Releases, code should be digitally signed #3480

Open
sanmai-NL opened this issue May 19, 2016 · 6 comments

sanmai-NL (Contributor) commented May 19, 2016

Apparently the releases, e.g. the latest 1.7.1, are not being signed, neither the Git tags nor the artifacts (executables). This reduces the confidence users can have in the integrity of your release process.

TotallyPro commented Jul 25, 2017

This issue clearly deserves a higher significance, not a feature but a requirement!
Anyone security conscious will, and should, have serious questions about credibility when missing...

damianb commented Apr 12, 2019

Having no way to verify a binary as being official via a cryptographic signature (e.g. GPG) and then having instructions for users to install by using sudo, curl altogether blindly is a blatant disregard for best practices for software distribution.

At minimum, please start signing release binaries. No way can I or many others pull in docker-compose from a random URI (HTTPS or not) without some way of verifying who built the binary in the first place.

stale bot commented Oct 9, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bot added the stale label Oct 9, 2019

sanmai-NL (Contributor, Author) commented Oct 10, 2019

Activity.

stale bot commented Oct 10, 2019

This issue has been automatically marked as not stale anymore due to the recent activity.

stale bot removed the stale label Oct 10, 2019

ndeloof (Contributor) commented Oct 10, 2019

5 participants