Consider signing releases

[ottok]

Thanks for maintaining gitlab-ci-local!

This project uses rich releases at https://github.com/firecow/gitlab-ci-local/releases. Could you please consider also offering signatures alongside the tar.gz and other artifacts in your releases?

It is good practice in open source projects to publish cryptographic signatures alongside the tarball source releases, so that e.g. Linux distributions and other downstreams can use OpenPGP to verify the authenticity of the imported release.

This is not a hard requirement, just nice to have. Managing OpenPGP keys securely requires some effort. A good guide on the topic can be found at https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md/

[firecow]

Please provide a code block that signs and creates the right stuff in https://github.com/firecow/gitlab-ci-local/blob/master/publish-deb.

I already have a PGP key that I use to publish to the debian repository.

[ottok]

The publish-deb seems to be only about generating Debian packages, and the script seems correct.

Currently, the assets your GitHub releases announces are:

• linux.gz 36.1 MB
• macos.gz 29.2 MB
• win.gz 24.5 MB
• Source code (zip)
• Source code (tar.gz)

Where are these generated?

If I would generate these myself manually I would use the commands:

$ curl -LO https://github.com/firecow/gitlab-ci-local/archive/refs/tags/4.56.2.tar.gz
$ gpg -b --armor 4.56.2.tar.gz
gpg: using "CEE8DA88" as default secret key for signing
$ head 4.56.2.tar.gz.asc
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEmbRSsR88dMO0U+RvvthEn87o2ogFAmd69aAACgkQvthEn87o
2oinKA/+Jwn0BvmI8rnZfL5wab7CjLkchV1qr1wafOn+Ji/CrXDgiUILsTnWNZ/i
...

..but of course I can't reliably verify that curl gave me the authentic sources

[firecow]

Ah, the gz files are generated here https://github.com/firecow/gitlab-ci-local/blob/master/package.json#L12

[ottok]

Those lines look like they create the binaries. I guess the source .tar.gz is directly generated from GitHub. Maybe one can run locally `git archive --format=tar.gz 4.56.2 --output 4.56.2.tar.gz; gpg -b --armor 4.56.2.tar.gz` (not tested, just guessing).