jiangzd / memcached

Automatically exported from code.google.com/p/memcached
0 stars 0 forks source link

GPG signature for tar.gz releases #405

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Could you please provide GPG signatures for each of the .tar.gz releases as 
part of your release process?  It would be helpful for downstream distributors 
like the Fedora Project to quickly verify the integrity of their download if 
releases are signed by one of the prominent authors.

Example of Signing
==================
# gpg -a -b -s memcached-1.4.23.tar.gz

This creates a corresponding memcached-1.4.23.tar.gz.asc file.  Provide both 
the .tar.gz and a signature link for downloads for those who want to verify the 
integrity of the tarball.

Ideally the release manager or a prominent developer of the project would be 
the one signing the tarballs.  If they do not already have a GPG key, it would 
be a good time to create one now and announce the key signature to the 
community on the mailing list.

Example of Signing Identity
===========================
# gpg --fingerprint 0E604491
pub   2048R/0E604491 2013-04-30
      Key fingerprint = 8657 ABB2 60F0 56B1 E519  0839 D9C4 D26D 0E60 4491
uid                  Matt Caswell <matt@openssl.org>
uid                  Matt Caswell <frodo@baggins.org>
sub   2048R/E3C21B70 2013-04-30

This is one of the signers of openssl releases.

Example of Verification
=======================
http://openssl.org/source/
# wget http://openssl.org/source/openssl-1.0.2a.tar.gz
# wget http://openssl.org/source/openssl-1.0.2a.tar.gz.asc
# gpg --verify openssl-1.0.2a.tar.gz.asc
gpg: assuming signed data in `openssl-1.0.2a.tar.gz'
gpg: Signature made Thu 19 Mar 2015 03:31:21 AM HST using RSA key ID 0E604491
gpg: Good signature from "Matt Caswell <matt@openssl.org>"
gpg:                 aka "Matt Caswell <frodo@baggins.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner

Original issue reported on code.google.com by wtog...@gmail.com on 22 Apr 2015 at 7:18