I have a binary file and saved it on the GitHub release page. https://github.com/zono/bolt8/releases
To allow users to verify it, I saved the sha256sum and the signature (.asc).
However, I have a concern that if my GitHub account is hacked somehow, the sha256sum, the signature and my keybase.io account link (https://keybase.io/zono) could be replaced. As a result, users can't notice the fake binary.
Are there any solutions for that? What kinds of approaches are used in OSS projects?
* sign and sha256sum (on mac)
$ gpg -ba bolt8-node10-macos-x64
$ shasum -a 256 bolt8-node10-macos-x64
# save .asc and the checksum into github
* verify (on linux)
$ sha256sum bolt8-node10-macos-x64
$ curl https://keybase.io/zono/pgp_keys.asc | gpg --import
$ gpg --verify bolt8-node10-macos-x64.asc bolt8-node10-macos-x64
gpg: Signature made Mon 17 Jun 2019 09:59:55 PM JST using RSA key ID 6530E807
gpg: Good signature from "xxxxx"
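Added example, not part of the question or of the bolt8 project: a verification script for the user's side that treats the release page as untrusted. Since the checksum, the .asc file and the Keybase link all live where a compromised account can rewrite them, the only durable anchor is the signing key's full fingerprint obtained out-of-band (a pinned `PINNED_FPR`, shown here as a placeholder) and a local keyring that is not refreshed from the release page at verification time. The script also parses gpg's machine-readable `--status-fd` output for the `VALIDSIG` line rather than matching the human-readable "Good signature" text, because only `VALIDSIG` carries the full fingerprint; the 8-hex-digit key ID in the output above is far too short to identify a key. File names, the manifest format (`sha256sum`-style lines) and the keyring path are assumptions, and the status line used to exercise the parser is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the question): verify a downloaded release against
# a checksum manifest and a detached PGP signature, trusting only a key
# fingerprint that was pinned out-of-band, not whatever key a URL serves today.
set -u

# Full fingerprint of the release-signing key, obtained out-of-band.
# Placeholder value; the real one would be cross-checked between several
# independent places (project README, a signed git tag, Keybase), never
# copied from the same release page whose integrity is in question.
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# check_sha256 FILE MANIFEST
# MANIFEST holds "sha256sum"-style lines: "<hex>  <filename>" (a leading '*'
# marks binary mode and is ignored). Returns 0 only if FILE's digest equals the
# manifest entry for its basename. This catches a corrupted download; it does
# not catch a replaced binary, because an attacker who can swap the binary can
# swap the manifest too. The signature check below is what covers that case.
check_sha256() {
    file=$1; manifest=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$manifest")
    [ -n "$expected" ] || { echo "no manifest entry for $name" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# fingerprint_from_status STATUSFILE
# Extracts the signing key's fingerprint from gpg --status-fd output.
# VALIDSIG is emitted only for a cryptographically good signature and its
# third field is the full fingerprint; GOODSIG carries only a 64-bit key ID,
# and BADSIG / NO_PUBKEY yield nothing, so the function prints nothing.
fingerprint_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }' "$1"
}

# fingerprint_is_pinned FPR
# Case-insensitive comparison against the pinned fingerprint. An empty
# fingerprint (no VALIDSIG line) never matches.
fingerprint_is_pinned() {
    fpr=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    pin=$(printf '%s' "$PINNED_FPR" | tr '[:lower:]' '[:upper:]')
    [ -n "$fpr" ] && [ "$fpr" = "$pin" ]
}

# verify_release FILE SIGNATURE MANIFEST KEYRING
# KEYRING is an absolute path to a keyring populated once from an out-of-band
# source. gpg runs against it alone (--no-default-keyring), so nothing imported
# at verification time, e.g. a key fetched from a now-attacker-controlled
# Keybase link, can widen what counts as an acceptable signature.
verify_release() {
    file=$1; sig=$2; manifest=$3; keyring=$4
    check_sha256 "$file" "$manifest" || { echo "checksum mismatch: $file" >&2; return 1; }
    status=$(mktemp) || return 1
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --status-fd 3 --verify "$sig" "$file" 3>"$status" >/dev/null 2>&1
    fpr=$(fingerprint_from_status "$status")
    rm -f "$status"
    fingerprint_is_pinned "$fpr" || { echo "signature is not from the pinned key" >&2; return 1; }
    echo "OK: $file verified against pinned key $PINNED_FPR"
}

# Usage (file names assumed, matching the question's naming scheme):
#   PINNED_FPR=<fingerprint from README/signed tag> \
#   verify_release bolt8-node10-macos-x64 bolt8-node10-macos-x64.asc SHA256SUMS /path/to/bolt8-release.kbx
```

Populate the keyring once with `gpg --no-default-keyring --keyring /path/to/bolt8-release.kbx --import`, after checking that the imported key's fingerprint (`gpg --fingerprint`) equals the pinned value; from then on the release page can be rewritten freely without any download passing `verify_release`.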