Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

no more signed releases? #3858

Closed
dvzrv opened this issue Oct 17, 2020 · 2 comments
Closed

no more signed releases? #3858

dvzrv opened this issue Oct 17, 2020 · 2 comments

Comments

@dvzrv
Copy link

dvzrv commented Oct 17, 2020

Hi! I'm currently rebuilding the 3.8.1 release for Arch Linux.

@marcusmueller Is there a reason why since 3.8.0.0 there have not been a) signed tags and b) signed release assets?

From a supply chain attack point-of-view this is currently a rather suboptimal situation. :-/
Do you plan on providing signed release assets in the future or do you drop this?
@maitbot
Copy link
Contributor

maitbot commented Oct 21, 2020

Prefer gpg detached sigs of the Release Asset tarballs with a .asc extension:
gnuradio-3.8.2.0.tar.xz -> gnuradio-3.8.2.0.tar.xz.asc

That would make uscan happy. Debian tooling likes a happy uscan.
(The sha256 and sha256.sig are not so helpful and can be dropped.)

@marcusmueller
Copy link
Member

Is there a reason why since 3.8.0.0 there have not been a) signed tags and b) signed release assets?

Hardware failure in secure key storage device and subsequent inability to access the master signing key nor derived keys. Aka, maintainer fail on my side.

Yes, I plan to re-establish this.

@dvzrv dvzrv closed this as completed Oct 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dvzrv @marcusmueller @maitbot