Do Not trust verify

[fbrz76]

Pls,
to avoid using bad source code, how to verify downloaded source code to build is that released?

[anipaul2]

Pls, to avoid using bad source code, how to verify downloaded source code to build is that released?

Could you please elaborate on what you are trying to achieve? This will help me guide you more effectively.

[fbrz76]

Sure, i refer to something like that:
https://raspibolt.org/guide/bitcoin/electrum-server.html#build-from-source-code
In second section when about to verify the signature.

[orbitalturtle]

I agree, this would be a really nice feature to have :)

[d6n13l0l1v3r]

some additional reference I found in GitHub to sign a commit:

https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits

https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification

[sr-gi]

some additional reference I found in GitHub to sign a commit:

https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits

https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification

All commits need to be signed in order for PR to be merged in the repo. I think what the OP refers to is for the releases to be signed so we don't have to trust GH