I’m quite skeptical about downloading things from the internet to my MacBook. Is it possible to verify that the downloaded file is legitimate before fully installing it? (With a checksum or something?)
Thanks
Yes. We upload all assets to the release page together with checksums in files with the same name and the suffix .integrity. For most formats these are SHA256 hashes, which GitHub also generates for each file (so you can compare both with our file and the one provided by GitHub).
The binary code on macOS and Windows is also signed by a certificate from Digital Scholar. The JavaScript code (for Tropy that code is in an ASAR archive) is not signed independently, but we’re also planning to add an automatic integrity check there to help detect cases where the code in the archive has been changed after installation.
For Tropy you can also review the source code, the versions of dependencies used, and the build script on GitHub Actions, as well as the provenance of the release assets via the GitHub API.
Great! Thanks for your response.