sign SHA256SUM files. #3525

graingert · 2017-06-19T11:09:41Z

gpg --detach-sign SHA256SUMS

graingert · 2017-06-19T11:12:27Z

If it were not for the fact that

SHA256 file is still downloadable from https://downloads.wkhtmltopdf.org/0.12/0.12.3/

It would have been impossible to share files found from the web as a temporary solution for those needing the file in #3518

However with signed SHA256SUM files everyone would know the provenance of the files, even if wkhtmltopdf.org were totally down.

ashkulz · 2017-06-19T11:32:14Z

Is that still a concern now that it's on github? Most projects releasing on Github don't even publish checksums...

graingert · 2017-06-19T11:33:08Z

@ashkulz I think it's different for browsers.

ashkulz · 2017-06-19T17:22:45Z

I'd still have to publish the gpg key, deal with key rotation, etc. Makes sense for a bigger project, just not this one I feel...

ashkulz · 2018-06-10T13:09:07Z

0.12.5 was signed with a GPG key, and I'll sign the sha256sums file as well once the binaries are uploaded.

not sure how to share the key, is there a recommended practice for that?

ashkulz · 2018-06-12T08:39:14Z

Packages for 0.12.5 are available using signed checksums.

graingert changed the title ~~sign SHASUM files.~~ sign SHA256SUM files. Jun 19, 2017

ashkulz added this to the 0.12.5 milestone Jun 10, 2018

ashkulz added the Fixed label Jun 11, 2018

ashkulz closed this as completed Jun 11, 2018

Provide feedback