matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

GnuPG-signed releases #2036

Open sim6 opened 7 years ago

sim6 commented 7 years ago

Please, could you provide GnuPG-signed releases?

https://wiki.debian.org/Creating%20signed%20GitHub%20releases

Half-Shot commented 7 years ago

Releases are signed. [Screenshot from 2017-03-21 19-42-46]

sim6 commented 7 years ago

Yes, you signed the git tag. But I cannot find the signature of the tar.gz.

Half-Shot commented 7 years ago

GitHub handles tar.gz's automatically. You'd need @erikjohnston to manually upload each one and sign it himself.

richvdh commented 7 years ago

To be fair, we sorted this for Riot. You can just upload the sig and let GitHub build the tgz.

Half-Shot commented 7 years ago

Oh neat, didn't know GH did this. I think that's a fair and easy request then :smile:

cyphar commented 5 years ago

Any update on this? New releases still don't have PGP signatures for the tarballs. For context, I'm updating the matrix-synapse package on openSUSE and our build system supports checking PGP signatures on source archives which would allow us to provide more assurance to our users that the archives we use for building actually come from the Matrix project.