bus1 / dbus-broker

Linux D-Bus Message Broker
https://github.com/bus1/dbus-broker/wiki
Apache License 2.0

Tarball signatures #298

Closed heftig closed 1 year ago

heftig commented 1 year ago

Please provide detached GnuPG signatures for your tarballs instead of (or in addition to) mere sha256sums.

The latter only provides integrity protection, not authentication. Consumers of your releases might not be competent enough to audit the code to the point its authenticity no longer matters.

dvdhrm commented 1 year ago

I only signed the tags so far, but with the rebuilt subprojects the tarballs might become more important. I uploaded a signature and amended the release-steps. Thanks for the heads-up!

bluca commented 1 year ago

Can you make the public key that does the tarball signature available (yes it can be fetched via the various keyservers, but nowadays those are mostly broken and to be avoided) please?

bluca commented 1 year ago

Armored ASCII format in SECURITY.md would be fine, for example, so that it also shows up in the security tab.

heftig commented 1 year ago

There's a public key at https://github.com/dvdhrm.gpg

bluca commented 1 year ago

Yes, but what I mean is that it should be explicitly documented as "this is the public key for releases"

dvdhrm commented 1 year ago

I added this information to our wiki front-page: https://github.com/bus1/dbus-broker/wiki#releases
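The distinction heftig draws above (a sha256sum file gives integrity only, a detached OpenPGP signature gives authentication) and bluca's point that the release key must be explicitly documented can both be shown end to end in a shell. The script below is an added example, not dbus-broker's own release tooling: it builds a constructed stand-in tarball, generates a throwaway maintainer key in one `GNUPGHOME`, publishes only the public key and its fingerprint (the "documented key"), and has a separate consumer `GNUPGHOME` verify a genuine and a substituted tarball. The file names, the demo key's user ID and the directory layout are assumptions of the example; it requires GnuPG 2.1+ and coreutils.

```shell
#!/bin/sh
# Added example (not dbus-broker's tooling). Contrasts a checksum file with a
# detached signature pinned to a documented key. Assumes gpg (GnuPG 2.1+).
set -u

WORK=$(mktemp -d)
MAINT="$WORK/maintainer"   # where the release key lives (never shipped)
CONS="$WORK/consumer"      # what a downstream packager has: public key only
mkdir -m 700 "$MAINT" "$CONS"

cleanup() {
    for h in "$MAINT" "$CONS"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Constructed stand-in for a release tarball (contents are not real).
write_tarball() { printf 'pretend this is dbus-broker-X.Y.tar.xz\n' > "$1"; }

# Integrity: sha256sum -c does catch accidental corruption of the download.
checksum_detects_corruption() {
    d="$WORK/mirror-corrupt"; mkdir -p "$d"
    write_tarball "$d/release.tar.xz"
    (cd "$d" && sha256sum release.tar.xz > SHA256SUMS)
    printf 'bit flip\n' >> "$d/release.tar.xz"
    ! (cd "$d" && sha256sum -c --quiet SHA256SUMS >/dev/null 2>&1)
}

# Not authentication: whoever can replace the tarball on a mirror can replace
# the checksum file beside it, and sha256sum -c still reports OK.
checksum_only_accepts_tampered() {
    d="$WORK/mirror-tampered"; mkdir -p "$d"
    write_tarball "$d/release.tar.xz"
    (cd "$d" && sha256sum release.tar.xz > SHA256SUMS)
    printf 'substituted contents\n' > "$d/release.tar.xz"   # substitution
    (cd "$d" && sha256sum release.tar.xz > SHA256SUMS)      # sums regenerated too
    (cd "$d" && sha256sum -c --quiet SHA256SUMS >/dev/null 2>&1)
}

# Maintainer side: throwaway signing key, exported public key, detached signature.
# Idempotent so the demo can be run more than once in the same WORK dir.
maintainer_sign() {
    [ -f "$WORK/documented-fpr" ] && return 0
    GNUPGHOME="$MAINT" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <demo@example.invalid>' ed25519 sign never || return 1
    fpr=$(GNUPGHOME="$MAINT" gpg --batch --with-colons --list-secret-keys \
          | awk -F: '/^fpr/ { print $10; exit }')
    [ -n "$fpr" ] || return 1
    # These two files are what the project publishes: key and its fingerprint.
    GNUPGHOME="$MAINT" gpg --batch --armor --export "$fpr" > "$WORK/release-key.asc"
    printf '%s\n' "$fpr" > "$WORK/documented-fpr"
    write_tarball "$WORK/release.tar.xz"
    GNUPGHOME="$MAINT" gpg --batch --yes --armor --local-user "$fpr" \
        -o "$WORK/release.tar.xz.asc" --detach-sign "$WORK/release.tar.xz"
}

# Consumer side: import only the documented key and require a VALIDSIG line
# for exactly that fingerprint. Relying on gpg's exit status alone would also
# accept a signature from any other key that happened to be in the keyring.
consumer_verify() {   # $1 = tarball to check against release.tar.xz.asc
    expected=$(cat "$WORK/documented-fpr")
    GNUPGHOME="$CONS" gpg --batch --quiet --import "$WORK/release-key.asc" 2>/dev/null
    GNUPGHOME="$CONS" gpg --batch --status-fd 1 --verify "$WORK/release.tar.xz.asc" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $expected "
}

# Genuine tarball must verify; a substituted one must not, since the attacker
# cannot produce a signature from the documented key.
signature_detects_tampering() {
    maintainer_sign >/dev/null 2>&1 || return 1
    consumer_verify "$WORK/release.tar.xz" || return 1
    cp "$WORK/release.tar.xz" "$WORK/tampered.tar.xz"
    printf 'substituted contents\n' >> "$WORK/tampered.tar.xz"
    ! consumer_verify "$WORK/tampered.tar.xz"
}

main() {
    checksum_detects_corruption   && echo "sha256sum -c: corrupted download REJECTED (integrity)"
    checksum_only_accepts_tampered && echo "sha256sum -c: substituted tarball + new sums ACCEPTED (no authentication)"
    signature_detects_tampering   && echo "gpg --verify pinned to documented key: genuine OK, substituted REJECTED"
}

if command -v gpg >/dev/null 2>&1; then main; else echo "gpg not found; demo skipped" >&2; fi
```

The consumer step is the part that depends on bluca's request: without a documented fingerprint to compare against, `VALIDSIG` from any key in the keyring looks the same, so the wiki entry at https://github.com/bus1/dbus-broker/wiki#releases is what turns a verifiable signature into a verified release.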