sig next to the box.phar, so one can simply run gpg --verify box.phar.sig box.phar afterwards.

@kherge
Contributor

kherge commented May 4, 2016

I'm leaning towards no on this issue because I feel like this will give users a false sense of security if GitHub does become compromised.

@mbrodala
Contributor Author

mbrodala commented May 4, 2016

Not sure where a false sense of security could be given. Even if GitHub is compromised and both the .phar and .phar.sig have been tampered with, a check via GPG and your public key will reveal this.

This issue is simply about convenience without any security change.

@mbrodala
Contributor Author

mbrodala commented May 4, 2016

Of course, to be absolutely sure I'd have to meet you in person and verify that the public key I have retrieved is really yours. ;-)

@kherge
Contributor

kherge commented May 4, 2016

Would it be reasonable to assume that if any of the release files are tampered with, that the files used in the gh-pages branch could also be tampered with? I can imagine a situation where the install script is modified to bypass the GPG check and falsely report that it succeeded.

@mbrodala
Contributor Author

mbrodala commented May 6, 2016

But I didn't request the install script to perform the GPG verification, did I? ;-)

Again, all I'm requesting is to conveniently download the .phar.sig, nothing more. The check must still be performed by the user of course.
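The flow discussed in this thread end to end, as an added example that is not the project's own install script: the installer-side part only fetches box.phar and box.phar.sig side by side, and the user-side part runs gpg --verify with the signer's fingerprint pinned, so a signature made by some other key is rejected even if it verifies. The release URL and the fingerprint are placeholders, not the project's values.

```python
"""Fetch a .phar with its detached signature, then verify it locally with gpg."""
import subprocess
import urllib.request
from pathlib import Path

# Placeholders (assumptions, not the project's real values).
RELEASE_BASE = "https://example.invalid/releases/latest/download/"
EXPECTED_FPR = "0000000000000000000000000000000000000000"  # signer's key fingerprint


def fetch_pair(base_url=RELEASE_BASE, dest_dir="."):
    """Installer side: download box.phar and box.phar.sig next to each other."""
    paths = {}
    for name in ("box.phar", "box.phar.sig"):
        dest = Path(dest_dir) / name
        urllib.request.urlretrieve(base_url + name, dest)
        paths[name] = dest
    return paths


def parse_gpg_status(status_text, expected_fpr):
    """Interpret 'gpg --status-fd' lines.

    Returns "valid", "wrong-key", "bad", "no-pubkey" or "unknown".
    GOODSIG alone is not enough: VALIDSIG carries the full fingerprint, which is
    compared against the pinned one so a signature from any other key is refused.
    """
    result = "unknown"
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "BADSIG":
            return "bad"
        if tag == "NO_PUBKEY":
            return "no-pubkey"
        if tag == "VALIDSIG":
            # fields[2]: fingerprint of the signing (sub)key; last field: primary key
            fprs = {fields[2].upper(), fields[-1].upper()}
            result = "valid" if expected_fpr.upper() in fprs else "wrong-key"
    return result


def verify_phar(phar, sig, expected_fpr=EXPECTED_FPR):
    """User side: run gpg --verify and classify the machine-readable status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), str(phar)],
        capture_output=True, text=True, check=False,
    )
    return parse_gpg_status(proc.stdout, expected_fpr)
```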

Development

No branches or pull requests

2 participants