Feature proposition: signed msi/exe installers with GPG keys

A lot of important software, for example crypto wallets, has its releases signed by one or more GPG keys. This includes the Electrum wallet, VeraCrypt, and many, many others.

It would be nice for Duplicati to also be signed with recognizable and easy-to-verify GPG signatures.

That is already the case.

See this release for instance:

The last asset is:

duplicati-2.2.0.106_canary_2026-03-06.signatures.zip

This file contains the signatures for each of the files in the release, signed with GPG.

The public key is listed in the “security” tab, but is available here:
https://keys.openpgp.org/search?q=0xC20E90473DAC703D


That’s great! I didn’t notice it! I also can’t find the “security” tab anywhere.

It would be a good idea to stick the fingerprint (not key ID) on the download page, so that e.g. webarchive would archive the page with the FP visible, so it’s easy to verify in the future if it was tampered with.
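The check discussed in this thread, as an added example that is not part of any post above and is not Duplicati's own tooling: verify a detached signature and accept it only when the signing key matches a pinned full fingerprint rather than a key ID. The function names are hypothetical, the fingerprint is an argument you obtain out of band, and the signature and data file names are arguments because the thread does not describe the layout of the signatures zip.

```shell
#!/bin/sh
# Added example: pin a full fingerprint when verifying a detached GPG signature.

# Strip whitespace and an optional 0x prefix, then uppercase the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# check_status EXPECTED_FPR   (reads `gpg --status-fd` output on stdin)
# Returns 0: good signature from the pinned key.
#         1: no valid signature from that key, or a failure status was seen.
#         2: EXPECTED_FPR is not a 40-hex-digit (v4) fingerprint, e.g. a key ID.
check_status() {
    expected=$(normalize_fpr "$1")
    case "$expected" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        # Treat these as failure even when a VALIDSIG line is also present.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint,
        # the last field is the primary key fingerprint.
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_release_file EXPECTED_FPR SIGNATURE_FILE DATA_FILE
# Assumption: SIGNATURE_FILE is a detached signature taken from the
# signatures zip and DATA_FILE is the matching downloaded installer.
verify_release_file() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}
```

Passing only the 16-digit key ID from the keyserver URL is rejected with status 2, because two different keys can share a key ID while the full fingerprint identifies one key.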