misyltoad / frog-protocols

Add release archive signing script #7

Open serebit opened 1 month ago

serebit commented 1 month ago

When run, this script will pull down the .zip and .tar.gz that correspond to the tag on GitHub matching the version field in the meson.build file. It will then detached-sign both archive files with the system default GPG key, verify those signatures, and delete the archive files. What remains will look like this:

signatures/
├── 0.01.tar.gz.asc
└── 0.01.zip.asc

These signatures can then be uploaded as release artifacts for the corresponding tag to allow packagers to ensure the validity of the archives. A version of this script is used to sign Waycheck release archives.
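As an added example (not part of this pull request or the repository's script), here is a packager-side check of one of these detached signatures against a pinned key fingerprint, since `gpg --verify` alone accepts a good signature from any key in the keyring. The function names, fingerprints and sample status lines are constructed for illustration; the `signatures/<archive>.asc` layout follows the description above.

```shell
#!/bin/sh
# Added example: accept an archive only if its detached signature was made
# by a pinned key. All fingerprints below are constructed placeholders.

# Constructed sample of `gpg --status-fd 1 --verify` output (not real data).
# VALIDSIG carries the signing key fingerprint first, the primary key's last.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-01-01 1704067200 0 4 0 22 8 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01'

# Reads gpg status lines on stdin. Succeeds only if a VALIDSIG line names the
# pinned fingerprint ($1) as signing or primary key and no signature in the
# file is bad, unverifiable, or made by an expired or revoked key.
status_is_trusted() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# $1 = archive file (for example 0.01.tar.gz), $2 = pinned fingerprint.
# Expects the signature at signatures/<archive name>.asc.
verify_archive() {
    sig="signatures/$(basename "$1").asc"
    [ -f "$1" ] && [ -f "$sig" ] || return 2
    gpg --batch --status-fd 1 --verify "$sig" "$1" 2>/dev/null |
        status_is_trusted "$2"
}

# Stand-alone use: ./verify.sh 0.01.tar.gz <fingerprint>
if [ "$#" -eq 2 ]; then
    if verify_archive "$1" "$2"; then
        echo "OK: $1 is signed by the pinned key"
    else
        echo "FAIL: $1 is not validly signed by the pinned key" >&2
        exit 1
    fi
fi
```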