I’ve been thinking about this for a while now, and I’ve been asking myself this question.
I’ve always thought that a firewall is a key link in the security chain of a computer network, whether it’s for a home or a large business.
Its integrity must be guaranteed at every stage.
In this regard, I’ve always wondered why the program download page doesn’t display its digital signature to verify the integrity of the downloaded or installed program, as countless programs, even less important or critical than IPFire, do.
I want to clarify that my question is only intended to understand the reasoning and not to spark a controversy.
The SHA-256 checksum is displayed on the download page for the requested file.
This can be used to check the integrity of a downloaded file. But it can't prevent malicious fake versions; these can compute their own checksum.
To be sure, you must compare it to the checksum on the official page. But in that case you can just download the file from there.
The checksum assures integrity of files on mirrors, not validity of the download.
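To make the distinction between integrity and authenticity concrete, here is an added illustration (my own example, not IPFire project code and not anything taken from the download page). It verifies a file against a `sha256sum`-style checksum line and then plays through a constructed scenario: a "mirror" serves a tampered image together with a checksum computed from that tampered image, so the mirror's own checksum matches, while the checksum taken from the official page does not. The file names and contents are made up for the demo.

```python
"""Checksum verification demo: integrity vs. authenticity.

Added example, not IPFire project code. A SHA-256 checksum only proves that
the file you hold equals the file the checksum was taken from. If the same
untrusted source supplies both the file and the checksum, an attacker who
swapped the file can swap the checksum too; only a checksum obtained from
the trusted official page detects the swap.
"""
import hashlib
import hmac
import os
import re
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large ISO never has to fit in RAM


def sha256_file(path):
    """Stream the file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


# One line of `sha256sum` output: 64 hex chars, whitespace, optional '*' (binary mode), filename
_CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")


def parse_checksum_line(line):
    """Parse '<hex>  <filename>' as published by download pages; returns (hex, filename)."""
    m = _CHECKSUM_LINE.match(line)
    if not m:
        raise ValueError("not a SHA-256 checksum line: %r" % line)
    return m.group(1).lower(), m.group(2)


def verify_download(path, expected_hex):
    """True if the file's SHA-256 equals expected_hex.

    compare_digest is the idiomatic way to compare digests; the timing
    argument matters little for a local file check but costs nothing.
    """
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def demo():
    """Constructed scenario: genuine image vs. a mirror serving a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        # Hypothetical file names; contents are made-up placeholder bytes.
        official = os.path.join(d, "ipfire.iso")
        with open(official, "wb") as f:
            f.write(b"GENUINE IMAGE BYTES\n" * 1000)
        # Checksum line as the official download page would publish it
        official_line = "%s  ipfire.iso" % sha256_file(official)

        mirror = os.path.join(d, "ipfire-from-mirror.iso")
        with open(mirror, "wb") as f:
            f.write(b"TAMPERED IMAGE BYTES\n" * 1000)
        # Attacker controlling the mirror publishes a checksum of the tampered file next to it
        mirror_line = "%s  ipfire.iso" % sha256_file(mirror)

        official_hex, _ = parse_checksum_line(official_line)
        mirror_hex, _ = parse_checksum_line(mirror_line)
        return {
            # Checksum from the same untrusted source: matches, proves nothing
            "mirror_checksum_matches_mirror_file": verify_download(mirror, mirror_hex),
            # Checksum from the trusted official page: catches the swap
            "official_checksum_matches_mirror_file": verify_download(mirror, official_hex),
            # Sanity check on the genuine image
            "official_checksum_matches_official_file": verify_download(official, official_hex),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-42s %s" % (name, ok))
```

The takeaway is the one made above: the checksum is only as trustworthy as the place you got it from. A detached signature verified against a key obtained independently of the download is what would let a mirror download be trusted without fetching the file from the official page itself.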