gpg-sign index files
With fdroid gpgsign
, we already have all the infrastructure in place to gpg-sign files in the repo. The unsigned index files could also be gpg-signed to provide a verification method that could be much easier on some platforms. For example, index-v1.json.asc would be much easier to verify on Debian, since gpg is guaranteed to be there.
This would also mean changing things so that index-v1.json is published.