Improving external files integrity by implementing sha checksums and pgp keys #418
CarlosR759
started this conversation in
Ideas
-
Besides providing hashes for manual checking (which the majority of end users will not do), we should also consider code signing. There are organizations that offer this for free for open source projects, e.g. SignPath.
-
So, this is a feature for the long run, I guess, but if, for example, this repo starts to integrate more things than code (like game assets or compiled files), it's probably a good idea to have hashes of the files and be able to check the integrity with a PGP key, and to put all the information needed on a webpage or in the same repo. For example, if this repo in the long run is going to be able to provide a binary release for users to install, using CI/CD pipelines in GitHub Actions, maybe we can use the SHA checksum and the PGP key to check the integrity of the game. That way more people could be sure that the downloaded files are the right ones considered in the development process.
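The checksum half of the idea discussed above, as an added example that is not part of the thread or the project's code: it checks a release directory against a `sha256sum`-style manifest and reports tampered, missing and unlisted files. The function names, file names and sample data are constructed for illustration, and the manifest is assumed to have already passed PGP signature verification (for example with `gpg --verify`), since an unsigned manifest can be replaced along with the files it lists.

```python
import hashlib, pathlib, re, tempfile

LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")  # sha256sum output format

def parse_manifest(text):
    """Map relative path -> lowercase hex digest; reject malformed lines."""
    entries = {}
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        m = LINE.fullmatch(raw)
        if m is None:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large assets
            h.update(chunk)
    return h.hexdigest()

def verify_release(root, manifest_text):
    """Classify every file as ok / mismatch / missing / unlisted."""
    root = pathlib.Path(root).resolve()
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        target = (root / name).resolve()
        if root not in target.parents:  # entry points outside the release dir
            raise ValueError(f"path escapes release directory: {name!r}")
        status = "missing" if not target.is_file() else (
            "ok" if sha256_file(target) == digest else "mismatch")
        report[status].append(name)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unlisted"] = sorted(on_disk - expected.keys())  # shipped but never hashed
    return report

def demo():
    """Constructed sample release, modified after its manifest was written."""
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        (root / "assets").mkdir()
        (root / "game.bin").write_bytes(b"constructed binary")
        (root / "assets/map.dat").write_bytes(b"constructed asset")
        names = ("game.bin", "assets/map.dat")
        manifest = "".join(f"{sha256_file(root / n)}  {n}\n" for n in names)
        manifest += "0" * 64 + "  docs/readme.txt\n"  # listed but never shipped
        (root / "assets/map.dat").write_bytes(b"tampered asset")
        (root / "extra.bin").write_bytes(b"not in manifest")
        return verify_release(root, manifest)
```

A release should only be accepted when `mismatch`, `missing` and `unlisted` are all empty; the `unlisted` check matters because an extra file dropped next to verified ones would otherwise go unnoticed.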