Sure, but a signature doesn't prove that a particular binary came from a particular codebase - merely that a particular human (or other trusted entity, for varying degrees of "trusted") has vouched for it.
Being able to reproduce the binary from the source code and being able to verify that it's the same as the original is quite important in some contexts.
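The distinction drawn in the comment above, as an added example that is not part of the original post: a signature check passes for any artifact the key holder vouched for, while a rebuild-and-compare check ties the artifact to a specific source tree. The toy tar-based `build`, the HMAC used as a stand-in for a real signature scheme, and all names and sample sources are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
import tarfile

def build(source: dict[str, bytes]) -> bytes:
    """Toy deterministic 'build': same source in, byte-identical artifact out."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(source):          # fixed file ordering
            info = tarfile.TarInfo(name)
            info.size = len(source[name])
            info.mtime = 0                   # no build timestamps
            info.uid = info.gid = 0          # no builder identity
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(source[name]))
    return buf.getvalue()

def sign(key: bytes, artifact: bytes) -> str:
    # HMAC is a stand-in for a publisher signature (assumption for this example).
    return hmac.new(key, hashlib.sha256(artifact).digest(), hashlib.sha256).hexdigest()

def signature_ok(key: bytes, artifact: bytes, sig: str) -> bool:
    """Proves only that the key holder vouched for these exact bytes."""
    return hmac.compare_digest(sign(key, artifact), sig)

def reproduces(source: dict[str, bytes], artifact: bytes) -> bool:
    """Proves the artifact is what the given source tree builds to."""
    rebuilt = hashlib.sha256(build(source)).digest()
    return hmac.compare_digest(rebuilt, hashlib.sha256(artifact).digest())

def audit(key, published_source, artifact, sig):
    return signature_ok(key, artifact, sig), reproduces(published_source, artifact)

# Constructed sample data.
KEY = b"publisher-key-constructed-for-example"
PUBLISHED = {"main.c": b"int main(void){return 0;}\n"}
# Source actually used for the second release differs from what was published.
UNPUBLISHED = dict(PUBLISHED, **{"extra.c": b"void extra(void){}\n"})

honest = build(PUBLISHED)
divergent = build(UNPUBLISHED)

if __name__ == "__main__":
    print(audit(KEY, PUBLISHED, honest, sign(KEY, honest)))        # signed and reproducible
    print(audit(KEY, PUBLISHED, divergent, sign(KEY, divergent)))  # signed, not reproducible
```
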