Starting today, all nCine-related repositories will feature verified commits on GitHub.
This allows anyone to confirm that changes to the codebase are authentic and originate from the project maintainer. The signing key is published on the site and can be found at the following page: GnuPG Public Key.
The associated private subkeys are stored on a hardware security token (a YubiKey 5C NFC), which ensures that the signing keys cannot be copied or extracted from the device.
This is part of an ongoing effort to strengthen the project’s supply chain integrity and provide long-term trust in the history of the repositories.
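One way to check a commit against the published key, as an added example that is not nCine's own code: it reads the machine-readable status from `git verify-commit --raw` and accepts a signature only when the primary key fingerprint matches a pinned value, which matters here because the signatures are made by subkeys. The pinned fingerprint is a placeholder and the sample status lines are constructed.

```python
import subprocess

# Placeholder, not the project's real value: use the primary-key fingerprint
# from the published GnuPG Public Key page.
PINNED_PRIMARY_FPR = "B" * 40

REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of `git verify-commit --raw` output (not a real signature).
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Maintainer <dev@example.invalid>",
    "[GNUPG:] VALIDSIG " + "A" * 40 + " 2025-01-01 1735689600 0 4 0 22 8 00 " + "B" * 40,
])

def check_status(status_text, pinned_fpr):
    """Return (ok, reason) for the GnuPG status lines of one signature."""
    pinned = pinned_fpr.replace(" ", "").upper()
    good, primary = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # args[0] is the key that made the signature (here a subkey);
            # the 10th argument, when present, is the primary key fingerprint.
            primary = (args[9] if len(args) >= 10 else args[0]).upper()
    if not good or primary is None:
        return False, "no valid signature"
    if primary != pinned:
        return False, "unexpected key " + primary
    return True, "ok"

def verify_commit(rev="HEAD", repo="."):
    """Run git on one commit and apply the pinned-fingerprint check."""
    proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", rev],
                          capture_output=True, text=True)
    ok, reason = check_status(proc.stderr, PINNED_PRIMARY_FPR)
    return (ok and proc.returncode == 0), reason

if __name__ == "__main__":
    print(verify_commit())
```

Pinning the subkey fingerprint instead would fail as soon as the maintainer rotates a signing subkey, while the primary fingerprint stays stable.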