Skip to content

Signed packages #99

New issue
New issue
Open
Open
Signed packages#99
Labels
enhancementNew feature or request
@scmcgowen

Description

@scmcgowen
scmcgowen
opened on Dec 1, 2025

I propose the ability to sign packages by providing an ed25519 digital signature as an additional file.
If there was a package called beanslib then you'd have:

  • beanslib.lua as the actual package manifest
  • beanslib.lua.sig as an ed25519 digital signature of beanslib.lua

I'm not sure how to handle distributing and verifying public keys, maybe the key could be remote-level and packages are signed by the remote's maintainer?

Packages should not require a signature, but if they do have one, and the signature is determined to not be valid, the package should be rejected on install and an error stating that the signature is invalid should be given to the user.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions