Suggest use of PGP Validation on Mist Releases #546

Open
danielmcclure opened this Issue May 3, 2016 · 8 comments

Projects

None yet

6 participants

@danielmcclure

Thanks for developing and Mist and bringing on board earlier suggestions of issuing checksums with releases. I noticed that GitHub now allows for GPG verification of releases and believe this would be a great addition to the release cycle for software that interacts with so much value on a daily basis.

https://github.com/blog/2144-gpg-signature-verification

@luclu luclu referenced this issue May 4, 2016
Open

Improve Packaging and Distribution #561

8 of 19 tasks complete
@Nogreedy
Nogreedy commented May 17, 2016 edited

+1
Mist is great
Of course, we have MD5 hash to check validity but we need PGP Validation on Mist Releases.
Thanks @alexvandesande

@luclu luclu added the enhancement label May 18, 2016
@SecTec
SecTec commented Jun 14, 2016 edited

+1
The missing PGP verification prevents me from installing the Ethereum client.

@evertonfraga evertonfraga added this to the 0.8.3 milestone Aug 24, 2016
@evertonfraga evertonfraga self-assigned this Aug 24, 2016
@evertonfraga
Member

Wonderful.

I did my first signed commit and I'll definitely look into tagging the following releases (0.8.2 is already on the way, so hope to have it on following versions).

screenshot 2016-08-24 15 28 42

@luclu @alexvandesande @frozeman @hiddentao
Do you have any suggestions about managing a team GPG key, instead of signing from individual key?

@evertonfraga
Member

Done in 0.8.3. I'll bug everyone on the following releases so we keep having them verified.

Thanks @danielmcclure .

@danielmcclure
danielmcclure commented Sep 20, 2016 edited

Great to see signing in this version! To back up the key signing it would also be useful to have each of the developers public keys available to view on GitHub (not sure if I'm just missing this, I only see fingerprint) but also to have them listed on a third party such as the official Ethereum site so that new users can verify between platforms and both platforms would have to be compromised for somebody to sneak a rogue key in.

@luclu
Member
luclu commented Sep 23, 2016 edited

Infrastructure still not complete yet: #1184

@luclu luclu reopened this Sep 23, 2016
@maxme
maxme commented Sep 30, 2016

version 0.8.4 is not signed also I noticed tag naming inconsistency v0.8.4, 0.8.3

@evertonfraga
Member

@maxme As for the version naming, we changed to "v" prefix, in order to fit our new automated build process.

About PGP: I've signed the 0.8.3 tag manually. And 0.8.4 wasn't signed. work is being done in order to automate all those steps.

@luclu luclu modified the milestone: 0.8.6, 0.8.3 Oct 7, 2016
@evertonfraga evertonfraga modified the milestone: 0.8.6, 0.8.7, 0.8.8 Oct 24, 2016
@evertonfraga evertonfraga modified the milestone: 0.8.8, 0.9 Dec 16, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment