jpouellet / signify-osx

OS X port of OpenBSD's signify(1)
https://man.openbsd.org/signify.1
ISC License
21 stars, 4 forks

Please sign releases with OpenPGP key (#6)

Open: jonathancross opened this issue 5 years ago

jonathancross commented 5 years ago

Thank you for creating this project and getting it into Homebrew.

Considering this is security software used to bootstrap a new system for verifying digital signatures, it would be great if you could sign releases using an OpenPGP key in the Strong Set (which is well established).

Please let me know if I can help in any way.

jpouellet commented 5 years ago

I don't have a long-term identity key anymore, but if you really want I could create another single-purpose signing-only key just for this on a separate machine. It wouldn't be in the strong set, but I don't think that matters.

It's probably easier for people to just audit the entire non-upstream source of this project (only ~200 lines) than to thoroughly vet a pgp trust path (and more useful, since I may be malicious or that key may become compromised anyway).

If you want, you can create a signed annotated git tag using whatever key you like, and I'd happily push it here too. That offer stands for anyone who wants to. One benefit of an annotated tag (besides just containing a signature covering a git sha and timestamp) is that it could also contain whatever message you would like to claim regarding having audited the source and/or verified the keys. I think such a system of distributed verification is much preferable to a single author signature.
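The signed annotated tag described in the comment above, as an added example that is not part of this thread or of the signify-osx project: a throwaway repository and an ephemeral GnuPG key are constructed, a tag is signed with an audit message, the tag object is inspected to confirm that the signature covers the commit sha, the tagger timestamp and the message, and the tag is then replaced with an unsigned one to show that `git verify-tag` rejects it. The key identity, repository path and tag name are placeholders; the script assumes `git` and GnuPG 2.1 or later are installed.

```shell
#!/bin/sh
# Added example, not code from signify-osx or its author: create, inspect
# and verify a GPG-signed annotated git tag, then show that an unsigned
# replacement of the same tag fails verification. Requires git and gpg
# (GnuPG 2.1+). Key identity, repository and tag name are constructed.
set -eu

# demo_signed_tag: returns 0 when the signed tag verifies and the unsigned
# replacement is rejected; returns 1 on any other outcome.
demo_signed_tag() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"   # private keyring, nothing touches ~/.gnupg
    mkdir -m 700 "$GNUPGHOME"

    # Ephemeral signing-only key; the user id is a constructed placeholder.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Auditor Example <auditor@example.invalid>' \
        ed25519 sign never 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-secret-keys |
          awk -F: '/^fpr/ { print $10; exit }')

    # Throwaway repository with one commit standing in for a release.
    repo="$work/repo"
    git init -q "$repo"
    g() {
        git -C "$repo" -c user.name='Auditor Example' \
            -c user.email='auditor@example.invalid' \
            -c user.signingkey="$fpr" "$@"
    }
    g commit -q --allow-empty -m 'release snapshot'
    sha=$(g rev-parse HEAD)

    # Signed annotated tag. The message is where an auditor records what
    # was checked; the signature covers the whole tag object, i.e. the
    # commit sha, the tagger line (identity plus timestamp) and the message.
    g tag -s v0.0.0-audited -m 'Audited the non-upstream source of this release'
    g cat-file -p v0.0.0-audited | grep -q "^object $sha\$"   || return 1
    g cat-file -p v0.0.0-audited | grep -q '^tagger '         || return 1
    g cat-file -p v0.0.0-audited | grep -q 'BEGIN PGP SIGNATURE' || return 1

    # Verification succeeds only because the signing key is in this keyring;
    # a downstream verifier has to obtain and trust that key first.
    g verify-tag v0.0.0-audited 2>/dev/null || return 1

    # Replace the tag with an unsigned annotated tag on the same commit:
    # same name, same sha, no signature, so verification must now fail.
    g tag -f -a v0.0.0-audited -m 'unsigned replacement' "$sha" >/dev/null
    if g verify-tag v0.0.0-audited 2>/dev/null; then
        return 1
    fi
    return 0
}

demo_signed_tag && echo 'signed tag verified; unsigned replacement rejected'
```

Pushing such a tag (`git push origin v0.0.0-audited`) publishes the signature alongside the commit it vouches for; anyone who has imported the tagger's public key can rerun `git verify-tag` on their own clone.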

jonathancross commented 5 years ago

Unfortunately, I would not consider myself qualified to review this project. Therefore I am not sure if a git tag signed by me would make sense.

Creating a new PGP key and using that to sign commits / releases would be okay. It would be much better if it was eventually signed by others and entered the strong set; maybe you could sign it with the old key 0x6FAF9081685B922D (even if not actively used anymore)? If you still have the old private key, you could of course renew it.