It would be useful for downloadable applications for Bitwarden to come with PGP signatures so users can verify the authenticity and integrity of the downloaded software.
In some cases (such as .AppImage Linux distributions) you can also embed the signature. This appears to be missing from the currently downloadable version.
    $ ./Bitwarden-1.28.3-x86_64.AppImage --appimage-signature
    $
As Bitwarden’s compiled/distributed applications are for a security-sensitive purpose, I think it is essential that proper signing is in place. This happens with many other security-sensitive applications already.
At bare minimum I’d suggest checksums for the downloadable software. If the user trusts their OS, browser, HTTPS and the bitwarden.com servers, this provides some assurance that the download is correct.
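
One way to check for the embedded signature mentioned in the post without executing the downloaded file, as an added example (not part of the original post and not Bitwarden's or the AppImage project's code): it reads the ELF section table directly. It assumes a 64-bit little-endian type-2 AppImage whose signature is stored in the `.sha256_sig` section; the function names are illustrative.

```python
import struct
import sys

# Assumption: type-2 AppImages keep the embedded signature in this ELF section.
SIG_SECTION = ".sha256_sig"
SHT_NOBITS = 8  # section type that occupies no bytes in the file


def elf_sections(data):
    """Map section name -> raw bytes for a little-endian ELF64 image."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    if e_shstrndx >= e_shnum:
        raise ValueError("no usable section name table")

    def header(i):
        # Fields: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        return struct.unpack_from("<IIQQQQ", data, e_shoff + i * e_shentsize)

    str_off, str_size = header(e_shstrndx)[4:6]
    strtab = data[str_off:str_off + str_size]
    sections = {}
    for i in range(e_shnum):
        name_off, sh_type, _, _, off, size = header(i)
        name = strtab[name_off:].split(b"\0", 1)[0].decode("ascii", "replace")
        sections[name] = b"" if sh_type == SHT_NOBITS else data[off:off + size]
    return sections


def embedded_signature(data):
    """Return the embedded signature bytes, or None if the file carries none.

    A reserved but zero-filled section counts as unsigned.
    """
    blob = elf_sections(data).get(SIG_SECTION, b"").rstrip(b"\0")
    return blob or None


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        sig = embedded_signature(fh.read())
    print("no embedded signature" if sig is None
          else sig.decode("ascii", "replace"))
```

A non-empty result only shows that a signature is present; it still has to be verified against a public key obtained through a trusted channel.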