Assistant: Removing signature from Torrent

By shipping a signature file directly in the Torrent, aren’t people downloading it more subject to possible downgrade attacks? In case a fake Torrent seeds an old ISO and an old signature file.

Shall we instead include in the Torrent a README and point to the ISO verification instructions on our website (HTTPS)?

Related issues

Related to #9043 (closed)
Related to #11019 (closed)
Related to #11127 (closed)

Original created by @sajolida on 8832 (Redmine)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information