Closed jericht closed 8 months ago
What was the problem/requirement? (What/Why)
We need to sign our GitHub release artifacts with gpg so that users can verify their downloads

What was the solution? (How)
Sign our GitHub release artifacts with gpg in our Release: Publish workflow and distribute the PGP signature files on the GitHub release page

What is the impact of this change?
Users can verify their downloads using our PGP signature files and public key

How was this change tested?
Verified this is working on my test repository (ping me for access if you don't have it)
Verified changing to printenv is working:

PRE-MERGE CHECKLIST
AWS_PGP_KEY_SECRET_ROLE secret has been added to the release environment
AWS_PGP_KEY_SECRET secret has been added to the release environment
mainline as a branch allowed to use release environment

Was this change documented?
No

Is this a breaking change?
No

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
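
One way a user could check a download against the PGP signature file and public key mentioned in the description above. This is an added example, not code from this pull request or the project's workflow; the function name `verify_release`, the file arguments and the pinned fingerprint are assumptions supplied by the caller.

```shell
# Added example (not the project's code): verify a downloaded release artifact
# against its detached PGP signature and a pinned key fingerprint.
# Usage: verify_release ARTIFACT SIGNATURE PUBKEY_FILE EXPECTED_FINGERPRINT
# The fingerprint must come from a channel other than the download itself.
verify_release() {
    local artifact sig pubkey expected home status signer
    artifact=$1; sig=$2; pubkey=$3
    # Normalise "abcd 1234 ..." style input to gpg's uppercase hex form.
    expected=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 2

    # Throwaway keyring: only the key imported below can satisfy the check,
    # never some other key that happens to be in ~/.gnupg.
    home=$(mktemp -d) || return 2
    chmod 700 "$home"

    # --status-fd 1 prints machine-readable lines on stdout; human-readable
    # messages go to stderr and are discarded.
    status=$(gpg --homedir "$home" --batch --quiet --import "$pubkey" 2>/dev/null &&
             gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$artifact" 2>/dev/null) || status=""
    gpgconf --homedir "$home" --kill all >/dev/null 2>&1 || true
    rm -rf "$home"

    # GOODSIG: the signature is valid and the key is neither expired nor
    # revoked. VALIDSIG: the last field is the primary key's fingerprint.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ "$signer" = "$expected" ]
}
```

The function returns 0 only when the signature is good and was made by the pinned key, so a valid signature from any other key is rejected.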