The bws CLI releases include SHA256 checksums, but no cryptographic signatures (GPG, Sigstore/cosign, etc.).
Checksums verify integrity but not authenticity: if an attacker compromises the release, they can update the checksum file too. Signatures would let users verify that the artifacts were actually built and published by Bitwarden.
Common approaches:
- GPG-sign the checksum file with a published Bitwarden key
- Sigstore/cosign for keyless signing with transparency log
- GitHub artifact attestations
This is particularly relevant for the `curl | sh` install pattern, where users are trusting the full chain.
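To make the integrity-versus-authenticity point concrete, here is a small added model (not Bitwarden's code, and not a proposal to use raw ed25519 instead of GPG, cosign or attestations): a checksum-only check passes when an attacker swaps both the binary and the checksum file, while a check that requires a signature from a pinned publisher key over the checksum file does not. The artifact bytes, file names and key pair are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// release models what a user downloads: the binary, its checksum file,
// and (the requested addition) a publisher signature over that checksum file.
type release struct {
	artifact  []byte
	checksums []byte // "<hex sha256>  bws", as a SHA256SUMS-style file lists it
	signature []byte // ed25519 signature over checksums
}

// checksumFile renders the checksum file a release would ship for artifact.
func checksumFile(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return []byte(hex.EncodeToString(sum[:]) + "  bws\n")
}

// publish builds a release as the legitimate publisher would, signing the checksum file.
func publish(artifact []byte, priv ed25519.PrivateKey) release {
	sums := checksumFile(artifact)
	return release{artifact: artifact, checksums: sums, signature: ed25519.Sign(priv, sums)}
}

// tamper models an attacker who controls the release page: the binary is swapped
// and the checksum file regenerated, so a checksum-only check still passes.
// The old signature is left in place because the attacker lacks the publisher key.
func tamper(r release, evil []byte) release {
	return release{artifact: evil, checksums: checksumFile(evil), signature: r.signature}
}

// verifyChecksum is what users can do today: integrity against the shipped checksum file.
func verifyChecksum(r release) bool {
	return bytes.Equal(checksumFile(r.artifact), r.checksums)
}

// verifySigned additionally requires the checksum file to be signed by the pinned
// publisher key, so a regenerated checksum file is rejected.
func verifySigned(r release, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, r.checksums, r.signature) && verifyChecksum(r)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bad := tamper(publish([]byte("bws v1 binary"), priv), []byte("trojaned bws"))
	fmt.Println(verifyChecksum(bad), verifySigned(bad, pub)) // true false
}
```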