If you discover a security vulnerability in Tildr, please report it responsibly:
- Do not open a public GitHub issue for security vulnerabilities
- Email the maintainer directly or use GitHub's private vulnerability reporting
- Include a description of the vulnerability, steps to reproduce, and potential impact
- You should receive a response within 72 hours
We will work with you to understand and address the issue before any public disclosure.
For security-conscious users, we provide cryptographic signatures for all releases. This ensures that the binaries you download haven't been tampered with.
- GPG (GNU Privacy Guard) installed on your system
- The project's public GPG key imported in your system's keyring
To verify signatures, you first need to import the project's public key:
# Import the public key from a keyserver (e.g., keys.openpgp.org)
gpg --keyserver keys.openpgp.org --recv-keys E6A5CC75350F3DCE
# Or, download our public key at https://github.com/orbitbits/pubkey/blob/main/pubkey.asc
gpg --import pubkey.ascAfter downloading the binary and its signature file (.asc), verify the integrity:
# Download the binary and signature
# Example: tildr-0.1.0-x86_64 and SHA256SUMS.asc
# Verify the SHA256SUMS signature
gpg --verify SHA256SUMS.asc
# If valid, verify the binary against the checksums
sha256sum -c SHA256SUMS
# Both commands should show "Good signature" and "OK"- Authenticity: The release was created by project maintainers (verified by GPG signature)
- Integrity: The binary hasn't been modified or corrupted (verified by SHA256 checksum)
- Non-Repudiation: The maintainers can be held accountable for releases