Status: Closed (closed by matttbe 1 year ago)
GitHub Documentation: Signing tags
Debian Wiki: Creating signed GitHub releases
@ossama-othman: I see that the v0.10 release has been signed (there is a .sig file), thank you for that!
$ gpg --verify mptcpd-0.10.tar.gz.sig
gpg: assuming signed data in 'mptcpd-0.10.tar.gz'
gpg: Signature made Fri 24 Jun 2022 22:43:05 CEST
gpg: using RSA key CFD26ABD50BEDF3FC7E018403EF2B8C1B2BD215A
gpg: Can't check signature: No public key
I'm just confused now because this task is planned for v0.11. Do you still need to do more? What is probably missing is to publish the public key somewhere, e.g. wiki, doc, keyserver.ubuntu.com :-) (and maybe have this key signed by others :) )
@matttbe I was planning on adding a Makefile target to generate the .sig file, but I didn't get around to doing that for the v0.11 release. I also uploaded my public key to keyserver.ubuntu.com, but it hasn't been signed by anyone else yet.
Is your feature request related to a problem? Please describe.
According to the Debian guidelines, it is a good practice to sign all releases made by a project: git tags and tarballs.
Source: https://lintian.debian.org/tags/debian-watch-does-not-check-gpg-signature
Describe the solution you'd like
Sign git tags and tarballs. For the tarballs, please ideally use the same name + .sig or .sign (or similar).
Describe alternatives you've considered
It is a recommendation that seems to make sense, up to you ;-)
Additional context
It is common to see .sig or .sign files for projects strongly linked to the Linux kernel, e.g. iproute2, iwd, libnl, etc.
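The verification step shown in the gpg output above only tells a downstream user "good signature" or "no public key"; what a packager actually wants is to pin the release key and fail closed otherwise. The script below is an added example, not mptcpd's own tooling: it parses gpg's machine-readable status lines (`--status-fd`), pins the fingerprint printed in the gpg output above (assumed to have been obtained out of band), and treats the "No public key" case separately from a bad or wrong-key signature.

```shell
#!/bin/sh
# Added example: verify a detached .sig for a release tarball against a pinned key.
# EXPECTED_FPR is the fingerprint from the gpg output in this thread; in practice
# it must come from a trusted channel (project docs, a signed tag, a keysigning).
EXPECTED_FPR="CFD26ABD50BEDF3FC7E018403EF2B8C1B2BD215A"

# check_gpg_status: read "[GNUPG:] ..." status lines on stdin and return
#   0 = good signature from the pinned key
#   1 = bad signature, unexpected key, or no signature at all
#   2 = signing key not in the keyring (the "Can't check signature" case)
check_gpg_status() {
    expected="$1"
    status="$(cat)"
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] NO_PUBKEY '; then
        echo "missing public key: import the maintainer's key before trusting this release"
        return 2
    fi
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        echo "BAD signature: tarball or .sig does not match"
        return 1
    fi
    # VALIDSIG carries the full 40-hex-digit fingerprint of the signing key.
    # GOODSIG only shows the short key ID, which is too short to pin on.
    fpr="$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
    if [ -z "$fpr" ]; then
        echo "no valid signature found"
        return 1
    fi
    if [ "$fpr" != "$expected" ]; then
        echo "signed by unexpected key $fpr (expected $expected)"
        return 1
    fi
    echo "good signature from pinned key $fpr"
    return 0
}

# verify_tarball TARBALL SIG: run gpg and feed its status lines to the checker.
# Needs gpg installed and the maintainer's public key already imported.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$2" "$1" | check_gpg_status "$EXPECTED_FPR"
}

# Usage: verify_tarball mptcpd-0.10.tar.gz mptcpd-0.10.tar.gz.sig
```

The exit code of `verify_tarball` is the checker's, so a packaging script can simply `verify_tarball ... || exit 1`.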