OpenPrinting / system-config-printer

Graphical user interface for CUPS administration
GNU General Public License v2.0

GPG signatures for source validation #200

Closed NicoHood closed 3 years ago

NicoHood commented 3 years ago

As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of GNU/Linux distributions face is the difficulty of verifying the authenticity and the integrity of the source code. With GPG signatures it is possible for packagers to verify source code releases quickly and easily.

In order to securely package your software I am kindly requesting GPG signatures for the source tarballs. If you are not yet familiar with secure source code signing I recommend using GPGit which automates the process of secure source code signing and also has a quick start guide on GPG for learning how to use it manually.

Thanks in advance.

zdohnal commented 3 years ago

Hi @NicoHood,

thanks for the tip. I used the commands from your script for now (better to understand what needs to be done and how at first, then use scripts :) ).

I created a new release with attached signatures, I will not go for signing commits for now (I hope signing tarballs suffices). I checked the resulting tarballs via e.g.

gpg --verify system-config-printer-1.5.14.tar.bz2.asc system-config-printer-1.5.14.tar.bz2

and I got a good signature result. So IMO it is fixed, please feel free to check and let me know if there is a problem.

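A "Good signature" message from `gpg --verify` only proves that *some* key in the packager's keyring made the signature; a downstream packager also has to check that it was the maintainer's key. The following is an added example, not code from this issue thread, from system-config-printer or from GPGit: it parses the machine-readable `[GNUPG:]` status lines that GnuPG emits with `--status-fd` and accepts a tarball only when a single VALIDSIG line names a pinned primary-key fingerprint. The fingerprints, key IDs and status lines below are constructed for the example and are not the project's real release key.

```python
"""Pin a release-tarball signature to a known key instead of trusting
the exit status of ``gpg --verify`` alone.

Parses GnuPG's ``--status-fd`` output.  Relevant tokens:
  GOODSIG   <long-keyid> <user-id>        signature is good
  VALIDSIG  <sig-fpr> <date> <ts> <exp-ts> <ver> <rsv> <pk-algo>
            <hash-algo> <class> <primary-key-fpr>
  BADSIG / ERRSIG / NODATA / EXPSIG / EXPKEYSIG / REVKEYSIG   reject
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed fingerprint of the release key obtained out of band (e.g. from
# the maintainer in person or over a trusted channel).  Not a real key.
EXPECTED_PRIMARY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

REJECT_TOKENS = {"BADSIG", "ERRSIG", "NODATA", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    signer_fpr: Optional[str] = None


def evaluate_status(status_lines: List[str], expected_fpr: str) -> Verdict:
    """Accept only one good, non-expired, non-revoked signature whose
    primary key is the pinned one.  Subkey signatures are fine: VALIDSIG's
    last field carries the primary-key fingerprint for exactly this reason."""
    valid_sigs = []
    for raw in status_lines:
        line = raw.strip()
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable chatter, not a status token
        fields = line.split()
        keyword = fields[1]
        if keyword in REJECT_TOKENS:
            return Verdict(False, f"gpg reported {keyword}")
        if keyword == "VALIDSIG":
            sig_fpr = fields[2]
            primary_fpr = fields[11] if len(fields) > 11 else sig_fpr
            valid_sigs.append((sig_fpr, primary_fpr))
    if not valid_sigs:
        return Verdict(False, "no VALIDSIG line: signature missing or unverifiable")
    if len(valid_sigs) != 1:
        return Verdict(False, "unexpected number of signatures on a release tarball")
    sig_fpr, primary_fpr = valid_sigs[0]
    if primary_fpr.upper() != expected_fpr.replace(" ", "").upper():
        return Verdict(False, f"signed by unpinned key {primary_fpr}", sig_fpr)
    return Verdict(True, "good signature from pinned release key", sig_fpr)


def verify_tarball(tarball: str, signature: str, expected_fpr: str) -> Verdict:
    """Run gpg (must be installed) with status output on stdout and evaluate it."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True,
    )
    return evaluate_status(proc.stdout.splitlines(), expected_fpr)


# Constructed sample status output, shaped like real GnuPG output.
GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Example Maintainer <maint@example.org>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2021-03-01 "
    "1614556800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
]
BAD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 76543210FEDCBA98 Example Maintainer <maint@example.org>",
]
WRONG_KEY_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 1111111122222222 Someone Else <other@example.org>",
    "[GNUPG:] VALIDSIG AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD11111111 2021-03-01 "
    "1614556800 0 4 0 1 10 00 AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD11111111",
]

if __name__ == "__main__":
    for name, status in (("good", GOOD_STATUS), ("bad", BAD_STATUS),
                         ("wrong key", WRONG_KEY_STATUS)):
        print(name, "->", evaluate_status(status, EXPECTED_PRIMARY_FPR))
```

`verify_tarball` is the call a packager would wire into a build script, e.g. `verify_tarball("system-config-printer-1.5.14.tar.bz2", "system-config-printer-1.5.14.tar.bz2.asc", EXPECTED_PRIMARY_FPR)`, with the real maintainer fingerprint substituted; the parser is kept separate so it can be tested without a keyring.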
NicoHood commented 3 years ago

Nice! I told the maintainer to update the package, I assume it should work. Commit signing is not "required" but makes sense in general. Enabling is simple: git config --global commit.gpgsign true