pyfa-org / Pyfa

Python fitting assistant, cross-platform fitting tool for EVE Online
GNU General Public License v3.0
1.6k stars 406 forks

Feature request: OpenPGP sign release assets #2427

Open ghost opened 2 years ago

ghost commented 2 years ago

It would be nice to have the release assets digitally signed as a way to mitigate against supply chain compromises (GitHub has been compromised numerous times).

A signed message containing the hash values for every released asset (zip files, tarball files and executables) would do.

blitzmann commented 2 years ago

Assets are always generated via AppVeyor and uploaded to GitHub releases (when building from a tagged release). I thought that the AppVeyor build was spitting out hash values of the files it generates, but apparently that's not the case, whoops...

Granted, I understand it's not a good idea to just print the hash on the build log and expect people to check it manually. Providing a checksum file is more appropriate. I don't have experience with digitally signing releases; I would assume we would take the files that we generate, sign them, add the sig file for the different assets to the release, and publish the public key?

Would need some research, currently the builds are self contained and I'm not sure if I can access assets from all builds at the end to sign.

Also PRs welcome if you have experience :D
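The flow sketched in the two comments above, written out as an added example that is not pyfa's own code or CI configuration. It follows ghost's variant (one checksum manifest covering every asset, signed once) rather than one signature per asset. The manifest names `SHA256SUMS` / `SHA256SUMS.asc`, the use of the `gpg` command-line tool on PATH with a signing key already in the keyring, and the sample asset files are all assumptions made for the example:

```python
"""Checksum manifest plus detached OpenPGP signature for release assets.

Added example, not pyfa's code. Assumed: manifest is named SHA256SUMS
(sha256sum-compatible format), its signature SHA256SUMS.asc, and the gpg
binary is on PATH with the signing key already imported.
"""
import hashlib
import subprocess
from pathlib import Path
from tempfile import mkdtemp

MANIFEST_NAME = "SHA256SUMS"  # assumed name; format matches `sha256sum` output


def sha256_file(path):
    """Stream the file through SHA-256 so large installers are not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(asset_dir):
    """Write '<hex>  <name>' for every regular file except the manifest and its signature."""
    asset_dir = Path(asset_dir)
    lines = []
    for p in sorted(asset_dir.iterdir()):
        if p.is_file() and p.name not in (MANIFEST_NAME, MANIFEST_NAME + ".asc"):
            lines.append(f"{sha256_file(p)}  {p.name}")
    manifest = asset_dir / MANIFEST_NAME
    manifest.write_text("\n".join(lines) + "\n")
    return manifest


def verify_manifest(manifest):
    """Recompute every hash and sort names into ok / modified / missing (what `sha256sum -c` does)."""
    manifest = Path(manifest)
    result = {"ok": [], "modified": [], "missing": []}
    for line in manifest.read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)
        name = name.lstrip("*")  # sha256sum's binary-mode marker, if present
        target = manifest.parent / name
        if not target.is_file():
            result["missing"].append(name)
        elif sha256_file(target) == expected.lower():
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    return result


def sign_manifest(manifest, key_id=None, gpg="gpg"):
    """Detached, ASCII-armoured signature beside the manifest; the .asc is uploaded as an asset too."""
    sig = Path(str(manifest) + ".asc")
    cmd = [gpg, "--batch", "--yes", "--armor", "--detach-sign", "--output", str(sig)]
    if key_id:
        cmd += ["--local-user", key_id]
    subprocess.run(cmd + [str(manifest)], check=True)
    return sig


def verify_signature(manifest, sig, expected_fingerprint, gpg="gpg"):
    """Exit status 0 only says 'some key in the keyring signed this'; pin the fingerprint instead."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", str(sig), str(manifest)],
        capture_output=True, text=True,
    )
    want = expected_fingerprint.replace(" ", "").upper()
    for line in proc.stdout.splitlines():
        fields = line.split()
        # VALIDSIG carries the signing-key fingerprint first and the primary-key fingerprint last
        if len(fields) > 2 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            if want in (fields[2].upper(), fields[-1].upper()):
                return True
    return False


def demo(signing_fingerprint=None):
    """Constructed release directory: verify, tamper with one asset, verify again."""
    d = Path(mkdtemp())
    (d / "pyfa-example-linux.tar.gz").write_bytes(b"hello")  # constructed stand-in assets
    (d / "pyfa-example-win.zip").write_bytes(b"not a real zip")
    manifest = write_manifest(d)
    out = {"manifest": manifest.read_text().splitlines(), "clean": verify_manifest(manifest)}
    (d / "pyfa-example-win.zip").write_bytes(b"not a real zip, plus a backdoor")
    out["tampered"] = verify_manifest(manifest)
    if signing_fingerprint:  # only runs when a real key fingerprint is supplied
        sig = sign_manifest(manifest, signing_fingerprint)
        out["signature_ok"] = verify_signature(manifest, sig, signing_fingerprint)
    return out


if __name__ == "__main__":
    print(demo())
```

The signing step only has value if verifiers pin the maintainers' key fingerprint (published somewhere other than the release page itself), which is why `verify_signature` reads gpg's `VALIDSIG` status line instead of trusting the exit code; an attacker who can replace the assets can just as easily replace an unsigned `SHA256SUMS`. Signing one manifest also means only the final job of the pipeline needs the private key, which sidesteps the question of reaching into every separate build.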