Please provide checksums and sign the eZ Publish Community Project xxxx.yy packages provided for download at http://share.ez.no/download-develop/downloads It would be nice to have that info also available within the package in a Checksum file or similar. Some infos about how and who will manage this role key is another nice to have.

This is only a bug about what is provided for downloads to end-users, not about codesigning during development, that would require more effort and will presumeably be easier to integrate somewhere after git release 1.7.8 (adding OpenPGP signatures in the commit object). If you want to address this, please file a seperate issue for it.

(I was tempted to call this a security bug and not an enhancement).