2024-01-13 UTC
# sknebel e.g. if you look at software repositories, like the one Debian/Ubuntu use for apt, there the index files that list all the files and their hashes. and then the index files are signed with GPG so you can verify that the index file has been transmitted unmodified from the release maintainer, and can check the same for future updates (where the hash obviously wouldnt be known yet)