Why isn’t free software signed with self-signed certificates? [duplicate]
A majority of free software (in particular, Linux ports for Windows) is not signed.
As I understand it, it is quite easy to create a self-signed CA, and sign the software. Distribution would be handled by major free software players, like KDE, Gnome, or whoever is behind the software.
Why isn’t this standard practice?
Errata:
This question specifically concerns the practice of porting software from Linux to the Windows operating system, and the resulting (perceived) reduction in binary distribution security trust. More specifically, it addresses the practice of distributing binary versions of ported software and the resulting lack of “non-repudiation” as it pertains to digital security.
To rephrase the question: if binary distributions are offered for one platform, and the package source trust infrastructure is implemented, why is such infrastructure not applied to binary “ports”?
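As an added illustration (not code from the question or from any project it names), a Go sketch of the scheme the question proposes: a publisher key with no CA behind it, a detached signature over the binary's SHA-256 digest, and verification against whatever key the user already trusts. The names SignRelease and VerifyRelease and the sample bytes are assumptions. It shows what such a signature does and does not give you: it proves that the holder of a particular key signed these exact bytes, so the trust question moves to how the user obtained that key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Release is what a publisher would distribute: the binary plus a
// detached signature over its SHA-256 digest. No certificate chain is
// involved; the publisher's public key is the only trust anchor.
type Release struct {
	Binary    []byte
	Signature []byte
}

// SignRelease signs the digest of the binary with the publisher's private key.
func SignRelease(priv ed25519.PrivateKey, binary []byte) Release {
	digest := sha256.Sum256(binary)
	return Release{Binary: binary, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyRelease checks the release against the key the verifier already
// trusts (obtained out of band: a package index, a pinned key, a website).
func VerifyRelease(trusted ed25519.PublicKey, r Release) error {
	digest := sha256.Sum256(r.Binary)
	if !ed25519.Verify(trusted, digest[:], r.Signature) {
		return errors.New("signature does not verify under the trusted key")
	}
	return nil
}

func main() {
	// Constructed sample: a "publisher" key pair and a stand-in binary.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rel := SignRelease(priv, []byte("constructed sample binary"))
	fmt.Println("genuine release:", VerifyRelease(pub, rel)) // <nil>

	// Any change to the bytes after signing is detected.
	tampered := Release{Binary: []byte("constructed sample binary, modified"), Signature: rel.Signature}
	fmt.Println("tampered release:", VerifyRelease(pub, tampered)) // error

	// A second, unrelated key verifies its own releases just as well:
	// nothing in the signature itself says which key is the real publisher.
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("other publisher, own key:", VerifyRelease(otherPub, SignRelease(otherPriv, rel.Binary))) // <nil>
	fmt.Println("other publisher, our trusted key:", VerifyRelease(pub, SignRelease(otherPriv, rel.Binary))) // error
}
```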