It has to be signed by a certificate for the original source domain, so its the same kind of security that TLS provides.
> It doesn't seem like there's a way to guarantee that the content was signed by the site on the package.
It seems to me it guarantees that the same way your browser guarantees that an HTTPS page was signed by the site on the URL.
It has to be signed by a certificate for the original source domain, so its the same kind of security that TLS provides.
> It doesn't seem like there's a way to guarantee that the content was signed by the site on the package.
It seems to me it guarantees that the same way your browser guarantees that an HTTPS page was signed by the site on the URL.