Suggest use of PGP Validation on Mist Releases #546

danielmcclure opened this Issue May 3, 2016 · 8 comments


None yet

6 participants


Thanks for developing and Mist and bringing on board earlier suggestions of issuing checksums with releases. I noticed that GitHub now allows for GPG verification of releases and believe this would be a great addition to the release cycle for software that interacts with so much value on a daily basis.

@luclu luclu referenced this issue May 4, 2016

Improve Packaging and Distribution #561

8 of 19 tasks complete
Nogreedy commented May 17, 2016 edited

Mist is great
Of course, we have MD5 hash to check validity but we need PGP Validation on Mist Releases.
Thanks @alexvandesande

@luclu luclu added the enhancement label May 18, 2016
SecTec commented Jun 14, 2016 edited

The missing PGP verification prevents me from installing the Ethereum client.

@evertonfraga evertonfraga added this to the 0.8.3 milestone Aug 24, 2016
@evertonfraga evertonfraga self-assigned this Aug 24, 2016


I did my first signed commit and I'll definitely look into tagging the following releases (0.8.2 is already on the way, so hope to have it on following versions).

screenshot 2016-08-24 15 28 42

@luclu @alexvandesande @frozeman @hiddentao
Do you have any suggestions about managing a team GPG key, instead of signing from individual key?


Done in 0.8.3. I'll bug everyone on the following releases so we keep having them verified.

Thanks @danielmcclure .

danielmcclure commented Sep 20, 2016 edited

Great to see signing in this version! To back up the key signing it would also be useful to have each of the developers public keys available to view on GitHub (not sure if I'm just missing this, I only see fingerprint) but also to have them listed on a third party such as the official Ethereum site so that new users can verify between platforms and both platforms would have to be compromised for somebody to sneak a rogue key in.

luclu commented Sep 23, 2016 edited

Infrastructure still not complete yet: #1184

@luclu luclu reopened this Sep 23, 2016
maxme commented Sep 30, 2016

version 0.8.4 is not signed also I noticed tag naming inconsistency v0.8.4, 0.8.3


@maxme As for the version naming, we changed to "v" prefix, in order to fit our new automated build process.

About PGP: I've signed the 0.8.3 tag manually. And 0.8.4 wasn't signed. work is being done in order to automate all those steps.

@luclu luclu modified the milestone: 0.8.6, 0.8.3 Oct 7, 2016
@evertonfraga evertonfraga modified the milestone: 0.8.6, 0.8.7, 0.8.8 Oct 24, 2016
@evertonfraga evertonfraga modified the milestone: 0.8.8, 0.9 Dec 16, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment