How important is it to verify the signing certificate...
...of a file's SHA256 fingerprint? If I have my terminology correct here...
...of a file's SHA256 fingerprint? If I have my terminology correct here...
Depends on the context, I think. For me, I rarely do it for personal stuff. If I wanted to be perfect, I could do it, assuming a signature is available to verify, but I'm lazy. I would venture to say most folks don't do it either.
With that being said, where I have been consistent about doing it has been writing config management code at work. If I need to have it download an installer from an untrusted source, I can verify that I'm installing the same package on all servers by verifying the signature before installation. This doesn't always work well in all circumstances, though.
That's interesting and it's the same for me. But I just started wondering why we apply higher standards at work, when the effects for our personal stuff really affect us as individuals. Thinking about this further I think it's the perceived threat level and probably we want to deliver good work.