Feature request: GPG-signed release tarballs #193
Since #42, release tags are signed. Could you consider also signing release tarballs? For example, create a signature expat-2.2.5.tar.bz2.asc for the release tarball expat-2.2.5.tar.bz2. That would help people who use plain HTTP instead of git to fetch libexpat.

Comments

You'd still need a way to limit the set of allowed keys to sign, right? Else, someone could do MITM and sign using his own key and it would pass the valid signature test. Do you have that infrastructure in place?

Yes. I'm building packages on Arch Linux, whose build system - makepkg - provides a feature to specify fingerprints for valid PGP keys for a package. See https://wiki.archlinux.org/index.php/PKGBUILD#validpgpkeys

Seen in PKGBUILD files before, excellent. I'll see what I can do!

@yan12125 2.2.6 is the first release to come with a .asc file now. It was created using
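The point raised in the thread is that "signature verifies" is not enough on its own: a downloader that swaps the tarball and its .asc for ones signed with an attacker's key still gets a GOODSIG from gpg if that key is in the keyring. The fix the commenters describe is to pin the allowed signing keys by fingerprint, as makepkg's validpgpkeys does. The following is an added example, not code from this issue, from libexpat or from makepkg: it parses gpg's machine-readable `--status-fd` output for a detached-signature verification and accepts the tarball only when the VALIDSIG line names a primary-key fingerprint from an allow-list. The allow-list value, the file names and the status lines fed to it are constructed placeholders, not real keys or real release data.

```python
import re
import subprocess
from typing import Iterable, Tuple

# Allow-list in the spirit of makepkg's validpgpkeys: full 40-hex-digit
# primary-key fingerprints. Constructed placeholder, NOT a real maintainer key.
VALIDPGPKEYS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
}

# gpg --status-fd emits one VALIDSIG line per good signature:
#   [GNUPG:] VALIDSIG <signing-key fpr> <date> <ts> <expire> <ver> <rsv>
#                     <pk-algo> <hash-algo> <class> <primary-key fpr>
# The last field is the primary key, which is what validpgpkeys-style lists pin
# (releases are often signed with a subkey, so the first fingerprint differs).
VALIDSIG_RE = re.compile(
    r"^\[GNUPG:\] VALIDSIG (?P<signing>[0-9A-Fa-f]{40}) .* (?P<primary>[0-9A-Fa-f]{40})$"
)

# Status tokens that mean verification must fail regardless of anything else.
FATAL_TOKENS = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")


def normalize_fingerprint(fpr: str) -> str:
    """Upper-case and strip spaces so 'ABCD 1234 ...' matches 'ABCD1234...'."""
    return fpr.replace(" ", "").upper()


def check_signature_status(status_lines: Iterable[str], allowed: Iterable[str]) -> Tuple[bool, str]:
    """Decide from gpg status output whether a tarball is acceptable.

    Returns (ok, reason). ok is True only when gpg reported at least one
    VALIDSIG whose primary-key fingerprint is in `allowed` and reported no
    fatal status. A good signature from an unlisted key is rejected, which is
    exactly the MITM case discussed in the thread.
    """
    allowed_set = {normalize_fingerprint(f) for f in allowed}
    pinned_valid = False

    for raw in status_lines:
        line = raw.rstrip("\n")
        if not line.startswith("[GNUPG:] "):
            continue  # gpg's human-readable chatter, if mixed in
        token = line.split(" ", 2)[1]
        if token in FATAL_TOKENS:
            return False, f"gpg reported {token}"
        m = VALIDSIG_RE.match(line)
        if m:
            primary = normalize_fingerprint(m.group("primary"))
            if primary in allowed_set:
                pinned_valid = True
            else:
                return False, f"valid signature but from unlisted primary key {primary}"

    if not pinned_valid:
        return False, "no valid signature from an allowed key"
    return True, "signature valid and signing key is allow-listed"


def gpg_verify_command(tarball: str, signature: str) -> list:
    """Build the gpg invocation; status goes to stdout so it can be parsed."""
    return ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball]


def verify_tarball(tarball: str, signature: str, allowed: Iterable[str] = VALIDPGPKEYS) -> Tuple[bool, str]:
    """Run gpg on a real detached signature and apply the allow-list check.

    Requires gpg on PATH and the signing key already imported into the keyring
    (that is how a PKGBUILD or a release-download script would be set up).
    """
    proc = subprocess.run(gpg_verify_command(tarball, signature),
                          capture_output=True, text=True, check=False)
    return check_signature_status(proc.stdout.splitlines(), allowed)


if __name__ == "__main__":
    # Example call; file names are placeholders modelled on the thread.
    ok, why = verify_tarball("expat-2.2.5.tar.bz2", "expat-2.2.5.tar.bz2.asc")
    print("ACCEPT" if ok else "REJECT", "-", why)
```

The decisive comparison is on the primary-key fingerprint from VALIDSIG, not on the key id in GOODSIG: short key ids are collidable, and `--status-fd` is the only gpg output that is stable enough to parse. The `return` on an unlisted key happens before any later VALIDSIG can rescue the result, so a file carrying two signatures, one trusted and one not, is still rejected.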