GPG signatures for source validation

[NicoHood]

As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of Linux distributions face, is the difficulty to verify the authenticity and the integrity of the source code.

The Arch Linux team would appreciate it if you would provide us GPG signatures in order to verify easily and quickly of your source code releases.

Overview of the required tasks:

• Please create and/or use a 4096-bit RSA keypair for the file signing
• The key may be used for email encryption too
• Keep your key secret, use a strong unique passphrase for the key
• Sign every new commit by default
• Sign new tags
• Verify the Github Release tarball download against your local source
• Sign Github Release tarballs

Additional Information:


• https://help.github.com/categories/gpg/
• https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
https://www.qubes-os.org/doc/verifying-signatures/
• https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https

Thanks.

[NicoHood]

Could you please sign the new release?

[NicoHood]

5.0 is out and still no GPG signatures. @aschnell could you please sign the release tarballs?

[NicoHood]

@jsrain any updates?