Originally Posted by knc1
Let us adopt the habit of having the author always provide a detached signature file that can be checked for authentic with a pgp or gpg public key.
All host OSs support that checking (with either the pgp or gpg applications) - so signature checking can be off-kindle ;
Each provider of an archive can use their own key pair ;
Each provider can post their public key of the pair in a trusted location - here or on a public gpg key server ;