A few more questions to consider:
1. do we also want to generate (and expose) signatures for source uploads, or just the binary files?
2. since we're exposing the computed signature for verification purposes, we need to document how to recompute the signature on the device itself, correct?