Circularity in Verification Intergrity with Zig Official Repo

[lastironstar]

I wanted to use Zig to compile minisign on my system.
The official source files on https://ziglang.org/download/ are signed with minisign!
How to resolve this circular integrity check dependency?

[jedisct1]

Well, you need to start somewhere, just like in any signature chain. You should also trust the web browser you are going to use to download files, as well as your operating system and CPU.

Your operating system is likely to already have packages for Minisign, so since you already trust your OS and package manager, you can install Minisign that way.

There are pre-built binaries available for download at https://jedisct1.github.io/minisign/ -- If you trust your web browser and GitHub, you can install it from there, no need to compile anything.

If you feel like you're against a targeted attack, download the binary from multiple locations, using multiple computers, and check that the files are the same.