distribution packages should be GPG signed

[SethTisue]

as suggested by @jarrodu at scala/scala-lang#463

[evancox10]

Good timing, I would really like to see this.

FYI, even though you decided "not to do checksums" and just do gpg, the way the process usually works is that the checksum is stored in a file, and then a signature is provided for that file. See the Ubuntu releases for an example. (Don't copy their lack of https, however :)

Generating the checksums is easy (sha256sum *.deb > checksums.txt), the hard part will be determining the security practices for the signing key. You might look into a HW solution like Yubikey. I have not used this for code signing but I think it would work well. There are numerous guides, here's a simple and straight-forward one: https://eclipsesource.com/blogs/2016/11/25/yubikey-code-signing-with-a-smart-card/

Thanks,
Evan

[NthPortal]

@evancox10 The jars are already signed when they're published to Maven Central (see 2.12.6 for example), so I assume there's already a key that can easily be used for this

[SethTisue]

@hamzaremmal since you're looking at related work for Scala 3, just FYI that this ticket exists and never attracted much attention 🤷

[SethTisue]

note that https://scala-lang.org/security/ exists now (since scala/scala-lang#1661), so we now have a central place where we can put information about this sort of thing