Latest 3.12.0 release does not have GPG signature #5533
Comments
Hello @ainola!
@dyfer Thanks for also looking into the PGP signature for the source tarball. Can you please upload the public key with the ID Also, does it feature a signature by @mossheim, who has been signing the previous releases (this ensures an intact chain of trust from one developer to the next)?
Following up in a private conversation, it appears that the signature will not happen. For some background information on the script that creates the tarball and signature, please have a look at #4837. The PGP signature is created to provide downstream consumers with an assurance that the release has been created by you (e.g. "the release manager"). In the case where there are multiple developers issuing releases and PGP signatures are issued for releases, the PGP keys should be cross-signed (e.g. the keys have signed each other and the signatures are available on keyservers or on the individual's WKD). Alternatively (or additionally) one may add a section to the README or a dedicated document that states the expected developers who are responsible for creating releases and their respective PGP key IDs. In that case the first person (see TOFU) to sign releases (in this case @dyfer) would create that section, add themselves to it using a signed commit and only add additional entries using signed commits as well (people represented by additions to the document may then add/remove further entries themselves, etc.). This way it is easy for downstreams to spot who is expected to craft releases for the project and to follow up on the chain of trust (e.g. either through the document's history or the keys' signatures amongst one another).
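What the comment above asks of packagers, as an added example (not code from the SuperCollider project or from anyone in this thread): verify the detached .asc signature with gpg's machine-readable status output and accept the tarball only if the signing key's full fingerprint is on the project's documented list of release-manager keys. The fingerprints, names and the sample status lines are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the SuperCollider project. Accept a release tarball
# only if its detached .asc signature verifies AND the signing key is one the
# project documents as belonging to a release manager (README/trust document).
# The two fingerprints below are placeholders, not real developer keys.
EXPECTED_FPRS="AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111 BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"

# check_status STATUS_TEXT
# STATUS_TEXT is the output of 'gpg --status-fd 1 --verify'. Returns 0 only when
# a VALIDSIG line names an allowed signing-key or primary-key fingerprint and no
# failure status (BADSIG, ERRSIG, EXPKEYSIG, REVKEYSIG) appears. GOODSIG alone
# is not enough: it carries a short key ID, while VALIDSIG carries fingerprints.
check_status() {
    printf '%s\n' "$1" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) ' && return 1
    printf '%s\n' "$1" | awk -v allowed="$EXPECTED_FPRS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && (($3 in ok) || ($NF in ok)) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_release TARBALL  (expects TARBALL.asc beside it; needs gpg installed)
verify_release() {
    check_status "$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null)"
}

# Constructed gpg status output for three cases (not captured from real runs).
# 1. Valid signature by a documented release-manager key: accept.
STATUS_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAA1111AAAA1111 Release Manager (placeholder) <rm@example.invalid>
[GNUPG:] VALIDSIG AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111 2021-08-30 1630300000 0 4 0 1 10 00 AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# 2. Cryptographically valid, but signed by a key nobody in the project vouched for: reject.
STATUS_UNKNOWN_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CCCC3333CCCC3333 Somebody Else (placeholder) <x@example.invalid>
[GNUPG:] VALIDSIG CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333 2021-08-30 1630300000 0 4 0 1 10 00 CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333'
# 3. Tarball or signature altered in transit: reject.
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG AAAA1111AAAA1111 Release Manager (placeholder) <rm@example.invalid>'
```

In a packaging script, `verify_release path/to/release.tar.bz2 || exit 1` gates the build on both checks; case 2 is the one a plain `gpg --verify` exit status would let through.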
I've added my GPG public key to my GitHub account. I believe this solves this issue. I'd like to discuss changes to the README in a separate ticket. Feel free to reopen if I'm missing anything!
Replace the incumbent GPG signature with dyfer's. See supercollider/supercollider#5533 git-svn-id: file:///srv/repos/svn-community/svn@998336 9fca08f4-af9d-4005-b8df-a31f2cc04f65
Hello! Thanks for your work on releasing 3.12.0! Unlike 3.11.x, 3.12.0 does not feature an .asc file with which to verify downloads. Could that be added for packagers, please? Thanks!