atanunq / viu

Terminal image viewer with native support for iTerm and Kitty
MIT License

Provide PGP signatures for release versions #46

Closed krathalan closed 3 years ago

krathalan commented 4 years ago

It would be nice if you could sign the release versions' source code .tar.gz (e.g. https://github.com/atanunq/viu/releases/tag/v1.0) with a PGP/GPG key and attach the signature to the tag. If you need help, the Arch wiki has a good section on it: https://wiki.archlinux.org/index.php/GPG#Signatures

You'd want a detached signature so that you can attach it as a separate file. You could also add signatures for the attached binary.

atanunq commented 4 years ago

Thanks! That is a really good idea. I will definitely do that when a next release is due.

atanunq commented 3 years ago

Is this how you imagined it would look? v1.1

krathalan commented 3 years ago

Yeah! But what key did you sign it with?

 anders@desktop ~/downloads
 > ls
viu-1.1.tar.gz  viu-1.1.tar.gz.asc

 anders@desktop ~/downloads
 > gpg --verify viu-1.1.tar.gz.asc
gpg: assuming signed data in 'viu-1.1.tar.gz'
gpg: Signature made Fri 18 Sep 2020 01:25:26 PM PDT
gpg:                using RSA key B195BADA40BEF20E4907A5AC628280A0217A7B0F
gpg: Can't check signature: No public key

 X anders@desktop ~/downloads
 > gpg --recv-keys B195BADA40BEF20E4907A5AC628280A0217A7B0F
gpg: keyserver receive failed: No data

Did you upload your key to a keyserver? I can't find anywhere to get your public key (B195BADA40BEF20E4907A5AC628280A0217A7B0F).

atanunq commented 3 years ago

Oh, I see. You should be able to fetch it now with recv-keys.

krathalan commented 3 years ago

Still having issues with recv-keys.... sometimes keys can take a few days to percolate through all the different keyservers. I'll check again in a few days :)

atanunq commented 3 years ago

That's a shame. Link to key

krathalan commented 3 years ago

Works :) yay.

 > gpg --verify viu-1.1.tar.gz.asc
gpg: assuming signed data in 'viu-1.1.tar.gz'
gpg: Signature made Fri 18 Sep 2020 01:25:26 PM PDT
gpg:                using RSA key B195BADA40BEF20E4907A5AC628280A0217A7B0F
gpg: Good signature from "Atanas Yankov <atanas.yankov98@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B195 BADA 40BE F20E 4907  A5AC 6282 80A0 217A 7B0F

Not sure how familiar you are with GPG stuff, but the "WARNING" is okay as long as the "Good signature" message is present. You can read more about that here: https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key

You might also want to add a note in the README with your GPG fingerprint (B195BADA40BEF20E4907A5AC628280A0217A7B0F).
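The signing step requested at the top of the thread and the verification shown in this comment, as an added example that is not part of the issue or of viu's own tooling: a POSIX shell script that writes the detached signature, and on the consumer side reads gpg's machine-readable status so that a release is accepted only when the signing key's primary fingerprint matches the one quoted here, not merely when "Good signature" appears. It assumes gpg is installed, the script file name `relsig.sh` is hypothetical, and for signing the maintainer's private key is in the keyring.

```shell
#!/bin/sh
# Added example (not viu's own tooling): sign a release artefact with a detached
# signature and verify it by pinning the maintainer's fingerprint from the thread.
# Assumed: gpg is installed and, for signing, the private key is in the keyring.
EXPECTED_FPR="B195BADA40BEF20E4907A5AC628280A0217A7B0F"
# Maintainer side: detached, ASCII-armoured signature written to <artifact>.asc,
# the separate file that is uploaded next to the tarball or binary on the release page.
sign_release() {
    gpg --local-user "$EXPECTED_FPR" --armor --detach-sign --output "$1.asc" "$1"
}

# Consumer side, step one: the thread's "No public key" means the key never reached
# the local keyring; fetch it by full fingerprint (or import the README link) first.
fetch_key() {
    gpg --recv-keys "$EXPECTED_FPR"
}

# Reads gpg's machine-readable status lines from stdin. "Good signature" only says
# some key in the keyring signed the file; accept a release only when VALIDSIG names
# the expected primary-key fingerprint, so a stray imported key cannot pass.
check_status() {
    expected="$1"
    seen_fpr=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # Last field is the primary-key fingerprint; the field right after
                # VALIDSIG is the signing (sub)key and may differ from it.
                for word in $line; do seen_fpr="$word"; done
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1
                ;;
        esac
    done
    [ "$seen_fpr" = "$expected" ]
}

# Consumer side, step two: --status-fd 1 sends the parseable lines to stdout; the
# human-readable text (including the harmless "not certified" WARNING) stays on stderr.
verify_release() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Usage: relsig.sh sign viu-1.1.tar.gz | relsig.sh fetch | relsig.sh verify viu-1.1.tar.gz
case "${1:-}" in
    sign)   sign_release "$2" ;;
    fetch)  fetch_key ;;
    verify) verify_release "$2" && echo "OK: $2 signed by $EXPECTED_FPR" ;;
esac
```

Pinning the fingerprint this way is what makes the README note useful: a consumer compares against the published value instead of trusting whatever key happens to be in the keyring.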

atanunq commented 3 years ago

Awesome, thanks for the help. It looks like I need to do a deeper dive into GPG, it is quite interesting. More so when it "clicks", of course.

atanunq commented 3 years ago

Added fingerprint in the readme and signatures for both tar.gz and binary. Thanks again!