Closed krathalan closed 3 years ago
Thanks! That is a really good idea. I will definitely do that when a next release is due.
Yeah! But what key did you sign it with?
anders@desktop ~/downloads
> ls
viu-1.1.tar.gz viu-1.1.tar.gz.asc
anders@desktop ~/downloads
> gpg --verify viu-1.1.tar.gz.asc
gpg: assuming signed data in 'viu-1.1.tar.gz'
gpg: Signature made Fri 18 Sep 2020 01:25:26 PM PDT
gpg: using RSA key B195BADA40BEF20E4907A5AC628280A0217A7B0F
gpg: Can't check signature: No public key
anders@desktop ~/downloads
> gpg --recv-keys B195BADA40BEF20E4907A5AC628280A0217A7B0F
gpg: keyserver receive failed: No data
Did you upload your key to a keyserver? I can't find anywhere to get your public key (B195BADA40BEF20E4907A5AC628280A0217A7B0F).
Oh, I see. You should be able to fetch it now with recv-keys.
Still having issues with recv-keys.... sometimes keys can take a few days to percolate through all the different keyservers. I'll check again in a few days :)
That's a shame. Link to key
Works :) yay.
> gpg --verify viu-1.1.tar.gz.asc
gpg: assuming signed data in 'viu-1.1.tar.gz'
gpg: Signature made Fri 18 Sep 2020 01:25:26 PM PDT
gpg: using RSA key B195BADA40BEF20E4907A5AC628280A0217A7B0F
gpg: Good signature from "Atanas Yankov <atanas.yankov98@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B195 BADA 40BE F20E 4907 A5AC 6282 80A0 217A 7B0F
Not sure how familiar you are with GPG stuff, but the "WARNING" is okay as long as the "Good signature" message is present. You can read more about that here: https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key
You might also want to add a note in the README with your GPG fingerprint (B195BADA40BEF20E4907A5AC628280A0217A7B0F).
Awesome, thanks for the help. It looks like I need to do a deeper dive into GPG, it is quite interesting. More so when it "clicks", of course.
Added fingerprint in the readme and signatures for both tar.gz and binary. Thanks again!
It would be nice if you could sign release versions' source code .tar.gz (e.g. https://github.com/atanunq/viu/releases/tag/v1.0) with a PGP/GPG key and attach the signature to the tag. If you need help, the Arch wiki has a good section on it: https://wiki.archlinux.org/index.php/GPG#Signatures
You'd want a detached signature so that you can attach it as a separate file. You could also add signatures for the attached binary.
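The check the thread converges on (a detached signature, a "Good signature" line, and the fingerprint pinned in the README), as an added example that is not part of the original issue or of the viu project. The point it makes explicit: gpg's "WARNING: This key is not certified" is harmless only if you separately confirm which key signed the tarball, so the script compares the VALIDSIG fingerprint from `gpg --status-fd` against the pinned one instead of grepping the human-readable "Good signature" text. The key ID, UID and fingerprint are the ones quoted above; the status lines are constructed to mirror the two gpg runs in the thread, and the function names are this example's own.

```python
"""Check a detached GnuPG signature against a pinned fingerprint.

Added example for this thread; not code from the viu project. gpg's
"[unknown]" trust warning is fine only once you know *which* key signed
the file, which is what pinning the README fingerprint provides.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Fingerprint quoted in the thread (and added to the README).
VIU_FINGERPRINT = "B195BADA40BEF20E4907A5AC628280A0217A7B0F"

# Status tags that mean the signature must be rejected outright.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class SigResult:
    ok: bool
    fingerprint: Optional[str]  # primary-key fingerprint of the signer, if known
    reason: str


def normalize_fpr(fpr: str) -> str:
    """'B195 BADA ... 7B0F' (as gpg prints it) -> 'B195BADA...7B0F'."""
    return fpr.replace(" ", "").upper()


def parse_status(lines: List[str], pinned_fpr: str) -> SigResult:
    """Evaluate `gpg --status-fd` output against a pinned primary fingerprint.

    GOODSIG only carries a 64-bit key ID, which is too short to pin; the full
    fingerprint comes from VALIDSIG. TRUST_UNDEFINED (the [unknown] warning)
    is accepted because the pin, not the web of trust, identifies the signer.
    Lines without the "[GNUPG:]" prefix are human-readable and ignored.
    """
    pinned = normalize_fpr(pinned_fpr)
    good, fatal, primary_fpr = False, None, None
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "NO_PUBKEY":  # the first attempt in the thread
            return SigResult(False, None, "NO_PUBKEY")
        if tag in FATAL:
            fatal = fatal or tag
        elif tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            # VALIDSIG <sig-key fpr> <date> <ts> <expire> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <sig-class> [<primary fpr>]
            primary_fpr = fields[11] if len(fields) > 11 else fields[2]
        elif tag == "TRUST_NEVER":
            return SigResult(False, primary_fpr, "key marked never-trust")
    if fatal:
        return SigResult(False, None, fatal)
    if not good or primary_fpr is None:
        return SigResult(False, None, "no valid signature")
    if primary_fpr != pinned:
        return SigResult(False, primary_fpr, "fingerprint mismatch")
    return SigResult(True, primary_fpr, "good signature from pinned key")


def verify_detached(tarball: str, sig: str, pinned_fpr: str) -> SigResult:
    """User side: run gpg on a detached signature and apply the pin check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, tarball],
        capture_output=True, text=True,
    )
    return parse_status(proc.stdout.splitlines(), pinned_fpr)


def sign_detached(path: str) -> str:
    """Maintainer side: write an ASCII-armored detached signature to path + '.asc'."""
    out = path + ".asc"
    subprocess.run(["gpg", "--batch", "--yes", "--armor", "--detach-sign",
                    "--output", out, path], check=True)
    return out


# Constructed status output modelled on the successful run in the thread
# (key ID, UID and fingerprint from the page; the timestamp is the signature
# date converted to epoch; the remaining fields are illustrative).
SAMPLE_GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 628280A0217A7B0F Atanas Yankov <atanas.yankov98@gmail.com>",
    "[GNUPG:] VALIDSIG B195BADA40BEF20E4907A5AC628280A0217A7B0F 2020-09-18 "
    "1600460726 0 4 0 1 8 00 B195BADA40BEF20E4907A5AC628280A0217A7B0F",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

# Constructed: what the failed first attempt ("No public key") looks like.
SAMPLE_NO_PUBKEY_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 628280A0217A7B0F 1 8 00 1600460726 9 "
    "B195BADA40BEF20E4907A5AC628280A0217A7B0F",
    "[GNUPG:] NO_PUBKEY 628280A0217A7B0F",
]

if __name__ == "__main__":
    import sys
    res = verify_detached(sys.argv[1], sys.argv[2], VIU_FINGERPRINT)
    print(res)
    sys.exit(0 if res.ok else 1)
```

Run it as `python verify.py viu-1.1.tar.gz viu-1.1.tar.gz.asc`; a "Good signature" from any key other than the pinned one is reported as a mismatch, which is exactly the case the trust warning alone would not catch.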