> They say a contributor key was compromised

This is an assumption: a binary was replaced with a malicious one, which should only be possible for people with write access. So far, nobody's account among those people seems compromised. And GitHub doesn't let you know who performed that action.

> How many contributors can make releases?

The release itself, I think everyone could do it. But the creation and signing of the binaries with the zkSNACKs key, of course, only by people with the key.

> Is the installer not signed?

It is. And the signature file wasn't replaced. People who verify signatures should have noticed it and not been a victim.
And then there is the possibility of a GitHub engineer. It would really be important to figure it out and a log of who did this would be essential to narrow down what happened and also for criminal investigations as the official account holder would be the first to ask. We cannot rule out people getting greedy or being psychopaths trying something funny to begin with.