raboof / nethogs

Linux 'net top' tool
GNU General Public License v2.0

Signature tarball #209

Open kretcheu opened 2 years ago

kretcheu commented 2 years ago

Hi,

could you sign the tarball of the 0.8.6 release?

Thanks.

raboof commented 2 years ago

Tags are signed, so if you want verified sources I suggest you check out the repo. It'd be neat if GitHub would sign the tarballs they provide, but it looks like they don't. I'm not planning to publish my own tarballs. Does that work for you?

kretcheu commented 2 years ago

Hi, it's not mandatory, but it is good practice.

In Debian packaging, the build "robots" fetch the signed tarball and verify the signature.

There is a guide here: https://wiki.debian.org/Creating%20signed%20GitHub%20releases

Thanks.

raboof commented 2 years ago

I think if you want to 'verify whether what they received matches the same tarball you have released' I'd recommend you check out the tag from git and verify the signature on the tag, rather than getting the tarball. Signing both the tag and the tarball just provides opportunity for the two to get out of sync...

kretcheu commented 2 years ago

Thanks Raboof,

for my particular use it's OK, it works fine. However, when I maintain nethogs in the Debian archive, the procedure is normally the one I sent you.

I don't know if it is possible for the Debian "robots" to do the same using this method. I will look into it.

Did you have any difficulty doing something like what that article describes? I think we can find out how to solve it.

Thanks for your work.

[]'s kretcheu :x
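The two routes argued about in this thread, shown as an added example that is not part of the issue or of the nethogs project's own code: verifying a signed git tag (raboof's route), producing and verifying a detached signature on a `git archive` tarball together with the `debian/watch` stanza the linked Debian wiki page relies on (kretcheu's route), and the check that addresses raboof's objection, namely confirming that a signed tarball actually matches the tagged tree. The repository, key identity, tag name and version in `demo` are throw-away fixtures created inside the script; the watch-file regex is an assumption to adapt per project.

```bash
#!/usr/bin/env bash
# Added example, not nethogs' own code. Runs on constructed fixtures only:
# a temporary repo, a temporary GNUPGHOME and an unprotected test key.

# Route 1: the signed tag. Exit 0 only for a good signature from a key in the
# current keyring (requires the signer's public key to be imported first).
verify_signed_tag() {  # repo tag
    git -C "$1" verify-tag "$2" 2>/dev/null
}

# Build the tarball from the tag itself instead of downloading GitHub's
# auto-generated archive. gzip -n drops the name/timestamp header so the
# bytes depend only on the tagged tree.
make_tarball() {  # repo rev prefix out
    git -C "$1" archive --format=tar --prefix="$3/" "$2" | gzip -n -9 > "$4"
}

# Route 2: detached, ASCII-armoured signature beside the tarball, the layout
# uscan expects when debian/watch carries pgpsigurlmangle=s/$/.asc/.
sign_tarball() {  # tarball keyid
    gpg --batch --yes --local-user "$2" --armor --detach-sign --output "$1.asc" "$1"
}

verify_tarball() {  # tarball
    gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

# The out-of-sync check: regenerate the archive from the tag and compare it
# with the uncompressed release tarball byte for byte. A valid signature on a
# tarball proves who signed it, not that its contents are the tagged tree.
tarball_matches_tag() {  # repo tag prefix tarball
    local from_tag from_file
    from_tag=$(git -C "$1" archive --format=tar --prefix="$3/" "$2" | sha256sum | cut -d' ' -f1)
    from_file=$(gunzip -c "$4" | sha256sum | cut -d' ' -f1)
    [ "$from_tag" = "$from_file" ]
}

# debian/watch stanza in the shape the Debian wiki page describes: uscan
# downloads <tarball>.asc next to each release tarball and checks it against
# debian/upstream/signing-key.asc. Owner/repo are parameters; the version
# regex is an assumption and may need adapting for a given project.
debian_watch() {  # owner repo
    cat <<EOF
version=4
opts="pgpsigurlmangle=s/\$/.asc/" \\
  https://github.com/$1/$2/releases .*/v?(\d\S*)\.tar\.gz
EOF
}

# End-to-end run on throw-away fixtures. Returns 0 only if the signed tag
# verifies, the tarball built from the tag verifies and matches the tag, and
# a tarball built from a later commit is caught as out of sync even though its
# own signature is perfectly valid.
demo() {
    local work repo keyid good bad git_id
    work=$(mktemp -d) || return 1
    repo="$work/repo"
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1

    # Throw-away signing key with no passphrase (demo only, never for releases).
    gpg --batch --quiet --gen-key <<'EOF' 2>/dev/null || return 1
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Release Bot
Name-Email: release@example.invalid
Expire-Date: 0
%commit
EOF
    keyid=$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^sec/ {print $5; exit}')
    git_id="-c user.name=bot -c user.email=release@example.invalid"

    # Repo with one commit and a signed annotated tag on it.
    git init -q "$repo" &&
    echo 'int main(void) { return 0; }' > "$repo/main.c" &&
    git -C "$repo" $git_id add main.c &&
    git -C "$repo" $git_id commit -q -m 'release 0.1' &&
    git -C "$repo" $git_id -c user.signingkey="$keyid" tag -s v0.1 -m 'release 0.1' || return 1

    verify_signed_tag "$repo" v0.1 || return 2

    good="$work/demo-0.1.tar.gz"
    make_tarball "$repo" v0.1 demo-0.1 "$good" && sign_tarball "$good" "$keyid" || return 3
    verify_tarball "$good" || return 4
    tarball_matches_tag "$repo" v0.1 demo-0.1 "$good" || return 5

    # Later commit; the release tarball is then (wrongly) built from HEAD
    # instead of the tag and signed anyway: good signature, wrong contents.
    echo '/* post-release fix */' >> "$repo/main.c"
    git -C "$repo" $git_id commit -q -am 'post-release fix' || return 1
    bad="$work/demo-0.1-oops.tar.gz"
    make_tarball "$repo" HEAD demo-0.1 "$bad" && sign_tarball "$bad" "$keyid" || return 3
    verify_tarball "$bad" || return 6
    if tarball_matches_tag "$repo" v0.1 demo-0.1 "$bad"; then return 7; fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return 0
}
```

Run `demo` to walk through both routes; a non-zero return code tells you which step broke. In a packaging context the part that matters is `tarball_matches_tag`: publish the `.asc` if the downstream tooling wants it, but keep regenerating the archive from the signed tag and comparing, because the detached signature alone cannot reveal a tarball built from the wrong commit.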