pyusb / pyusb

Easy USB access for Python
BSD 3-Clause "New" or "Revised" License

GPG signatures for source validation #161

Closed NicoHood closed 6 years ago

NicoHood commented 7 years ago

As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of Linux distributions face, is the difficulty to verify the authenticity and the integrity of the source code.

The Arch Linux team would appreciate it if you would provide us GPG signatures in order to verify easily and quickly of your source code releases.

Overview of the required tasks:

Additional Information:
Thanks.

walac commented 7 years ago

Sorry for the delay, I was on vacation. Will work on this.

NicoHood commented 7 years ago

@walac any progress on that? twine creates beautiful signed releases on pypi (-i switch) and gpgit does the same for Github releases along with a general GPG guide. It would be nice if you could also sign this python module.

Cheers Nico

walac commented 7 years ago

Hi, I configured signed commits some time ago, but didn't make any since then. Quite a busy semester left me a big backlog to handle; hopefully starting in July when things settle a bit at work.

NicoHood commented 7 years ago

I understand. You can also sign an older release with GPGit. Just run it with the same version tag and it will resign the specified tag :) Do it when you have time, but especially for the next release it is of high importance. Thanks

NicoHood commented 7 years ago

@walac The latest release 1.0.1 is not tagged on Github, nor GPG signed on pypi. Can you please tag it along with GPG signatures? Thanks.

walac commented 7 years ago

Sorry, it was pushed by someone else to fix #180

walac commented 7 years ago

Notice that signing every commit is unfeasible because of code coming from contributors and merge commits.

rnixx commented 7 years ago

@walac @NicoHood I did no git tagging because of missing write access. @walac would you be so kind as to add a tag?

rnixx commented 7 years ago

@walac oh, I just saw you already tagged. Sorry for the noise.

NicoHood commented 7 years ago

@walac it will be sufficient if you provide us with a GPG signed tarball. This can be done with twine using the -s option if I remember correctly. You need to make sure that the source of the tarball is what's in the git repository, of course. You can also use my tool gpgit or do the signing manually. It's simple: https://github.com/NicoHood/gpgit

walac commented 7 years ago

@NicoHood I wrote some code last night to automate this, will push a 1.0.2 version with a signed tarball soon (hopefully by this weekend).

I need to look at gpgit, it might not only be useful for PyUSB, but for things at my job too :)

NicoHood commented 6 years ago

@walac Thanks! I have updated the package with the signature of the fingerprint B04841AE800C1BF01FE1BC3D084C5584542E1574.
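The packager side of what this thread asks for, as an added example that is not pyusb or gpgit code: pin the fingerprint NicoHood posted and accept a release tarball only when gpg's machine-readable status output reports a good signature from that key, rather than trusting gpg's exit code alone. The sample status lines are constructed; `verify_tarball` assumes a `gpg` binary on PATH.

```python
import subprocess
from typing import Iterable, Optional, Tuple

# Fingerprint NicoHood posted in this thread, pinned the way validpgpkeys in a
# PKGBUILD pins it: a signature from any other key is rejected even if gpg
# itself reports it as good.
ALLOWED_FINGERPRINTS = {"B04841AE800C1BF01FE1BC3D084C5584542E1574"}

def check_status(status_lines: Iterable[str],
                 allowed=ALLOWED_FINGERPRINTS) -> Tuple[bool, Optional[str]]:
    """Evaluate gpg --status-fd output; return (accepted, primary fingerprint).
    Accept only on GOODSIG (so EXPKEYSIG/REVKEYSIG fail) plus a VALIDSIG whose
    signing-key fingerprint (field 3) or primary-key fingerprint (last field)
    is allow-listed."""
    goodsig, signing, primary = False, None, None
    for line in status_lines:
        f = line.split()
        if len(f) < 3 or f[0] != "[GNUPG:]":
            continue
        if f[1] == "GOODSIG":
            goodsig = True
        elif f[1] == "VALIDSIG":
            signing, primary = f[2], f[-1]
    return goodsig and bool({signing, primary} & allowed), primary

def verify_tarball(tarball: str, signature: str, allowed=ALLOWED_FINGERPRINTS):
    """Verify a release tarball against its detached .asc (needs gpg on PATH)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return check_status(proc.stdout.splitlines(), allowed)

# Constructed sample status lines (format per gpg's doc/DETAILS) so the check
# runs offline: an allow-listed key, an unknown key, and a revoked key.
_FPR = "B04841AE800C1BF01FE1BC3D084C5584542E1574"
_VALIDSIG = "[GNUPG:] VALIDSIG {0} 2017-10-02 1506902400 0 4 0 1 10 00 {0}"
SAMPLE_GOOD = [
    "[GNUPG:] GOODSIG 084C5584542E1574 Signer <signer@example.org>",
    _VALIDSIG.format(_FPR),
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_OTHER_KEY = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <else@example.org>",
    _VALIDSIG.format("0" * 24 + "0123456789ABCDEF"),
]
SAMPLE_REVOKED = [
    "[GNUPG:] REVKEYSIG 084C5584542E1574 Signer <signer@example.org>",
    _VALIDSIG.format(_FPR),
]
```

A packager would call `verify_tarball("pyusb-1.0.2.tar.gz", "pyusb-1.0.2.tar.gz.asc")` after importing the maintainer's key and treat anything but `(True, <pinned fingerprint>)` as a build failure.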