Feature request: GPG-signed release tarballs #193

Closed
yan12125 opened this issue Mar 19, 2018 · 4 comments

@yan12125

Since #42, release tags are signed. Could you consider also signing release tarballs? For example, create a signature expat-2.2.5.tar.bz2.asc for the release tarball expat-2.2.5.tar.bz2. That would help people who use plain HTTP instead of git to fetch libexpat.

@hartwork
Member

You'd still need to limit the set of allowed keys to sign, right? Else, someone could do MITM and sign using his own key and it would pass the valid signature test. Do you have that infrastructure in place?

@yan12125
Author

Yes. I'm building packages on Arch Linux, whose build system - makepkg - provides a feature to specify fingerprints for valid PGP keys for a package. See https://wiki.archlinux.org/index.php/PKGBUILD#validpgpkeys

@hartwork
Member

Seen in PKGBUILD files before, excellent. I'll see what I can do!

@hartwork hartwork added this to the 2.2.6 milestone Mar 21, 2018
@hartwork
Member

@yan12125 2.2.6 is the first release to come with a .asc file now. It was created using distribute.sh. If you run into any issues with that file please let me know.
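
The key-pinning check discussed in this thread, as an added example (not part of the original issue, and not the code of distribute.sh or makepkg): a detached signature is accepted only when gpg reports a valid signature from a fingerprint on an allow list. The fingerprints and the sample status line are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed placeholder, NOT the real libexpat release key fingerprint.
ALLOWED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of what `gpg --status-fd 1 --verify` prints for a good
# signature: field 3 is the signing (sub)key, field 12 the primary key.
SAMPLE_STATUS='[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2018-08-14 1534250000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# stdin: gpg status output. Prints the primary-key fingerprint of the single
# VALIDSIG line (falls back to the signing key's fingerprint). Fails when the
# signature is bad, expired, made by an expired/revoked key, or missing.
validsig_fpr() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { n++; fpr = (NF >= 12) ? $12 : $3 }
        END { if (bad || n != 1) exit 1; print fpr }'
}

# Exact-match the full fingerprint; short key IDs are never compared.
fpr_allowed() {
    for allowed in $ALLOWED_FPRS; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# stdin: gpg status output. Succeeds only for a valid signature by a pinned key.
check_status() {
    fpr=$(validsig_fpr) || return 1
    fpr_allowed "$fpr"
}

# verify_pinned TARBALL SIGNATURE: run gpg, then apply the pin to its status.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status
}

# Stand-alone use: sh verify.sh TARBALL TARBALL.asc
if [ "$#" -eq 2 ]; then
    verify_pinned "$1" "$2" || { echo "rejected: bad signature or key not pinned" >&2; exit 1; }
    echo "OK: signed by a pinned key"
fi
```

A signature made with any other key, including a cryptographically valid one from a man-in-the-middle's own key, fails `fpr_allowed` even though gpg itself reports it as good.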
