In order to verify integrity against (what seems like an increasing number of) supply-chain attacks, it would be beneficial to this project to cryptographically sign and hash files intended for remote use.
There are currently no protections in place, aside from HSTS'd HTTPS (which requires a visit to the site at least once before, assuming one is even using a caching client), to ensure that the content of the list has not been corrupted in transit or maliciously altered.
Personal recommendations:

- Publish a list of valid key/keys' full fingerprints on multiple channels, optionally with the ASCII-armored public key/keyring itself
  - This can be satisfied by publishing static versions of the fingerprint/key on publicsuffix.org that is not pulled from https://github.com/publicsuffix/publicsuffix.org (as the site itself is hosted via Google), and the key(s)/fingerprint(s) included somewhere within this (publicsuffix/list) repository (thus requiring two separate compromises to replace the key with an attacker's instead of only one)
- Have a vetting process for valid signers and keys
  - Signatures should not be made from DSA keys, or RSA keys <2048 bits
- Allow multiple signers to sign
- Sign the public_suffix_list.dat file using ASCII-armored detached signatures of at least SHA512 (if not a SHA3 algorithm) checksumming.
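A client-side verification routine for the scheme proposed in the issue, added here as an example (not code from the issue author or the publicsuffix project): it checks a sha512sum-style line, trusts only fingerprints published on both independent channels, vets keys against the DSA / RSA-under-2048 rule, and accepts a detached signature only after parsing gpg's status output. The list bytes, fingerprints, checksum line and gpg status line are constructed sample data; the VALIDSIG field layout and the OpenPGP algorithm ids (RSA 1, DSA 17, SHA-512 10) are the ones GnuPG and RFC 4880 document.

```python
import hashlib
import hmac
import re
# Constructed sample input (not real project data): downloaded list bytes, a
# sha512sum-style line for it, and key fingerprints published on two channels.
LIST_BYTES = b"// ===BEGIN ICANN DOMAINS===\ncom\nnet\n// ===END ICANN DOMAINS===\n"
CHECKSUM_LINE = hashlib.sha512(LIST_BYTES).hexdigest() + "  public_suffix_list.dat"
FPR_A = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed, on both channels
FPR_B = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"  # constructed, website only
SITE_FPRS, REPO_FPRS = {FPR_A, FPR_B}, {FPR_A}
# Constructed 'gpg --status-fd 1 --verify' output for a SHA-512 RSA signature.
STATUS_OK = f"[GNUPG:] VALIDSIG {FPR_A} 2024-01-01 1704067200 0 4 0 1 10 00 {FPR_A}\n"
VALIDSIG = re.compile(
    r"^\[GNUPG:\] VALIDSIG (\S+) \S+ \S+ \S+ \S+ \S+ (\d+) (\d+) \S+(?: (\S+))?")


def verify_checksum(data, checksum_line, filename):
    """Check data against a sha512sum-format line: '<128 hex chars>  <name>'."""
    digest, _, name = checksum_line.strip().partition("  ")
    if name.lstrip("*") != filename or len(digest) != 128:
        return False
    return hmac.compare_digest(hashlib.sha512(data).hexdigest(), digest.lower())


def trusted_fingerprints(site_fprs, repo_fprs):
    """Trust only keys advertised on both channels: replacing the key then
    needs two separate compromises instead of one."""
    return {f.upper() for f in site_fprs} & {f.upper() for f in repo_fprs}


def key_meets_policy(pub_record):
    """Vet a 'pub:' record from 'gpg --with-colons' (field 3 = key length,
    field 4 = OpenPGP algorithm id): reject DSA (17) and RSA (1) under 2048 bits."""
    fields = pub_record.split(":")
    if fields[0] != "pub":
        return False
    bits, algo = int(fields[2]), int(fields[3])
    return algo != 17 and not (algo == 1 and bits < 2048)


def signature_fingerprint(status_output, trusted):
    """Return the primary fingerprint of a VALIDSIG line that used SHA-512
    (hash id 10), was not made by a DSA key and is in the trusted set; else None."""
    for line in status_output.splitlines():
        if (m := VALIDSIG.match(line)) is None:
            continue
        fpr, pk_algo, hash_algo, primary = m.groups()
        if int(pk_algo) == 17 or int(hash_algo) != 10:
            continue
        key = (primary or fpr).upper()
        if key in trusted:
            return key
    return None
```

A real client would run `gpg --status-fd 1 --verify public_suffix_list.dat.asc public_suffix_list.dat` and feed its stdout to `signature_fingerprint`, rejecting the download if either check returns a negative result.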