Sign releases
The releases should be signed + have a checksum to verify their integrity.
However this supposes to have our own building machines + a way to reproduce them on our own environement, so any allowed developer of Duniter organization could make a build.
Maybe we could use Vagrant or something to build the environement, then building scripts.