-
Notifications
You must be signed in to change notification settings - Fork 479
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cryptographic signed commits and releases #288
Comments
Will discuss! Thanks for the report! |
I have wanted to suggest this for some time, but lacked references. For the record, I stole most of the text from this email post by fellow Debian developer Paul Wise: |
@jonassmedegaard, for the next release (2.2) we will try to create a signed release based on the steps in https://wiki.debian.org/Creating%20signed%20GitHub%20releases. |
Quoting Pascal Bühler (2017-10-27 12:29:05)
@jonassmedegaard, for the next release (2.2) we will try to create a
signed release based on the steps in
https://wiki.debian.org/Creating%20signed%20GitHub%20releases.
Awesome!
The key id that will be used, at least initially is
EF76B4CDB2A6BF541985C48CE70913DF61445490, available from
pool.sks-keyservers.net . I just wanted to inform you now in case you
have some input?
I am new to release signing myself, so cannot spot flaws in the
procedures ahead of time.
Suggestion: Make a prerelease and sign that as well. I'd be happy to
package that (for Debian experimental) with signature check enabled, so
that when you do the final release we check that the signature of the
previous (pre)release matches that of the final one.
In any case, if signing is flawed then simply correct it for next
release :-)
- Jonas
…--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
|
It would be great if there were electronic signatures (OpenPGP/etc)
of all git commits and tags and any zip files or tarballs you release,
so that distributors and users can verify the source code came from authors of this project
and wasn't modified by github or network attackers.
https://mikegerwitz.com/papers/git-horror-story
https://github.com/blog/2144-gpg-signature-verification
https://wiki.debian.org/Creating%20signed%20GitHub%20releases
https://wiki.debian.org/debian/watch#Cryptographic_signature_verification
The text was updated successfully, but these errors were encountered: