Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Signing release packages and downloads #13204

Closed
cebe opened this issue Dec 14, 2016 · 9 comments
Closed

Signing release packages and downloads #13204

cebe opened this issue Dec 14, 2016 · 9 comments
Labels
severity:security type:enhancement
Milestone
infrastructure

Comments

@cebe
Copy link
Member

cebe commented Dec 14, 2016
edited
Loading

You might have seen Github showing singed commits: https://github.com/blog/2144-gpg-signature-verification

Imo we should apply this to the releases, i.e. sign the release tag and also the uploaded tar files.
PHP does this already: http://php.net/downloads.php#gpg-7.1
And eventually also composer would check these signatures: composer/composer#4022

Related resources:
@cebe cebe added this to the website and infrastructure milestone Dec 14, 2016
@resurtm
Copy link
Contributor

resurtm commented Dec 14, 2016
edited
Loading

Nice find! ;-) @cebe, you guys could also mention in contributing docs/readme that commits can be signed by the users as well. I personally would be happy to see the core developers signing their commits on permanent basis. Looks like a very nice feature!

@SilverFire
Copy link
Member

SilverFire commented Dec 15, 2016
edited
Loading

I sign all my commits that have code changes: 88f2348 88f2348 7d494c1 437825b

cebe added a commit that referenced this issue Dec 27, 2016
@cebe
added GPG signing to release controller
abac692 
issue #13204
@andrewhowdencom
Copy link

Warning about unsigned commit: https://github.com/andrewhowdencom/git-hooks/blob/master/post-commit

Sign by default: https://github.com/andrewhowdencom/dotfiles/blob/master/.gitincludes#L7

@klimov-paul
Copy link
Member

klimov-paul commented Jan 18, 2017
edited
Loading

What will happen with PR merge commit created at GitHub side by 'merge' button?

@samdark
Copy link
Member

samdark commented Jan 18, 2017
edited
Loading

It's not being signed.

@cebe
Copy link
Member Author

cebe commented Jan 18, 2017

Also things you edit on github are not signed.

@samdark
Copy link
Member

samdark commented Aug 2, 2017

Closing since releases are now signed.

@samdark samdark closed this as completed Aug 2, 2017
@cebe
Copy link
Member Author

cebe commented Aug 3, 2017

They kind of are, but we provide no information for people to verify that. Should be added.

@cebe cebe reopened this Aug 3, 2017
@samdark samdark mentioned this issue Aug 3, 2017
Open
@samdark
Copy link
Member

samdark commented Aug 3, 2017

Moved to contrib repo.

@samdark samdark closed this as completed Aug 3, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
severity:security type:enhancement
Projects
None yet
Milestone
infrastructure
Development

No branches or pull requests
6 participants
@samdark @resurtm @cebe @klimov-paul @SilverFire @andrewhowdencom