heftig closed this 1 year ago
I only signed the tags so far, but with the rebuilt subprojects the tarballs might become more important. I uploaded a signature and amended the release-steps. Thanks for the heads-up!
Can you make the public key that does the tarball signature available (yes it can be fetched via the various keyservers, but nowadays those are mostly broken and to be avoided) please?
ASCII-armored format in SECURITY.md would be fine, for example, so that it also shows up in the security tab.
There's a public key at https://github.com/dvdhrm.gpg
Yes, but what I mean is that it should be explicitly documented as "this is the public key for releases"
I added this information to our wiki front-page: https://github.com/bus1/dbus-broker/wiki#releases
Please provide detached GnuPG signatures for your tarballs instead of (or in addition to) mere sha256sums.
The latter only provides integrity protection, not authentication. Consumers of your releases might not be competent enough to audit the code to the point where its authenticity no longer matters.
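The verification side of what this thread asks for, as an added example that is not part of the issue or of the dbus-broker project: a consumer pins the release key from a documented file (such as the key published in SECURITY.md or the wiki) and its fingerprint, then checks the detached signature with `gpgv`, which is exactly what a bare sha256sum cannot give. The key, tarball and fingerprint are constructed in a throwaway GNUPGHOME; `gpg` and `gpgv` are assumed to be installed.

```shell
#!/bin/sh
# Verify a release tarball against its detached OpenPGP signature using a
# pinned release key read from a file (not a keyserver) and a pinned fingerprint.
set -eu

verify_release() {
  tarball=$1 sig=$2 keyfile=$3 expected_fpr=$4
  ring=$(mktemp)
  # Turn the published ASCII-armored key into a binary keyring gpgv can read
  gpg --batch --yes --dearmor --output "$ring" "$keyfile"
  # gpgv trusts every key in the keyring it is given, so a valid signature is not
  # enough: the primary-key fingerprint (last field of VALIDSIG) must also match.
  status=$(gpgv --keyring "$ring" --status-fd 1 "$sig" "$tarball" 2>/dev/null) || { rm -f "$ring"; return 1; }
  rm -f "$ring"
  got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $NF}')
  [ "$got" = "$expected_fpr" ]
}

demo() {
  work=$(mktemp -d)
  export GNUPGHOME="$work/gnupg"   # throwaway keyring; never touches the user's own
  mkdir -m 700 "$GNUPGHOME"
  # Constructed stand-in for the maintainer's release key (hypothetical UID)
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Example Release Key <releases@example.invalid>' ed25519 sign 0 2>/dev/null
  fpr=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr:/ {print $10; exit}')
  gpg --batch --armor --export > "$work/release-key.asc"   # what SECURITY.md would carry
  # Constructed "tarball" and the detached signature a maintainer would upload beside it
  printf 'release contents (constructed sample)\n' > "$work/release.tar.xz"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --detach-sign --armor --output "$work/release.tar.xz.asc" "$work/release.tar.xz"
  # Untouched tarball: signature and pinned fingerprint both check out
  verify_release "$work/release.tar.xz" "$work/release.tar.xz.asc" "$work/release-key.asc" "$fpr" || return 1
  # Modified tarball: a sha256sum published next to it could simply be regenerated,
  # but the detached signature no longer verifies
  printf 'x' >> "$work/release.tar.xz"
  if verify_release "$work/release.tar.xz" "$work/release.tar.xz.asc" "$work/release-key.asc" "$fpr"; then
    return 1
  fi
  rm -rf "$work"
}

demo && echo "signature verified; modified tarball rejected"
```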