Closed: NicoHood closed this issue 6 years ago
Sorry for the delay, I was on vacation. Will work on this.
@walac any progress on that? twine creates beautiful signed releases on pypi (-i switch) and gpgit does the same for Github releases along with a general GPG guide. It would be nice if you can also sign this python module.
Cheers Nico
Hi, I configured signed commits some time ago, but didn't make any since then. Quite busy semester, left me a big backlog to handle, hopefully starting in July when things settle a bit in work.
I understand. You can sign an older release also with GPGit. Just run it with the same version tag and it will re-sign the specified tag :) Do it when you have time, but especially for the next release it is of high importance. Thanks
@walac The latest release 1.0.1 is not tagged on Github, nor GPG signed on pypi. Can you please tag it along with GPG signatures? Thanks.
Sorry, it was pushed by someone else to fix #180
Notice that signing every commit is unfeasible because of code coming from contributors and merge commits.
@walac @NicoHood I did no git tagging because of missing write access. @walac may you be so kind and add a tag?
@walac oh, just seen you already tagged. sorry for the noise
@walac it will be sufficient if you provide us with a gpg signed tarball. This can be done with twine using the -s option if I remember correctly. You need to make sure that the source of the tarball is what's in the git of course. You can also use my tool gpgit or do the signing manually. It's simple: https://github.com/NicoHood/gpgit
@NicoHood I wrote some code yesterday night to automate this, will push a 1.0.2 version with signed tarball soon (hopefully by this weekend).
I need to look at gpgit, it might not only be useful for PyUSB, but for things on my job too :)
@walac Thanks! I have updated the package with the signature of the fingerprint B04841AE800C1BF01FE1BC3D084C5584542E1574.
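The consumer side of what the two comments above describe (a detached GPG signature on the sdist, made by the key whose fingerprint was just posted), as an added example that is not part of this thread and not code from PyUSB, twine or gpgit. The point it makes is that `gpg --verify` exiting 0 only says *some* known key produced a good signature; a distribution packager also wants to pin the expected fingerprint, so the script parses gpg's `--status-fd` output and accepts only a `VALIDSIG` from that key (or a subkey of it). It assumes `gpg` is on PATH and the key has already been imported; the sample status lines are constructed to mimic gpg's machine-readable output and are included so the parser can be exercised without gpg.

```python
"""Verify a release tarball against a detached GPG signature, pinning the
expected signing key instead of trusting gpg's exit status alone.

Assumptions: `gpg` is installed and the maintainer's public key has been
imported (e.g. `gpg --recv-keys <fingerprint>`). The fingerprint is the one
posted in the thread above.
"""
import subprocess
import sys
from pathlib import Path

EXPECTED_FPR = "B04841AE800C1BF01FE1BC3D084C5584542E1574"

# Status keywords that mean the signature must be rejected outright.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_gpg_status(status_text, expected_fpr=EXPECTED_FPR):
    """Interpret `gpg --status-fd` output.

    Returns (ok, reason). ok is True only if gpg reported a VALIDSIG whose
    signing-key or primary-key fingerprint equals expected_fpr.
    """
    expected = expected_fpr.replace(" ", "").upper()
    validsig = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # not a status line (human-readable text goes to stderr)
        fields = line.split()
        keyword = fields[1]
        if keyword in REJECT:
            return False, f"gpg reported {keyword}"
        if keyword == "VALIDSIG":
            validsig = fields
    if validsig is None:
        return False, "no VALIDSIG line: signature not verified"
    # VALIDSIG <fpr> <date> <timestamp> <expire> <version> <reserved>
    #          <pubkey-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
    fprs = {validsig[2].upper()}
    if len(validsig) >= 12:
        fprs.add(validsig[11].upper())  # signature made by a subkey
    if expected not in fprs:
        return False, f"good signature, but from unexpected key {validsig[2]}"
    return True, f"valid signature from expected key {expected}"


def verify_release(tarball, signature, expected_fpr=EXPECTED_FPR):
    """Run gpg on the detached signature and apply the pinned-key check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify",
         str(signature), str(tarball)],
        capture_output=True, text=True, check=False,
    )
    # Decide from the status lines, not from proc.returncode alone: a non-zero
    # code only says that something went wrong, not what.
    return parse_gpg_status(proc.stdout, expected_fpr)


# Constructed sample status output, shaped like gpg's --status-fd lines.
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 084C5584542E1574 <uid omitted>
[GNUPG:] VALIDSIG B04841AE800C1BF01FE1BC3D084C5584542E1574 2018-06-17 1529234567 0 4 0 1 10 00 B04841AE800C1BF01FE1BC3D084C5584542E1574
[GNUPG:] TRUST_FULLY 0 pgp
"""
# Same key, but the signature was made by a (constructed) subkey.
SAMPLE_SUBKEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF <uid omitted>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-17 1529234567 0 4 0 1 10 00 B04841AE800C1BF01FE1BC3D084C5584542E1574
"""
# A good signature from some other imported key: gpg would exit 0, we reject.
SAMPLE_WRONG_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 <uid omitted>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2018-06-17 1529234567 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 084C5584542E1574 <uid omitted>
"""

if __name__ == "__main__":
    # Usage: python verify_release.py pyusb-1.0.2.tar.gz pyusb-1.0.2.tar.gz.asc
    ok, reason = verify_release(Path(sys.argv[1]), Path(sys.argv[2]))
    print(reason)
    sys.exit(0 if ok else 1)
```

Once the signature checks out, the remaining step from the comment above (the tarball must really be what is in git) is a content comparison: unpack the verified sdist next to `git archive <tag>` output and diff the trees, so that the signature attests to the same source the tag points at.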
As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of Linux distributions face is verifying the authenticity and the integrity of the source code.
The Arch Linux team would appreciate it if you would provide us GPG signatures in order to easily and quickly verify your source code releases.
Overview of the required tasks:
Additional Information:
Thanks.